OpenID and PGV?

Kerry Choy
2008-03-26
2013-05-30
  • Kerry Choy

    Kerry Choy - 2008-03-26

    Before I raise an RFE is there any current development on intehrating OpenID into PGV? Is it a good or a bad thing?

     
    • Greg Roach

      Greg Roach - 2008-03-26

      <<Is it a good or a bad thing?>>

      It's a good thing if you just want a quick way to deal with trivial authentication, such as posting comments on blogs.

      It's a bad thing if you are dealing with information of any importance.  Googling for OpenID and phishing brings back 170000 hits.  A reasonable summary of the problems can be found here http://www.idcorner.org/?p=161.

      Under the data protection laws of my country, I have a duty of care towards the personal data I hold.  IMHO, allowing access via OpenID would probably count as criminal negligence.

      Even if someone wants to implement it, I will not allow it on my live site.

       
    • Anonymous - 2008-03-27

      We see requests like this from time to time, and thats not a bad thing. I recall a request not long ago to integrate PGV with FaceBook. It was also rejected, but some ideas are popular enough to get actioned.

      I'd never heard of OpenID before this, so I've had a look around the internet. My conclusion has to be the same as Greg's - there's no way that would ever get anywhere near my site. We go to great lengths to protect the privacy of our members / users. By all means raise an RFE, but I doubt it will be looked at. If you really feel it would be useful I suspect you will need to write it yourself. If it does get implemented, it will HAVE to be as an option that can be easily removed, or only installed as a separate add-on. Far too controversial to be part of the core.

       
  • Andy Kaplan-Myrth

    It's been a while since OpenID was mentioned here and it looks like it was probably misunderstood the last time, since the whole idea of openid was so new. I'd like to suggest it again and take another crack at explaining the advantages.

    Since last year when this was last suggested in these forums, OpenID has emerged as a standard for centralized authentication. The idea, in a nutshell, is that instead of having usernames and passwords for lots of different websites, you have a single username and password at a OpenID provider. Then, when you want to get an account at a new website (like your family's PGV site), instead of needing to create a new username and password for your account, you point it to your existing OpenID account and sign in with your OpenID username and password, Your OpenID provider sends a message to the PGV site saying that you have signed in successfully. PGV can then proceed with your account creation (or just log you in if you have an account already) without needing you to create a new username and password.

    This has become almost standard on the web in recent months - on most new sites, you can log in using your Twitter, Facebook or OpenID credentials. You still need to create an *account* on the new site, but you don't need to create a new username and password to go with it. That's the key advantage.

    Services like RPXnow.com make it easy to implement openid and other services (loosely called "OAuth" services) and hook them into existing websites. I've looked at creating an RPXnow application to work with PGV but I just don't know the PGV code well enough to do it.

    **Ideally** it would be fantastic if somebody would build an RPXnow app and a plugin for PGV so new users could associate existing credentials with new PGV accounts and sign in with those credentials. RIght now, I can see that family members are interested in contributing to our online family tree but don't relish the thought of setting up a new account to remember and trusting my servers with their login credentials. It would help enormously to get them involved if they could log in with their Twitter, Facebook or Google credentials (but don't be scared of Facebook or Twitter in this context - this would *not* require them to cross-post info to Facebook or anything! It would just let them log in via their Facebook credentials!).

    Worth considering?

    Cheers,
    Andy

     
  • Anonymous - 2010-01-03

    I can only offer a personal opinion, which for me is that nothing has changed since the original post. Phishing in relation to OpenID is still a key vulnerability and a VERY hot topic on the WWW.

    Just because it "has become almost standard on the web in recent months" doesn't make it a good thing (some might say it makes it the opposite :-)  ).

    For me its simple - the day my online banking service decides its safe to use OpenID is the day I MIGHT consider it for my very precious living relative's private data. I regard this data that seriously, and have a commitment to my registered users to that effect.

    Of course I have absolutely no problem with someone developing it for PGV - just so long as I can ensure I don't see it on my site.

    Actually, re-reading your post, I see at the end you said "It would help enormously to get them involved if they could log in with their Twitter, Facebook or Google credentials "  So why can't they? Whats stopping them (other than being aware its bad practice) from using the same username and password for PGV as they use on FaceBook or Twitter, or anywhere else come to that?

     
  • Andy Kaplan-Myrth

    Thanks for your reply!

    I'm aware that OpenID and OAuth are hot topics on the web with regards to phishing vulnerabilities. At the same time, however, they are important tools for identity management and authentication. And I honestly don't see how they pose any increased phishing risk, especially when, as you seem to recognize, most people will use the same username and password for all of their accounts.

    As for my comment about OpenID making it easier to get family members to sign up for accounts: Yes, they can get a new account at the PGV site with the same username and password they usually use so it's easy to remember. But I can't be the only person out there who has an uphill battle first explaining to sometimes distant family members the advantages of using my website instead of some commercial site, and then asking them to give me their username and password for a new account. I just think it would seem more seamless and, well, there would be a lower barrier to entry if they could log in with an account they already had.

    Regarding the phishing concerns, it seems to me that your concerns as a user are different than your concerns as a webmaster. As a user, you definitely want to be sure that you are signing in to your own OpenID provider and not some man-in-the-middle scammer. But as a webmaster you *know* that the openid/oauth API you're using is legit and not a phishing scam. Instead, your concern is more paternalistic - you want your family members and website users to understand the risks of openid and be careful using it (in case they encounter phishing scams at other sites). So, given the momentum behind OpenID and OAuth and the likelihood that some kind of centralized identity/account management will become widely used, I believe that *as webmasters* the most responsible thing for us to do is to use OpenID responsibly and educate our users so they know what *real* and *legit* OpenID logins look like, so they can be suspicious of unusual implementations.

    At the risk of rambling, here's another way to look at it: From a users's perspective, the more major or important a service is, the more likely you are to be willing to get a new username and password account. Twitter? Sure, you'll give a username+password to get an account. But just to read some blog? No way - you want to do that without getting an account. Your cousin Andy's family tree website? Well, I think that's somewhere in the middle: it's valuable, so you're willing to do *something* extra to access it, but it's no Twitter or Facebook - why should you need to give it your username and password? But I think you would much more willing to sign in with other credentials.

    I understand the concerns with phishing and openid, but I think as a webmaster the benefits far outweigh the risks. But I've said enough about it - I hope somebody who reads this is able to alter the PHP enough to implement RPX or some other openid/oauth tool in PGV!

    Cheers,
    Andy

     
  • Stephen Arnold

    Stephen Arnold - 2010-01-04

    Andy  
    Perhaps part of your 'encouragement' issue goes to the question you posed:  

        then asking them to give me their username and password for a new
        account.

    Why would you ever ask your users for their U/N and password? This action goes to the heart of defeating most registration procedures and specifically, the PGV registration system and U/N-Password integrity.  

    I must assume from your discussion that you don't allow users to register themselves, and that's just fine if you should chose, but you still don't need their U/N and PW. You could simply assign a U/N and temp P/W for each and instruct them that, for personal security they should go to their account and change them to their own personal preferences upon accessing their account for the first time. In fact, this brings up a possible RFE, that shows when a PW was last changed and perhaps a security measurement of the PW hardness.  

    Andy, as to 'educating' our users as to what a legitimate OpenID login would resemble, I'm busy enough training users on PGV and GEDCOM without accepting more responsibilitiy for others' software. And given the propensity to ignore warnings on simple issue, and the ease at which phishers are able to convince a significant portion of almost any user base to divulge their SSN's, DOB's, addresses, phone numbers and more, education would seem fruitless. I find the idea of a secure web-based depository of U/N and PW an oxymoron when its almost impossible to secure it on a local machine, let alone something in the WWW universe.  

    If someone develops this for PGV, fine, but we will certainly need a configuration that prevents its use if so decided by the Admin.  
    JOHO, Stephen

     
  • Andy Kaplan-Myrth

    Hi Stephen,

    No, you've totally misunderstood what I was saying.

    It would be a good start to assume I'm not a complete idiot, or the most irresponsible of webmasters, right? Nobody would ask users for their usernames and passwords and set up their accounts for them (I hope!). I simply meant that by asking family members to come to the site and set up accounts (or request accounts to be approved by admins, in the case of my own family's site), there's a barrier to entry that could be avoided if they could instead use their OpenID or OAuth credentials. Make sense (even if you don't trust OpenID or Oauth)?

    That's a rhetorical question - this is not something I need to press any further. This was just one feature I would have liked to see PGV support - not even the most pressing IMHO. At any rate, I would be happy to leave the discussion here.

    Best wishes,
    Andy

     
  • Anonymous - 2010-01-04

    Andy, I think we differ in the fundamentals here, but I wish you good luck in getting this written (not many responses here though…).

    You say:

    1 - "the more major or important a service is, the more likely you are to be willing to get a new username and password account. ". There we agree. BUT you rate a PGV site as LOWER than a Twitter or Facebook account. I rate it a million times higher, due to the high value of  the extremely private data stored about living individuals. Hence my associating it at the same level as an online banking service.

    2- "there would be a lower barrier to entry". But I WANT a high barrier to entry, for just the reasons described above. I promise my users that if they register on the site (and providing their own details is a pre-requisite to registration) then I WILL protect that data by all methods possible.

    I hate to be an old stick-in-the mud on this but I hope none of our busy developers spends their valuable time on this idea. Sorry, just my personal view.

     
  • Stephen Arnold

    Stephen Arnold - 2010-01-04

    Andy  
    Now its you who has misunderstood. Certainly wasn't calling you stupid. I simply took you literally, interpreting the active verb "asking" to mean precisely what you wrote.  

    There are some among us admins who DON'T use the registration system, preferring to preregister and pre-approve access to users, so my interpretation wasn't as far fetched or condemning as yours of our reply. 

    I remain with Kiwi on this, infatuation with social networking sites will diminish (anyone remember MySpace?), but I rank the importance of our family genealogy site in magnitudes vs those to which you refer.  
    -Stephen

     
  • Andy Kaplan-Myrth

    This is a really disappointing discussion.

    I've been a long time PGV user. PGV is at the root of my family's genealogy project. I promote our site to family members so they will contribute to one collaborative family tree instead of working on their own smaller projects. That requires a lower barrier to entry than the effort involved in buying FTM off the shelf, so anything that can be done to encourage involvement is a good thing in my experience.

    Whatever. Sorry to have come across as a troll here - I'm not one. I didn't mean to get into an argument about PGV webmaster best practices. I was just making a feature request that would address a need that I have and I'm sure other users have as well.

    Sincerely,
    Andy

     
  • Greg Roach

    Greg Roach - 2010-01-04

    If there was a "standard/official" openid library to use, I might look at it.  But there isn't.  Go to the openid wiki (http://wiki.openid.net/Libraries) and it lists pages and pages of them, helpfully adding that "they are maintained by members of the OpenID community and are not necessarily known to work".

    Great.  I could spend weeks working on integrating one of these libraries, and at the end of it, it probably wouldn't even work!

    It seems like an awful lot of effort for very little reward.

     
  • Greg Roach

    Greg Roach - 2010-01-04

    …as well as wanting a library that was "known to work", I'd also be keen on one that was "known to be secure".

    I'd imagine that openid users such as SF, etc. have the resources to write their own implementations, and don't use one of these publicly available libraries.

     
  • Veit

    Veit - 2010-01-04

    Greg,
    without having any experience I know Joomla! is using this one:
    http://www.openidenabled.com/

    But I have the same opinion as Kiwi and Stephen, there are more interesting topics to enhance PGV than an openid login.
    It maybe more useful to sites that don't have an approval process like we do.

     
  • Andy Kaplan-Myrth

    @fisharebest  Have you looked at www.rpxnow.com? It's not a standalone library, but the free version of the service should be sufficient. It provides the openid and oauth interface and returns authentication information. One way to do this is to write code for PGV to parse the info returned from RPX…

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks