
OpenID bridging


Francois Marier

Sep 4, 2013, 2:19:42 AM
Here's a summary of the two OpenID ideas that were discussed at the
Paris mini-workweek.

# Persona as an OpenID provider

In order to increase the number of sites where users can sign in using
their Persona account, we could run openid.persona.org.

This would be an OpenID provider and a Persona RP.

It would allow users to enter
"https://openid.persona.org/per...@example.com" as their OpenID on any
site that allows OpenID logins (e.g. Stack Overflow). Users would then
be redirected to a login page with the familiar Persona button and
dialog before being authenticated and redirected to the site.

# Persona as an OpenID consumer

In order to let sophisticated users delegate authority for their domain
to an existing OpenID provider, we could build a new IdP.

This would be an OpenID consumer and a Persona IdP.

It would allow users who own a domain name to run an IdP that would require
the user to authenticate against a particular OpenID identifier. If I
configure my instance of this IdP (running on fmarier.org), I can add
"https://launchpad.net/~fmarier" to the config file and then when I try
to sign into a Persona-enabled site with fran...@fmarier.org, I will be
prompted to authenticate on launchpad.net as "fmarier".

Alternatively, we could offer a hosted version of this software like
Austin did with hostedpersona.me.

I'm planning to work on that second one during my next Manic Monday /
Freaky Friday.

Francois
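
The two bridges above each hinge on one check that the thread does not spell out. The provider (a Persona RP speaking OpenID) may only issue an OpenID assertion for https://openid.persona.org/<email> once Persona has verified exactly that email for the bridge's own audience; otherwise any Persona user could claim anyone else's bridged OpenID. The domain IdP (a Persona IdP speaking OpenID) may only accept an OpenID response that is validly signed for exactly the identifier in its config file, bound to its own return_to and not replayed; a valid login as some other Launchpad user must not unlock the domain. The following Python is an added example written for this page, not code from the thread, from Mozilla or from the Persona project. The bridge origin openid.persona.org and the Launchpad identifier come from the thread; the /openid endpoint path, the function names, the shape of the verifier response (status, email, audience, as the Persona verifier API returned at the time) and the MAC key are assumptions, and the signing goes beyond the thread by following OpenID 2.0's HMAC signature over the key-value form of the signed fields.

```python
"""Core checks for the two bridges sketched in the thread: a Persona RP that
acts as an OpenID 2.0 provider (openid.persona.org), and a Persona IdP that
acts as an OpenID consumer (e.g. fmarier.org delegating to Launchpad).
Added example, not code from the thread, Mozilla or Persona; the endpoint
path, function names and sample data are assumptions."""
import base64
import hashlib
import hmac
import re
import urllib.parse

BRIDGE = "https://openid.persona.org"        # origin named in the thread
OP_ENDPOINT = BRIDGE + "/openid"             # assumed OpenID endpoint path
OPENID_NS = "http://specs.openid.net/auth/2.0"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")


def email_from_claimed_id(claimed_id):
    """Map https://openid.persona.org/<email> back to <email>, or None.
    Only the path is an email; another host or scheme, a query string or a
    fragment is rejected so a crafted identifier cannot name a different user."""
    u = urllib.parse.urlsplit(claimed_id)
    if u.scheme != "https" or u.netloc != urllib.parse.urlsplit(BRIDGE).netloc:
        return None
    if u.query or u.fragment:
        return None
    email = urllib.parse.unquote(u.path.lstrip("/"))
    return email if EMAIL_RE.match(email) else None


def persona_verified_email(verifier_response, audience):
    """Read the JSON the Persona verifier returned for an assertion. Only a
    status of 'okay' for *this* audience counts; the email is then the one
    fact the bridge is allowed to trust."""
    if verifier_response.get("status") != "okay":
        return None
    if verifier_response.get("audience") != audience:
        return None
    return verifier_response.get("email")


def _signature(fields, signed, mac_key):
    """OpenID 2.0 section 6: HMAC-SHA256 over the key-value form of the signed
    fields, in openid.signed order, with the 'openid.' prefix stripped."""
    kv = "".join("%s:%s\n" % (name, fields["openid." + name]) for name in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


# --- Provider side: Persona RP issuing OpenID positive assertions ---
def positive_assertion(claimed_id, verifier_response, return_to, assoc_handle, nonce, mac_key):
    """Issue an id_res only if the email Persona verified is exactly the email
    the claimed identifier names. Without this check any Persona user could
    log in as https://openid.persona.org/<someone else>."""
    email = email_from_claimed_id(claimed_id)
    verified = persona_verified_email(verifier_response, BRIDGE)
    if email is None or verified is None or email != verified:
        return None
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
    }
    signed = ["ns", "mode", "op_endpoint", "claimed_id", "identity",
              "return_to", "response_nonce", "assoc_handle", "signed"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = _signature(fields, signed, mac_key)
    return fields


# --- Consumer side: Persona IdP accepting exactly one configured OpenID ---
def accept_openid_response(fields, configured_id, expected_return_to, mac_key, seen_nonces):
    """Accept the OpenID response only if it is a validly signed id_res (mac_key
    is the MAC key from the association with the OpenID provider), names
    exactly the identifier from the config file, carries our return_to and
    has a nonce we have not seen before."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return False
    signed = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed) or "claimed_id" not in signed:
        return False
    try:
        expected = _signature(fields, signed, mac_key)
    except KeyError:                      # a field listed as signed is missing
        return False
    if not hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode()):
        return False
    if fields["openid.claimed_id"] != configured_id:
        return False
    if fields["openid.return_to"] != expected_return_to:
        return False
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True
```

Two design points: the provider compares the verified email and the email in the identifier byte for byte, so whatever normalisation policy a real bridge chooses (lower-casing the domain part, for instance) has to be applied to both sides before the comparison, never to only one; and the consumer recomputes the signature over the openid.signed list it received, so stripping claimed_id from that list, or omitting a signed field, fails the check rather than silently shrinking what is covered.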

Austin King

Sep 4, 2013, 12:13:35 PM
to Francois Marier, dev-id...@lists.mozilla.org
On 9/3/13 11:19 PM, Francois Marier wrote:
> # Persona as an OpenID consumer
>
> In order to let sophisticated users delegate authority for their domain
> to an existing OpenID provider, we could build a new IdP.

It is interesting how major OpenID providers have consolidated in the space.

As a customer, I got this email from myOpenID (Janrain) this morning:

> I wanted to reach out personally to let you know that we have made the
> decision to end of life the myOpenID service. myOpenID will be turned
> off on February 1, 2014.
>
> In 2006 Janrain created myOpenID to fulfill our vision to make
> registration and login easier on the web for people. Since that time,
> social networks and email providers such as Facebook, Google, Twitter,
> LinkedIn and Yahoo! have embraced open identity standards. And now,
> billions of people who have created accounts with these services can
> use their identities to easily register and login to sites across the
> web in the way myOpenID was intended.
>
> By 2009 it had become obvious that the vast majority of consumers
> would prefer to utilize an existing identity from a recognized
> provider rather than create their own myOpenID account. As a result,
> our business focus changed to address this desire, and we introduced
> social login technology. While the technology is slightly different
> from where we were in 2006, I'm confident that we are still delivering
> on our initial promise -- that people should take control of their
> online identity and are empowered to carry those identities with them
> as they navigate the web.
>
> For those of you who still actively use myOpenID, I can understand
> your disappointment to hear this news and apologize if this causes you
> any inconvenience. To reduce this inconvenience, we are delaying the
> end of life of the service until February 1, 2014 to give you time to
> begin using other identities on those sites where you use myOpenID today.
>
> Speaking on behalf of Janrain, I truly appreciate your past support of
> myOpenID.
>

-- Austin


> Francois
> _______________________________________________
> dev-identity mailing list
> dev-id...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-identity

Gervase Markham

Sep 6, 2013, 11:54:54 AM
to Francois Marier
On 04/09/13 07:19, Francois Marier wrote:
> It would allow users to enter
> "https://openid.persona.org/per...@example.com" as their OpenID on any
> site that allows OpenID logins (e.g. Stack Overflow). Users would then
> be redirected to a login page with the familiar Persona button and
> dialog before being authenticated and redirected to the site.

Awesome idea. Particularly as MyOpenID is shutting. I would love to be
able to use Persona instead on all the OpenID-supporting sites. This is
how one login system can take over another one. Great idea.

Is there any way that it could instead simply be:
https://openid.persona.org/
?

In other words, could the site figure out your persona ID(s)? Or could
it only do it if you were using the backup IdP? Where is that list of
IDs that I see when I do a persona login stored?

> It would allow users who own a domain name to run an IdP that would require
> the user to authenticate against a particular OpenID identifier. If I
> configure my instance of this IdP (running on fmarier.org), I can add
> "https://launchpad.net/~fmarier" to the config file and then when I try
> to sign into a Persona-enabled site with fran...@fmarier.org, I will be
> prompted to authenticate on launchpad.net as "fmarier".

By contrast, I'm not sure what this buys you. It makes things more
complicated. Why would you run this software rather than supporting
Persona directly? Why would we want to encourage the use of OpenID in
scenarios where it didn't have to be used?

Gerv

Dan Callahan

Sep 6, 2013, 12:38:36 PM
to dev-id...@lists.mozilla.org
On 9/4/13 1:19 AM, Francois Marier wrote:
> Here's a summary of the two OpenID ideas that were discussed at the
> Paris mini-workweek.
>
> # Persona as an OpenID provider
>
> In order to increase the number of sites where users can sign in using
> their Persona account, we could run openid.persona.org.
>
> This would be an OpenID provider and a Persona RP.

Super interesting idea.

Given the complete and total collapse of OpenID, I can't see how this
would help us improve the status quo for non-wizards. Even the wizards
see minimal benefit, since sites that allow freeform OpenID URLs are
practically non-existent outside of Stack Overflow and Ikiwiki.

Instead, I wonder if we can use these final death throes of OpenID to
promote migrating to Persona instead of another vendor-locked solution?
Even Google is strongly moving in that direction: "Google's OpenID
service is being replaced by Login with OAuth 2.0."

https://developers.google.com/accounts/docs/GettingStarted

-Callahad

Francois Marier

Sep 8, 2013, 4:48:51 AM
On 07/09/13 04:38, Dan Callahan wrote:
> Given the complete and total collapse of OpenID, I can't see how this
> would help us improve the status quo for non-wizards. Even the wizards
> see minimal benefit, since sites that allow freeform OpenID URLs are
> practically non-existent outside of Stack Overflow and Ikiwiki.

You're right that large players have largely abandoned OpenID, but if
you look at the long tail, there are still more sites that accept OpenID
than Persona.

They are mostly for technical audiences (or "wizards" to refer to a
specific Firefox user group), but they are quite important for these
users. A good example of a piece of software that uses OpenID
exclusively is Gerrit Code Review (used in Android and OpenStack for
example).

> Instead, I wonder if we can use these final death throes of OpenID to
> promote migrating to Persona instead of another vendor-locked solution?

I think we totally should.

Also, letting our users make use of their Persona account on "legacy"
OpenID sites could be part of that "upgrade strategy".

Francois

Francois Marier

Sep 8, 2013, 5:00:53 AM
On 07/09/13 04:06, Gervase Markham wrote:
> Awesome idea. Particularly as MyOpenID is shutting. I would love to be
> able to use Persona instead on all the OpenID-supporting sites. This is
> how one login system can take over another one. Great idea.
>
> Is there any way that it could instead simply be:
> https://openid.persona.org/
> ?

My understanding is that your OpenID has to be different from mine if
we're logging into the same site. That URL is the unique identifier for
each user.

> In other words, could the site figure out your persona ID(s)? Or could
> it only do it if you were using the backup IdP?

This "bridge" would be a centralized service since it's really just a
Persona RP. It would work with any Persona IdP, there is no reason to
restrict it to the fallback IdP.

> Where is that list of IDs that I see when I do a persona login stored?

It's currently stored in the fallback IdP account. At the Paris
mini-work-week we discussed moving this to local storage (or somewhere
else in the browser in the case of native Persona support).

>> It would allow users who own a domain name to run an IdP that would require
>> the user to authenticate against a particular OpenID identifier. If I
>> configure my instance of this IdP (running on fmarier.org), I can add
>> "https://launchpad.net/~fmarier" to the config file and then when I try
>> to sign into a Persona-enabled site with fran...@fmarier.org, I will be
>> prompted to authenticate on launchpad.net as "fmarier".
>
> By contrast, I'm not sure what this buys you. It makes things more
> complicated. Why would you run this software rather than supporting
> Persona directly?

Here's a use case for it:

"As an Ubuntu/OpenStack/Android developer, I already have a secure
OpenID provider that I trust and I would like to make use of it to log
into Persona sites. I do not want to run my own identity provider
(that's too much responsibility), I want to delegate to the OpenID
provider I already use in my daily work."

> Why would we want to encourage the use of OpenID in
> scenarios where it didn't have to be used?

That's a good point. We should probably not run this as a hosted service
under the Persona brand.

Francois

Gervase Markham

Sep 10, 2013, 7:06:26 AM
to Francois Marier
On 08/09/13 10:00, Francois Marier wrote:
> My understanding is that your OpenID has to be different from mine if
> we're logging into the same site. That URL is the unique identifier for
> each user.

Good point - OK :-)

>> Where is that list of IDs that I see when I do a persona login stored?
>
> It's currently stored in the fallback IdP account. At the Paris
> mini-work-week we discussed moving this to local storage (or somewhere
> else in the browser in the case of native Persona support).

That seems like a very wise move.

> Here's a use case for it:
>
> "As an Ubuntu/OpenStack/Android developer, I already have a secure
> OpenID provider that I trust and I would like to make use of it to log
> into Persona sites. I do not want to run my own identity provider
> (that's too much responsibility), I want to delegate to the OpenID
> provider I already use in my daily work."

..."and either a) my email provider's IdP is not secure enough for me,
or b) the Mozilla backup IdP is not secure enough for me"?

I think the "I want to have 42 passwords rather than 43 passwords"
argument is pretty weak; you could only really make the case for this if
your OpenID provider happened to have some extra special security.

>> Why would we want to encourage the use of OpenID in
>> scenarios where it didn't have to be used?
>
> That's a good point. We should probably not run this as a hosted service
> under the Persona brand.

I really think that this would not be a good use of the Persona team's
time. If someone else wants to write it, good for them.

Gerv
