SVN OpenID OAuth

Last edited by Chris Messina 3 months, 1 week ago

Wanted to follow up on an anti-pattern I see, and an opportunity that I think we could collectively develop a good practice around. Specifically:

http://getsatisfaction.com/beanstalk/topics/beanstalk_should_not_ask_me_for_an_openid_and_then_not_verify_it

Interestingly, Unfuddle implemented support in the same way.

My contention is that whenever someone specifies an OpenID URL, they should have to verify it immediately in order to associate it with an account.

Now, I understand in both Beanstalk and Unfuddle's cases there are other traditional credentials available to sign in, especially for SVN, but this kind of defeats the purpose and utility of using a single identifier for sign in.

So, a couple things:

  1. I should be able to create a new account with my OpenID.
  2. If I already have an account in the system, I should be able to associate (one or more) OpenIDs with that existing account.
  3. If you let me associate an OpenID with an account that I'm already signed in to, you should force me to verify that OpenID immediately (i.e. I shouldn't be able to just type my OpenID into a textbox, save it, and NOT verify that it is indeed my OpenID -- for example, what if I put in someone else's OpenID? What if I want to use Yahoo's directed identity? etc).
  4. I should be able to remove or disassociate any OpenID from my account, unless it is the last good identifier on my account (i.e. I must always have at least n or more identifiers associated with my account, where n is at least 1 or greater).
  5. I should be able to make use of any API without necessarily needing a new identifier (use OAuth).
  6. I should be able to use something like SVN or protected RSS feeds along with my OpenID (see Basecamp's token model, or OAuth).

So, given these desires/requirements, I feel like we have the pieces we need to put together an advisory document to describe how to meet all these needs... I'd like to know specifically if Unfuddle or Beanstalk has any pushback or questions about these things, or questions about how to best go about implementing support for this stuff.

Chris
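
An added example, not part of the original post and not Beanstalk's or Unfuddle's code: a minimal sketch of items 3 and 4 on the relying-party side, where an OpenID typed into a form is never stored and only the claimed identifier from a verified assertion is attached to the account (which also covers directed identity, where the verified identifier differs from what was typed). The class, method names and in-memory storage are hypothetical, and the OpenID discovery and assertion checks are assumed to be done by an OpenID library before `complete_link` is called.

```python
import secrets

MIN_IDENTIFIERS = 1  # the "n" from item 4


class LinkError(Exception):
    pass


class AccountStore:
    """In-memory sketch; a real relying party would back this with its database."""

    def __init__(self):
        self.identifiers = {}  # account -> set of verified sign-in identifiers
        self.owner = {}        # verified identifier -> account
        self.pending = {}      # one-time handle -> account that started the link

    def create_account(self, account, verified_identifier):
        self.identifiers[account] = {verified_identifier}
        self.owner[verified_identifier] = account

    def begin_link(self, account, typed_identifier):
        # Nothing is saved against the account yet. typed_identifier is only
        # used to start discovery and the redirect to the provider (not shown).
        handle = secrets.token_urlsafe(16)
        self.pending[handle] = account
        return handle

    def complete_link(self, handle, signed_in_account, verified_claimed_id):
        # verified_claimed_id must come from a positive assertion the OpenID
        # library has already validated, never from the form field.
        account = self.pending.pop(handle, None)
        if account is None or account != signed_in_account:
            raise LinkError("unknown, reused or foreign link handle")
        if self.owner.get(verified_claimed_id, account) != account:
            raise LinkError("OpenID already belongs to another account")
        self.owner[verified_claimed_id] = account
        self.identifiers[account].add(verified_claimed_id)

    def remove(self, account, identifier):
        ids = self.identifiers.get(account, set())
        if identifier not in ids:
            raise LinkError("identifier is not on this account")
        if len(ids) <= MIN_IDENTIFIERS:
            raise LinkError("cannot remove the last good identifier")
        ids.remove(identifier)
        self.owner.pop(identifier, None)
```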
