Opened 7 years ago

Closed 2 months ago

#7088 closed enhancement (wontfix)

trac and blog should support openid and browserid

Reported by: phobos Owned by:
Priority: Medium Milestone:
Component: Internal Services/Service - trac Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

A number of users are willing to not be wholly anonymous. We shouldn't force everyone into our own paranoia world and if someone has an openid and/or browserid account, they can use it on trac and the blog (and forthcoming forums).

There is an openid auth plugin for trac at https://github.com/dairiki/authopenid-plugin

There is not yet a browserid auth plugin for trac, but I bet we can find someone to write one for us.

As for the blog, we'll need to upgrade to current drupal, or find new blog software, to get openid and browserid support.

Child Tickets

Change History (3)

comment:1 Changed 6 years ago by weasel

Component: Tor Sysadmin TeamService - trac

comment:2 Changed 2 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:3 Changed 2 months ago by anarcat

Resolution: wontfix
Status: newclosed

i don't believe OpenID is a good avenue anymore. it's been dropped from support almost everywhere. OpenID 2.0 has been published over a decade ago (in 2007) and suffers from a series of security vulnerabilities:

https://en.wikipedia.org/wiki/OpenID#Security

In general, the *concept* of OpenID is problematic as it is very vulnerable to phishing.

There is a new OpenID standard called "OpenID connected" and based on Oauth:

https://en.wikipedia.org/wiki/OpenID_Connect

... but from my experience, being based on Oauth, it's very hard to implement. There is an OpenID connect plugin for trac, that said:

https://github.com/trac-hacks/trac-oidc

... but it's mostly to authenticate against Google, and requires us to go through all sorts of hoops to make it work.

I don't think this is worth it.

Note: See TracTickets for help on using tickets.