Beanstalk should not ask me for an OpenID and then not verify it
Basecamp had this problem in the beginning. If you're going to ask for an OpenID, I need to prove that I own and can login with that URL *immediately*! Otherwise I could put in google.com and then be locked out of my account!
1 person has this problem
-
The thing is, you will still need login/pass for svn, that's why we don't allow having OpenID as the only authentication method. That means that you can always login like boring people, using login/pass.
I’m confident
-
Thanks -- and while that makes sense, it's still bad practice.
As for your SVN observation, you should take a look at OAuth. We're working on solving that very problem.
http://groups.google.com/group/oauth
I’m confident
-
I agree that validation of OpenID URLs is important and I can promise that our OpenID support in Beanstalk will greatly improve over time.
We have a couple of neat ideas pending, we just need to get the public release kicked out of the house, so we can start polishing and improving.
P.S. Checking OAuth. Can't figure out what it is about yet.
I’m excited
-
Hey Chris,
I'm interested in hearing more about OAuth. What were some of the situations that motivated you to start the project? It seems like it could be very useful for Beanstalk, if I understand it correctly.
I’m curious
-
OAuth was motivated by two use cases: Dealing with Ma.gnolia's support for OpenID account creation in Dashboard Widgets (how do you login to a dashboard widget with an OpenID?) and getting Twitter to support OpenID when they currently only support (at the time) basic auth for their API... in other words, how do you enable desktop and/or web service authentication for OpenID?
The solution was to look at existing auth solutions like AuthSub (Google), BBAuth (Yahoo), FlickrAuth, and OpenAuth (AOL) and abstract a protocol based on best practices and common methods that all could implement and support... reducing the work of developers and providing essentially "the OpenID of APIs"...
Make sense? 0.9 of the spec should be out tomorrow; 1.0 should be out Oct 1.
I’m proud
-
Very useful. I'll make sure to follow and contribute to the group. We will be interested in using this as we extend our apps. Thanks!
I’m enlightened
-
This flow is still broken. I tried to sign in using my OpenID and nothing happened... I just got error messages:
http://flickr.com/photos/factoryjoe/2...
There seems to be no way that you verify that I actually OWN that URL -- which could cause problems if I enter the wrong OpenID URL and then can't log in.
It also seems a missed opportunity to use SREG.
Anyway, I would have hoped that this would have been fixed by now.. any thoughts?
I’m frustrated
-
Welcome back. Don't be frustrated :)
We just talked about this the other day.
SREG would be almost useless for our registration, mainly because we need you to fill in a real user/pass. We actually considered completely removing OpenID from registration until we find some time for the right solution.
At the moment, all of our attention has been going into stability, performance, and the UI. We have a pretty big update coming soon, so after that, we can dig into the OpenID solution.
We've been slacking a bit on the OAuth investigation. If you have some time, get in touch by email or IM to get me up to speed.
Thanks for checking in.
-Chris
1 person says
this solves the problem
-
Fair enough. Still, you tempt me so!
While I can see how OpenID doesn't seem all that useful, especially since you're talking about the need for username/password for SVN... SREG is useful for filling in the name and email address -- and would save me typing if you're going to offer OpenID anyway.
I'll happily follow up by email; for OAuth to be much of a solution we need to patch SVN, which is a bit of a way off... not impossible, but not something that'll happen right away.
I’m still waiting for satisfaction. But I'm patient.