Audrey A Lee
2010-Jan-09 10:32 UTC
Pure, OpenID-only (password not a choice) Authentication?
Hello list,

Are any of you using OpenID to register and authenticate your users?

I have found 2 projects on github which mix Rails with OpenID:

http://github.com/tsechingho/authlogic_bundle
http://github.com/binarylogic/authlogic_openid

Both projects seem suited for providing a choice to the end-user:
- "Vanilla" password based authentication
- OpenID based authentication

I want to implement the use-case where the end-user is allowed only OpenID based authentication.

Some end-users are completely confused by the idea of having 2 ways to authenticate.

And even the smart ones bump into a problem. They register, and then return in a month and forget if they were using a password or OpenID.

So, I want to make it easy for them. They use OpenID or nothing. Actually, I want to make it even simpler: Yahoo-OpenID or nothing.

Anyway I did the obvious thing.

I tried to remove "Vanilla" password based authentication from each of the above projects.

I ended up with 2 piles of broken software.

So my question is, do you know of any projects or Rails starter kits which implement OpenID-only authentication?

Thanks,

--Audrey

chatgris
2010-Jan-09 15:54 UTC
Re: Pure, OpenID-only (password not a choice) Authentication?
You could try this plugin: http://github.com/rails/open_id_authentication

--
Julien

On 9 jan, 11:32, Audrey A Lee <audrey.lee.is...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hello list,
>
> Are any of you using OpenID to register and authenticate your users?
>
> I have found 2 projects on github which mix Rails with OpenID:
>
> http://github.com/tsechingho/authlogic_bundle
> http://github.com/binarylogic/authlogic_openid
>
> Both projects seem suited for providing a choice to the end-user:
> - "Vanilla" password based authentication
> - OpenID based authentication
>
> I want to implement the use-case where the end-user is allowed only
> OpenID based authentication.
>
> Some end-users are completely confused by the idea of having 2 ways to
> authenticate.
>
> And even the smart ones bump into a problem. They register, and then
> return in a month
> and forget if they were using a password or OpenID.
>
> So, I want to make it easy for them. They use OpenID or nothing.
> Actually, I want to make it even simpler: Yahoo-OpenID or nothing.
>
> Anyway I did the obvious thing.
>
> I tried to remove "Vanilla" password based authentication from each of
> the above projects.
>
> I ended up with 2 piles of broken software.
>
> So my question is, do you know of any projects or Rails starter kits
> which implement OpenID-only authentication?
>
> Thanks,
>
> --Audrey

Rick DeNatale
2010-Jan-09 18:56 UTC
Re: Pure, OpenID-only (password not a choice) Authentication?
On Sat, Jan 9, 2010 at 5:32 AM, Audrey A Lee <audrey.lee.is.me-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hello list,
>
> Are any of you using OpenID to register and authenticate your users?
>
> I have found 2 projects on github which mix Rails with OpenID:
>
> http://github.com/tsechingho/authlogic_bundle
> http://github.com/binarylogic/authlogic_openid
>
> Both projects seem suited for providing a choice to the end-user:
> - "Vanilla" password based authentication
> - OpenID based authentication
>
> I want to implement the use-case where the end-user is allowed only
> OpenID based authentication.
>
> Some end-users are completely confused by the idea of having 2 ways to
> authenticate.
>
> And even the smart ones bump into a problem. They register, and then
> return in a month
> and forget if they were using a password or OpenID.
>
> So, I want to make it easy for them. They use OpenID or nothing.
> Actually, I want to make it even simpler: Yahoo-OpenID or nothing.
>
> Anyway I did the obvious thing.
>
> I tried to remove "Vanilla" password based authentication from each of
> the above projects.
>
> I ended up with 2 piles of broken software.
>
> So my question is, do you know of any projects or Rails starter kits
> which implement OpenID-only authentication?

No I don't. And I believe that the openid advocates don't recommend this.

The problem is that if the user's open id server is unavailable for whatever reason, he/she can't log in.

Providing a password option for authentications is the openid equivalent of a 'forgot my password' mechanism.

Just some food for thought.

--
Rick DeNatale

Blog: http://talklikeaduck.denhaven2.com/
Twitter: http://twitter.com/RickDeNatale
WWR: http://www.workingwithrails.com/person/9021-rick-denatale
LinkedIn: http://www.linkedin.com/in/rickdenatale

Robert Walker
2010-Jan-10 08:15 UTC
Re: Pure, OpenID-only (password not a choice) Authentication
Rick Denatale wrote:
> On Sat, Jan 9, 2010 at 5:32 AM, Audrey A Lee
> <audrey.lee.is.me-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> - "Vanilla" password based authentication
>> and forget if they were using a password or OpenID.
>>
>> So my question is, do you know of any projects or Rails starter kits
>> which implement OpenID-only authentication?
>
> No I don't. And I believe that the openid advocates don't recommend
> this.

I don't know about other OpenID advocates, but this is not exactly my recommendation.

> The problem is that if the user's open id server is unavailable for
> whatever reason, he/she can't log in.

I think the more likely case is that your own web site will be unavailable far more often than any OpenID provider's. I just don't think this is a particularly valid argument.

> Providing a password option for authentications is the openid
> equivalent of a 'forgot my password' mechanism.

I can't see how these two are related in any way. They are completely different forms of authentication.

I personally think that developers provide the choice because most "regular users" don't really understand the advantage of OpenID. Trying to explain it to them might be more trouble than it's worth. Most people are just so accustomed to username and password that any deviation from that mechanism might be too confusing for them.

For the OP:

> So, I want to make it easy for them. They use OpenID or nothing.
> Actually, I want to make it even simpler: Yahoo-OpenID or nothing.

While I believe that providing an OpenID only solution is workable, I would be very much against forcing them to use a particular OpenID provider. I personally use VeriSign as my provider. Mostly because I trust their security, and I have set up multi-factor authentication using their provided iPhone app.

Forcing users into a particular OpenID provider defeats one of the major advantages of the OpenID system. If you're going to push authentication to a third-party, that's great, but let the users choose whomever they want as that third-party.

Another advantage of OpenID is that a web site can avoid having to store any sensitive information at all.

I am currently developing a web site for a local developer's group. I have also chosen to use OpenID only for authentication. My reason for doing so is to avoid the need for adding (and paying for) a SSL certificate. I don't like the idea of accepting user's password in the clear. The only ways to avoid that are either buy a SSL certificate or use OpenID only. I've chosen the latter because of the many advantages it provides. I no longer need an SSL certificate, I'm not storing any sensitive information at all, and my users will be able to share their OpenID with any other sites that support it.

--
Posted via http://www.ruby-forum.com/.