Status of OpenID Consumer in Bugzilla
Rob Lanphier
robla at robla.net
Fri Jul 1 16:03:26 PDT 2005
Hi Martin,
Comments inline (multiple parts snipped out):
On Fri, 2005-07-01 at 10:59 +0100, Martin Atkins wrote:
> Rob Lanphier wrote:
> > * Where should the OpenID URI be stored?
>
> LiveJournal does this by having a separate identity map table. Every new
> OpenID user gets a userid magically allocated and an entry placed into
> the map table which is essentially a (userid, identity) pair. This seems
> reasonable since it doesn't inflate any other tables and add needless
> indexes for sites which aren't using OpenID.
I think you're probably right from a long-term perspective. I have some
misgivings about using an existing field that may clash with other auth
mechanisms.
BZ folks, what are your thoughts on this input?
> > * Should email verification process still occur?
>
> No. As above, ideally Bugzilla shouldn't need my email address unless I
> want to be contacted through it, in which case I'll provide it when I've
> logged in. The address I'm identified by on LiveJournal's bugzilla
> installation doesn't actually work anymore, but I've done nothing about
> it because I don't want email from Bugzilla anyway. I don't really see
> why I should have to provide it if I'm not going to use it as a login
> identifier, especially on LiveJournal's Bugzilla where email isn't used
> as a primary means of contact.
Well, I don't see any way around verifying email *when* its used. You
bring up very good points on the question of "if", but once someone opts
in, I don't think that BZ can trust an email provided by an OpenID user
any more than it can trust an email provided by a normal new account.
So, this is probably a two-stage process:
1. Make it possible to use BZ with OpenID
2. Make it possible to use BZ without email
A third stage way down the road is to somehow optimize how email
verification works (e.g. OpenID for mailto: URLs).
> In the interests of getting a working version out quickly, though, I'd
> accept as a short term solution just binding an OpenID identity to an
> existing email-bound account. That way I won't have to remember my
> password. :)
Cool, I should be able to get something like this out soon.
Rob
More information about the yadis
mailing list