I have written a fair number of webapps. They are virtually all quick and dirty things mostly for myself and immediate friends, but there are more than a few. I am pretty sick of implementing authentication.
I have two previous go-to approaches to authentication:
- Collect a username, password, and email address. The email address is used for password recovery/resets.
- Avoid collecting any user data. Generate some random value and stick it on the URL. If someone wants to return as the same person, they need to save that URL.
For my last project, I decided to take OpenID for a spin. There is already plenty written on the failings of OpenID.
But my experience was slightly difference from what I have read, so I want to elaborate.
I wanted to make my webapp, but I knew I wanted to try something like !OpenID for authentication. I say "something like," because going into this, I had no preconceptions about whether OpenID, OAuth, or some other proprietary thing I had never heard of was what I wanted. That probably should have been enough to stop me.
I decided I would be using OpenID via python-openid. As far as I can tell, the included examples are the only documentation of that library. The django example did not help me much, as I was not using django and am not very familiar with it. I focused mostly on consumer.py, but it has a number of configurable parameters that only confused me, and I did not find it helpful at all that it only functioned as a standalone web server.
I fought with it for a while and eventually ended up with something which purported to authenticate me. I also found and hooked up a reasonably nice frontend for encouraging people to use well-known providers.
I eventually went on to work on actually implementing my web app and started showing it to people. Several things happened. These things surprised me. Authentication is not a place where I want to be surprised.
- People associate authenticating with third parties with leaking information from those third parties.
- My app deals with RSS feeds. People authenticated with their Google accounts. People were disappointed that their Google Reader RSS feeds did not show up.
- People do not like leaking information.
I'm not sure why, but whenever I see "login with Facebook" or similar stuff, I tend to close the tab and move on.
- I misinterpreted what guarantees !OpenID was making. I may still be doing so. The biggest example of this is that Google returned a different ID depending on the realm I specified.
- I initially had generated the realm from the HTTP request, which meant that the domain people used to get to the site and whether they included a trailing slash on the URL would cause them to authenticate as different users.
- I experimented with moving the site to a different host, but that would have required changing the realm and therefore somehow re-authenticating everybody.
This little adventure was not all failure. It is still in operation, and people use it.
Probably the coolest thing to me is that I am storing so little personal identifying information. In general, I would say that people should care about this more than they do. I store OpenIDs. I store no email addresses. Names are optional. If someone gets access to the database, they get a list of Google OpenID URLs that are specific to my site and therefore pretty worthless.
Google tends to remember that I have logged in, so I can get into my site just by clicking on the Google provider logo.
But OpenID has not really solved any problems I have, and it has been a big hassle to integrate correctly.