Re: Good communication with upstream is good idea

[Ben Finney <ben+debian@benfinney.id.au>]

Steve Langasek <vorlon@debian.org> writes:

> On Wed, Jul 23, 2008 at 12:15:20PM -0400, Joey Hess wrote:
> > I've seen websites get openid wrong in a variety of amusing ways,
> > but on reasonable implementations, you generally indicate your
> > openid provider by trying your openid into the openid login box
> > when first visiting a web site, and are then immediatly logged
> > into that web site.
> 
> You first have to have some way of associating your openid login with an
> account on that website.

In the workflow Joey describes above, this is usually done by the
server creating the account on first login.

> The only way to make that initial association would be by logging in
> to Launchpad using a one-time password from their registration
> interface.

No, this could (instead) be done by Launchpad authorising the OpenID
login, creating the account, and treating the session as logged into
that account from that point on. In other words, the OpenID *is* the
authentication, as far as Launchpad is concerned.

Whether this requires changes to Launchpad so that it conforms with
normal OpenID replying party behaviour, I don't know; probably it
does. But until it dos, Launchpad is not behaving as a normal OpenID
relying party.

-- 
 \       “I believe in making the world safe for our children, but not |
  `\    our children's children, because I don't think children should |
_o__)                                     be having sex.” —Jack Handey |
Ben Finney