Pure, OpenID-only (password not a choice) Authentication?

Hello list,

Are any of you using OpenID to register and authenticate your users?

I have found 2 projects on GitHub which mix Rails with OpenID:

Both projects seem suited for providing a choice to the end-user:

  • “Vanilla” password based authentication
  • OpenID based authentication

I want to implement the use-case where the end-user is allowed only
OpenID based authentication.

Some end-users are completely confused by the idea of having 2 ways to
authenticate.

And even the smart ones bump into a problem. They register, and then
return in a month and forget if they were using a password or OpenID.

So, I want to make it easy for them. They use OpenID or nothing.
Actually, I want to make it even simpler: Yahoo-OpenID or nothing.

Anyway I did the obvious thing.

I tried to remove “Vanilla” password based authentication from each of
the above projects.

I ended up with 2 piles of broken software.

So my question is, do you know of any projects or Rails starter kits
which implement OpenID-only authentication?

Thanks,

–Audrey

On Sat, Jan 9, 2010 at 5:32 AM, Audrey A Lee
[email protected] wrote:

> - “Vanilla” password based authentication
> and forget if they were using a password or OpenID.
>
> So my question is, do you know of any projects or Rails starter kits
> which implement OpenID-only authentication?

No I don’t. And I believe that the OpenID advocates don’t recommend
this.

The problem is that if the user’s OpenID server is unavailable for
whatever reason, he/she can’t log in.

Providing a password option for authentication is the OpenID
equivalent of a ‘forgot my password’ mechanism.

Just some food for thought.

Rick DeNatale

Blog: http://talklikeaduck.denhaven2.com/
Twitter: http://twitter.com/RickDeNatale
WWR: http://www.workingwithrails.com/person/9021-rick-denatale
LinkedIn: Rick DeNatale - Developer - IBM

You could try this plugin:

Julien

Rick DeNatale wrote:

> On Sat, Jan 9, 2010 at 5:32 AM, Audrey A Lee
> [email protected] wrote:
>
> > - “Vanilla” password based authentication
> > and forget if they were using a password or OpenID.
> >
> > So my question is, do you know of any projects or Rails starter kits
> > which implement OpenID-only authentication?
>
> No I don’t. And I believe that the OpenID advocates don’t recommend
> this.

I don’t know about other OpenID advocates, but this is not exactly my
recommendation.

> The problem is that if the user’s OpenID server is unavailable for
> whatever reason, he/she can’t log in.

I think the more likely case is that your own web site will be
unavailable far more often than any OpenID provider’s. I just don’t
think this is a particularly valid argument.

> Providing a password option for authentication is the OpenID
> equivalent of a ‘forgot my password’ mechanism.

I can’t see how these two are related in any way. They are completely
different forms of authentication.

I personally think that developers provide the choice because most
“regular users” don’t really understand the advantage of OpenID. Trying
to explain it to them might be more trouble than it’s worth. Most people
are just so accustomed to username and password that any deviation from
that mechanism might be too confusing for them.

For the OP:

> So, I want to make it easy for them. They use OpenID or nothing.
> Actually, I want to make it even simpler: Yahoo-OpenID or nothing.

While I believe that providing an OpenID-only solution is workable, I
would be very much against forcing them to use a particular OpenID
provider. I personally use VeriSign as my provider, mostly because I
trust their security, and I have set up multi-factor authentication using
their provided iPhone app.

Forcing users into a particular OpenID provider defeats one of the major
advantages of the OpenID system. If you’re going to push authentication
to a third-party, that’s great, but let the users choose whomever they
want as that third-party.

Another advantage of OpenID is that a web site can avoid having to store
any sensitive information at all. I am currently developing a web site
for a local developers’ group. I have also chosen to use OpenID only for
authentication. My reason for doing so is to avoid the need for adding
(and paying for) an SSL certificate. I don’t like the idea of accepting
users’ passwords in the clear. The only ways to avoid that are either buy
an SSL certificate or use OpenID only. I’ve chosen the latter because of
the many advantages it provides. I no longer need an SSL certificate,
I’m not storing any sensitive information at all, and my users will be
able to share their OpenID with any other sites that support it.
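Added example, not code from any post in this thread: a plain-Ruby sketch of the kind of OpenID-only relying-party user store the message above describes, where accounts are keyed on the claimed identifier and there is no password column at all. The module and class names (OpenIDOnly, UserStore) are made up for the example. The normalization follows what OpenID 2.0 section 7.2 and RFC 3986 prescribe for URL identifiers; it assumes the OpenID library has already verified the provider's signed assertion before find_or_create is called, since the sketch does no protocol verification itself.

```ruby
require "uri"

# Added example, not code from the thread: an OpenID-only relying-party
# user store. Accounts are keyed on the normalized claimed identifier and
# there is simply no password column, so nothing password-like is stored.
module OpenIDOnly
  SCHEME_RE = %r{\A[a-z][a-z0-9+.-]*://}i

  # Normalize a user-typed or provider-asserted URL identifier as OpenID 2.0
  # section 7.2 describes: prepend "http://" when no scheme is given, strip
  # the fragment, then apply RFC 3986 syntax-based normalization (lowercase
  # scheme and host, drop the default port, empty path becomes "/").
  # XRI identifiers ("=name", "@name", "xri://...") are rejected here.
  # Without this step "Example.com", "http://example.com" and
  # "HTTP://example.com:80/#x" would create three separate accounts.
  def self.normalize(raw)
    s = raw.to_s.strip
    raise ArgumentError, "empty identifier" if s.empty?
    raise ArgumentError, "XRI identifiers not supported" if s.start_with?("=", "@", "xri://")
    s = "http://#{s}" unless s.match?(SCHEME_RE)

    uri = URI.parse(s)
    raise ArgumentError, "only http/https identifiers" unless %w[http https].include?(uri.scheme.to_s.downcase)
    raise ArgumentError, "missing host" if uri.host.nil? || uri.host.empty?

    uri.scheme   = uri.scheme.downcase
    uri.host     = uri.host.downcase
    uri.fragment = nil
    uri.path     = "/" if uri.path.nil? || uri.path.empty?
    uri.port     = nil if uri.port == uri.default_port
    uri.to_s
  end

  # A user record with an identity URL and no password field.
  User = Struct.new(:id, :identity_url, :display_name)

  class UserStore
    def initialize
      @users = {} # normalized identity_url => User
    end

    # Call this only with an identifier the OpenID library has already
    # verified (positive, signed assertion from the provider); this code
    # does no verification itself.
    def find_or_create(asserted_identity_url)
      key = OpenIDOnly.normalize(asserted_identity_url)
      @users[key] ||= User.new(@users.size + 1, key, nil)
    end

    def count
      @users.size
    end
  end
end
```

The normalization step is the part worth keeping even if the rest is replaced by a real database model: a relying party that looks accounts up by the raw string the provider returned can end up with several accounts for one person (or fail to find the existing one) whenever the identifier differs only in case, default port, or trailing slash, and a record that never had a password column has nothing password-like to leak.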