OpenID Authentication #57
I've decided to abandon implementation of this feature for now because it would be far too easy to abuse. We have plenty of authentication strategies and we can obtain OAuth keys to add even more. I might consider adding this feature if people actually express a need for it in the future if we combine it with a CAPTCHA or add a bunch of code to monitor creation of accounts from various OpenID providers so we could blacklist the bad ones. I just don't feel like opening the site up to a game of whack-a-mole right now.
This issue has been reopened because someone has expressed an interest in this issue (#88). I might allow this feature, but require the OpenID provider to use HTTPS, keep which providers were used to create an account with OpenID (so we can detect abuse), and also require a CAPTCHA (or some other form of anti-bot measure at registration).
I don't get it. What's the problem with "phony users"? And what prevents me now from creating as many imgur or reddit users as I want?
If you can create many phony users very quickly you can use them to post spam and malicious scripts faster than we can moderate and remove them (userscripts.org is a good example of this).
For one, I know that reddit uses a captcha at registration and limits the number of users you can create on an IP in a certain duration. We inherit all the protections our providers use to prevent registration of many phony users. OpenID would be much easier to abuse if we added it. Is there some particular reason you want OpenID? Is the current list of authenticators not sufficient for your needs? Is this a matter of privacy?
Do new users have limits for posting?
Use captcha for new users as well. If spammers are determined enough to spend money on solving captcha - reddit won't save you. Right?
Not yet. I'm not crazy about doing this since many new users just want to dump their scripts on the site. I was hoping to avoid dealing with this issue until the site is more popular. But yes, we'll probably have to do this.
I also intend to do this once the site becomes more popular. But at this point I want to make it really easy for new users to sign up. I will probably add OpenID once we reach this point. I'm not going to promise it right now because I need to think about it more and consult the other project members. You still didn't answer my questions:
See? A spammer doesn't even need those accounts you are worried about, since nothing stops a single phony user from posting thousands of malicious scripts and messages.
Sorry about that. Let me answer them now.
It's a matter of several factors. I believe decentralization is a good thing, and OpenID is perfect for decentralization. I hate the idea of being dependent on a single service, like github or reddit, for being able to log in to a completely unrelated website, like OUJO. And yes, most of my userscripts are hosted on Bitbucket, which is not an option for logging in for now. In my opinion, this is handled best on stackexchange network sites (like stackoverflow.com). There you can log in using several services (including plain OpenID), but most importantly - you can link several login methods to a single account. This frees you from being tied to a single service and makes you stop worrying about third-party services being down. All in all, I think you are too worried about spammers now. I understand that having the case of USO right in front of your eyes, you want to do everything possible to prevent this from happening to OUJO, but I'm not sure you should be concerned right now. The audience of OUJO is small and it is unlikely it will be targeted by spammers now. Later you could take measures according to the situation, maybe including community help (like it is done in stackexchange). These are just my thoughts, I hope they will be somehow helpful, sorry if not :) And thank you for the work you are doing.
If this is a bug I'll open one... but I added goo to my list of authentications, reset GH back to primary, made sure I restarted my browser to remove any cookies, logged into goo, and OUJS still prompted me for GH credentials... I'm not quite entirely sure if this is how these are supposed to work or not. As far as adding in an OUJS site captcha it might be a good idea to route all requests, save for login/logout, to a captcha dummy routine... not necessarily adding a captcha in but the possibility for it if it is needed in the future. I'm neither here nor there on OpenID... privacy on OpenID is a lot less than it is with most other systems across the internet.
Is this closable now with the new UI? We refer to OpenID in the main /login page so I assume so? Possible Reference:
This issue is about allowing pure OpenID authentication on the site. I decided it is unnecessary.
All the authentication strategies listed on the login page work (I've tested all of them myself), except OpenID because it requires getting a special identifier. If a user selects OpenID from the dropdown they will be taken to /login/openid (which will use the same login.html template) where they can enter this identifier.