We use cookies to improve your experience. No personal information is gathered and we don't serve ads. Cookies Policy.

ExpressionEngine Logo ExpressionEngine
Features Pricing Support Find A Developer
Partners Upgrades
Blog Add-Ons Learn
Docs Forums University
Log In or Sign Up
Log In Sign Up
ExpressionEngine Logo
Features Pro new Support Find A Developer
Partners Upgrades
Blog Add-Ons Learn
Docs Forums University Blog
  • Home
  • Forums

OpenID? It's been discussed in these forums before,

Development and Programming

Adrienne L. Travis's avatar
Adrienne L. Travis
213 posts
16 years ago
Adrienne L. Travis's avatar Adrienne L. Travis

but nothing’s ever come of it. It’s PHP-available now (it wasn’t one of the earlier times), Wordpress and Drupal have plugins/extensions – anyone got anything working on this front?

–Adrienne

       
Todd S's avatar
Todd S
57 posts
16 years ago
Todd S's avatar Todd S

The silence is deafening. I’m curious if any pmachine officials have any thoughts on today’s scuttlebut –> Wordpress, 37Signals Join OpenID Bandwagon. User management is probably the biggest issue hanging over me as I chart my direction with EE or alternatives. LDAP and OpenID(to a lesser degree) are central to this issue.

First, I want to get single sign-on implemented within an individual company. Not sure how OpenID will apply to my customers, just yet, so it’ll be interesting to see how that plays out with 37signals in a commercial application. In the blog world, yes, OpenID would seemingly fit like a glove, but it’ll take a while before it gains traction as an identity engine for businesses.

       
Jeremiah C.'s avatar
Jeremiah C.
8 posts
15 years ago
Jeremiah C.'s avatar Jeremiah C.

I too am highly interested in OpenID support in EE, should a module or, preferably, EE include this as a standard feature.

       
Hop Studios's avatar
Hop Studios
460 posts
15 years ago
Hop Studios's avatar Hop Studios

I actually don’t care too much about OpenID at this point – but one of my potential clients now does. So consider this a +1. 😊

TTFN Travis

       
Jamie Poitra's avatar
Jamie Poitra
409 posts
15 years ago
Jamie Poitra's avatar Jamie Poitra

Paul or Derek would need to chime in on any actual plans.

However, there are some valid security concerns involved with tying your membership and thus your entire EE install into a system that is run on servers not directly under your control.

I’ve not looked at the complete details of how OpenID works but I have a read a few pieces by people who have. There are some real potential issues with the way it works. And any time you relinquish site access to something you aren’t fully in control of there is potential for very real security issues regardless of how well designed it is (and there are people of the opinion that OpenID is fundamentally flawed in its design).

In addition I have used a few sites that use OpenID accounts and created one of my own to play with. I found the process very confusing from a user standpoint. It quickly becomes unclear where your account actually is. Where is my password stored? Where do I go to change it? Why do I have two logins for some sites with OpenID but only one for others?

Other than being a current buzz word, I don’t personally feel that OpenID integration has much of anything going for it. EE has an incredible track record in terms of security. I would be extremely hesitant to mess with that.

Please note again that Derek or Paul would need to chime in to give an idea of what kind of plans they might have for EE and OpenID. The above is my opinion of the state of things not EllisLab canon.

Jamie

       
Ty Martin's avatar
Ty Martin
232 posts
15 years ago
Ty Martin's avatar Ty Martin

Hi Jamie and Co. I just stumbled onto this discussion and thought I’d respond to Jamie’s concerns. I can’t add too much technically and I’m glad you and the EE crew and others are considering security with EE and OpenID, but at some point there will be some cross-site OpenID-like tool to manage identities online. If that’s not OpenID then what else will it be?

To me the security über ales attitude would be like ditching wifi and all it’s possibilities because WEP was flawed. Sure there are holes, but unless you’re attracting wide-spread attention, who’s going to waste their time with your network/EE installation? There are always ways to beef up and patch up security holes too, right?

The potential for cross-site membership is exciting though. Look at how successful Ning has been. Just wait till OpenSocial gets off the ground. This feature is inevitable, so let’s figure out an implementation to make it work with EE.

EDIT: +1 on this.

       
playwithsticks's avatar
playwithsticks
20 posts
15 years ago
playwithsticks's avatar playwithsticks

I completely agree. I think the pros out weigh the cons and am all in for an OpenID mod/plug/ext for EE

       
mrwarren's avatar
mrwarren
31 posts
15 years ago
mrwarren's avatar mrwarren

Agreed - this would be really handy. To be honest, I trust OpenID’s servers as much or more than my own, just because they’re there for one thing only - to authenticate stuff. So they’re going to be pretty good at it.

@wondermonkey - I’d say even if you have widespread attention you’re going to be safe. 37signals has added openid support to almost all of their apps. If it’s good enough to run basecamp, I’d say it’s good enough for me.

@jamie poitra - I agree with one of your issues for sure. OpenID right now has a pretty steep learning curve for new users. I think the easier they can make that the wider the adoption is going to be.

To me OpenID feels like RSS. Once you get used to using it - you wish every site out there had it.

       
Jamie Poitra's avatar
Jamie Poitra
409 posts
15 years ago
Jamie Poitra's avatar Jamie Poitra

I’m not sure the WIFI analogy works for me. With WIFI there are alternative ways of preventing access that are more secure than WEP. And in fact, some work places do NOT allow wireless connections despite all its possibilities (or didn’t until the enterprise versions of WPA came around). I don’t think its necessarily wrong in many cases to err on the side of caution when important data is concerned.

And the fact that 37signals is using it does nothing for me. 😊 The 37signals guys are brilliant but I’ve seen them do things that I would never do and say things that I don’t agree with.

I imagine an OpenID solution for EE that allows you to opt out would be reasonable. But as it would need to be built into the authentication and member account portions of EE its something for EllisLab to take care of as they see fit.

I guess I’m just really hesitant to trust other people with my personal security and privacy. I don’t use gmail besides using it for testing purposes for similar reasons. It’s great and all that Google’s motto is “Do no evil” but thats my life sitting there on my email server. I’d rather it be owned and controlled by myself and people I trust.

Jamie

       
mrwarren's avatar
mrwarren
31 posts
15 years ago
mrwarren's avatar mrwarren
I’d rather it be owned and controlled by myself and people I trust.

Exactly! It’s a trust issue. If you don’t trust OpenID, then you definitely won’t want to use it. Tons of people do though, and that number’s growing. I trust Google too, and Pair (my hosting provider). If I ever find any reason to not trust any of them, then I’d definitely switch my services away from them.

I agree it needs to be an opt-in solution (again, using Basecamp as an example - they default to regular ol’ user/pass model and let people opt into OpenID).

       
Matt Weinberg's avatar
Matt Weinberg
489 posts
15 years ago
Matt Weinberg's avatar Matt Weinberg

The great thing about OpenID is that if your openID provider starts getting shady or untrustworthy, you simply switch your OpenID delegate at your domain name to a new company and none of your logins have to be changed. There are plenty of delegates out there to try. I use myopenid.com personally.

       
Tim G.'s avatar
Tim G.
24 posts
14 years ago
Tim G.'s avatar Tim G.

Is there any news on OpenID? Will it have a module here at EE?

       
current's avatar
current
145 posts
14 years ago
current's avatar current

Hi all!

Check out this link!

With Paypal having joined the OpenID board, I think it’s time to give this some serious thought!

       
otto's avatar
otto
48 posts
about 14 years ago
otto's avatar otto

Going on two years for this request? Is anyone reading this request post other than those who so much want to see an OpenID sign-in??

We really need one. Yes, the client goes with us. No,…. their gone. <sigh>

       
Spazsquatch's avatar
Spazsquatch
112 posts
13 years ago
Spazsquatch's avatar Spazsquatch

FWIW there is an OpenID library available on (in? Damn you App Store!!!) the CodeIgniter Wiki. That might make it an easy addition come 2.0.

       

Reply

Sign In To Reply

ExpressionEngine Home Features Pro Contact Version Support
Learn Docs University Forums
Resources Support Add-Ons Partners Blog
Privacy Terms Trademark Use License

Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.