Status of OpenID Consumer in Bugzilla
Rob Lanphier
robla at robla.net
Fri Jul 1 23:03:26 UTC 2005
Hi Martin,
Comments inline (multiple parts snipped out):
On Fri, 2005-07-01 at 10:59 +0100, Martin Atkins wrote:
> Rob Lanphier wrote:
> > * Where should the OpenID URI be stored?
>
> LiveJournal does this by having a separate identity map table. Every new
> OpenID user gets a userid magically allocated and an entry placed into
> the map table which is essentially a (userid, identity) pair. This seems
> reasonable since it doesn't inflate any other tables and add needless
> indexes for sites which aren't using OpenID.
I think you're probably right from a long-term perspective. I have some
misgivings about using an existing field that may clash with other auth
mechanisms.
BZ folks, what are your thoughts on this input?
> > * Should email verification process still occur?
>
> No. As above, ideally Bugzilla shouldn't need my email address unless I
> want to be contacted through it, in which case I'll provide it when I've
> logged in. The address I'm identified by on LiveJournal's bugzilla
> installation doesn't actually work anymore, but I've done nothing about
> it because I don't want email from Bugzilla anyway. I don't really see
> why I should have to provide it if I'm not going to use it as a login
> identifier, especially on LiveJournal's Bugzilla where email isn't used
> as a primary means of contact.
Well, I don't see any way around verifying email *when* it's used. You
bring up very good points on the question of "if", but once someone opts
in, I don't think that BZ can trust an email provided by an OpenID user
any more than it can trust an email provided by a normal new account.
So, this is probably a two-stage process:
1. Make it possible to use BZ with OpenID
2. Make it possible to use BZ without email
A third stage way down the road is to somehow optimize how email
verification works (e.g. OpenID for mailto: URLs).
> In the interests of getting a working version out quickly, though, I'd
> accept as a short term solution just binding an OpenID identity to an
> existing email-bound account. That way I won't have to remember my
> password. :)
Cool, I should be able to get something like this out soon.
Rob
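
The storage and verification choices discussed in this thread, sketched as an added example that is not code from Bugzilla, LiveJournal or either poster: a separate (userid, identity) map table, binding an identity to an existing email-bound account, and email that stays unverified until a mailed token comes back. Table, column and function names are hypothetical, SQLite stands in for the real database, and the identity URL is assumed to have already passed OpenID verification.

```python
import secrets
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            userid INTEGER PRIMARY KEY,
            email TEXT UNIQUE,              -- NULL until the user opts in
            email_verified INTEGER NOT NULL DEFAULT 0,
            email_token TEXT
        );
        -- The (userid, identity) map: the only OpenID-specific table.
        CREATE TABLE openid_identity (
            identity TEXT PRIMARY KEY,      -- one identity URL maps to one account
            userid INTEGER NOT NULL REFERENCES users(userid)
        );
    """)
    return db

def userid_for_identity(db, identity):
    """Return the account for a verified identity URL, allocating one if new."""
    row = db.execute("SELECT userid FROM openid_identity WHERE identity = ?",
                     (identity,)).fetchone()
    if row:
        return row[0]
    userid = db.execute("INSERT INTO users DEFAULT VALUES").lastrowid
    db.execute("INSERT INTO openid_identity VALUES (?, ?)", (identity, userid))
    return userid

def bind_identity(db, identity, userid):
    """Short-term path: attach an identity to an existing email-bound account."""
    db.execute("INSERT INTO openid_identity VALUES (?, ?)", (identity, userid))

def request_email(db, userid, email):
    """Opt in to email: stored unverified, with a token to be mailed out."""
    token = secrets.token_urlsafe(16)
    db.execute("UPDATE users SET email = ?, email_verified = 0, email_token = ? "
               "WHERE userid = ?", (email, token, userid))
    return token

def confirm_email(db, userid, token):
    """Mark the address verified only if the mailed token comes back."""
    cur = db.execute("UPDATE users SET email_verified = 1, email_token = NULL "
                     "WHERE userid = ? AND email_token = ?", (userid, token))
    return cur.rowcount == 1
```

Because `identity` is the primary key of the map table, a second attempt to bind the same identity URL to a different account raises `sqlite3.IntegrityError` instead of silently re-pointing it.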