[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #7088 [Internal Services/Service - trac]: trac and blog should support openid and browserid



#7088: trac and blog should support openid and browserid
----------------------------------------------+-------------------------
 Reporter:  phobos                            |          Owner:  (none)
     Type:  enhancement                       |         Status:  closed
 Priority:  Medium                            |      Milestone:
Component:  Internal Services/Service - trac  |        Version:
 Severity:  Normal                            |     Resolution:  wontfix
 Keywords:                                    |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+-------------------------
Changes (by anarcat):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 i don't believe OpenID is a good avenue anymore. it's been dropped from
 support almost everywhere. OpenID 2.0 has been published over a decade ago
 (in 2007) and suffers from a series of security vulnerabilities:

 https://en.wikipedia.org/wiki/OpenID#Security

 In general, the *concept* of OpenID is problematic as it is very
 vulnerable to phishing.

 There is a new OpenID standard called "OpenID connected" and based on
 Oauth:

 https://en.wikipedia.org/wiki/OpenID_Connect

 ... but from my experience, being based on Oauth, it's very hard to
 implement. There is an OpenID connect plugin for trac, that said:

 https://github.com/trac-hacks/trac-oidc

 ... but it's mostly to authenticate against Google, and requires us to go
 through all sorts of hoops to make it work.

 I don't think this is worth it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7088#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs