[tor-bugs] #7088 [Internal Services/Service - trac]: trac and blog should support openid and browserid
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 16 15:56:09 UTC 2019
#7088: trac and blog should support openid and browserid
----------------------------------------------+-------------------------
 Reporter:  phobos                            |          Owner:  (none)
     Type:  enhancement                       |         Status:  closed
 Priority:  Medium                            |      Milestone:
Component:  Internal Services/Service - trac  |        Version:
 Severity:  Normal                            |     Resolution:  wontfix
 Keywords:                                    |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+-------------------------
Changes (by anarcat):
* status: new => closed
* resolution: => wontfix
Comment:
I don't believe OpenID is a good avenue anymore. It's been dropped from
support almost everywhere. OpenID 2.0 was published over a decade ago
(in 2007) and suffers from a series of security vulnerabilities:

https://en.wikipedia.org/wiki/OpenID#Security

In general, the *concept* of OpenID is problematic as it is very
vulnerable to phishing.

There is a new OpenID standard called "OpenID connected" and based on
OAuth:

https://en.wikipedia.org/wiki/OpenID_Connect

... but from my experience, being based on OAuth, it's very hard to
implement. There is an OpenID Connect plugin for trac, that said:

https://github.com/trac-hacks/trac-oidc

... but it's mostly to authenticate against Google, and requires us to go
through all sorts of hoops to make it work.

I don't think this is worth it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7088#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online