User profile pages should not be OpenID identities
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself | Fix Released | Medium | Unassigned | | |
Bug Description
When we announce general availability of Launchpad as an OpenID provider, we should only offer identity URLs we are willing to support long term, since withdrawing an identity URL can cut the user off from RPs where they used that identity.
At this point, we are exposing two classes of identity URLs:
1. persistent identity URLs (e.g. https:/
2. a user's profile page (e.g. https:/
We are already committed to the first for the shop, and other services. The second is currently only available to members of the openid testers team, so is not in wide use. I think we should remove the second class of identity URLs.
The following steps are needed to remove these URLs while still letting people log in to OpenID 2.0 sites with their profile page URL:
1. edit person-index.pt to remove the <link> elements providing OpenID 1.x discovery support.
2. make person-xrds.pt the same as openidapplicati
The tests for OpenID discovery will need to be updated appropriately. This change makes person profile pages into identifier select URLs and Launchpad will return the person's persistent identity URL in the response.
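An added example, not part of the bug report or Launchpad's code: a discovery audit for the two steps above, reporting whether a profile page still offers itself as a claimed identifier instead of an identifier select URL. The `op.example` URLs and sample documents are constructed; the `rel` values and service Type URIs are the ones defined by the OpenID 1.1 and 2.0 specifications.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRD = "{xri://$xrd*($v*2.0)}"
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"  # identifier select
CLAIMED_ID = "http://specs.openid.net/auth/2.0/signon"     # URL is itself an identity
OPENID1 = {"http://openid.net/signon/1.0", "http://openid.net/signon/1.1"}
# HTML discovery can only yield a claimed identifier, so any of these rels counts.
HTML_RELS = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}

class LinkRels(HTMLParser):
    """Collect OpenID discovery rel values from <link> elements."""
    def __init__(self):
        super().__init__()
        self.rels = set()
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            self.rels |= HTML_RELS & set((dict(attrs).get("rel") or "").lower().split())

def audit_profile(html_text, xrds_text):
    """Return findings; an empty list means the page is identifier-select only."""
    parser = LinkRels()
    parser.feed(html_text)
    findings = [f"HTML discovery link present: rel={r}" for r in sorted(parser.rels)]
    # Audit your own deployment's output; use a hardened parser for untrusted XML.
    types = {t.text.strip() for t in ET.fromstring(xrds_text).iter(XRD + "Type") if t.text}
    if CLAIMED_ID in types:
        findings.append("XRDS offers the page as an OpenID 2.0 claimed identifier")
    findings += [f"XRDS offers OpenID 1.x service {t}" for t in sorted(types & OPENID1)]
    if OP_IDENTIFIER not in types:
        findings.append("XRDS lacks the OP Identifier (identifier select) service")
    return findings

# Constructed samples (hypothetical op.example host), not Launchpad's real output.
XRDS = ('<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>'
        '<Service><Type>%s</Type><URI>https://op.example/+openid</URI></Service>'
        '</XRD></xrds:XRDS>')
BEFORE_HTML = ('<html><head><link rel="openid.server" href="https://op.example/+openid">'
               '<link rel="openid.delegate" href="https://op.example/+id/abc123">'
               '</head><body>alice</body></html>')
AFTER_HTML = "<html><head><title>alice</title></head><body>alice</body></html>"

if __name__ == "__main__":
    print(audit_profile(BEFORE_HTML, XRDS % CLAIMED_ID))
    print(audit_profile(AFTER_HTML, XRDS % OP_IDENTIFIER))
```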
Changed in launchpad: | |
assignee: | nobody → flacoste |
importance: | Undecided → High |
milestone: | none → 1.2.3 |
status: | New → Confirmed |
Changed in launchpad: | |
milestone: | 1.2.3 → 1.2.4 |
Changed in launchpad: | |
milestone: | 1.2.4 → 1.2.5 |
Changed in launchpad: | |
milestone: | 1.2.5 → 1.2.6 |
assignee: | flacoste → nobody |
Changed in launchpad: | |
assignee: | Curtis Hovey (sinzui) → nobody |
Any reason we don't want to support form 2) long term?
Form 2) is for users trying to authenticate with OpenID 1.0/1.1 consumers. The major consumers are switching but there are still bugs to iron out (e.g. LiveJournal). In reality, dropping this might not be too much hardship.