http://qs321.pair.com?node_id=712075

I was recently checking out Stack Overflow, a relatively new programming Q&A site. Like PerlMonks, it uses voting to rate quality answers, but unlike PerlMonks, there aren't really discussion threads (answers with high votes get sorted to the top.)

Anywho, it looks pretty interesting, so I decided to sign up. Turns out they use OpenID, which I hadn't heard of before. OpenID can (apparently) authenticate you against any user database ("provider?") that has an OpenID API. So, if I'm going to answer Perl questions on Stack Overflow, why not identify myself with my PerlMonks account?

Would it be difficult to add an OpenID provider to PM? A good idea? I would of course be willing to contribute to the development effort. I'm already perusing through the OpenID modules on CPAN.

Re: PerlMonks OpenID provider?
by Your Mother (Archbishop) on Sep 17, 2008 at 18:23 UTC

    Would it be difficult to add an OpenID provider to PM?

    No. It would be semi-trivial. Probably something like 50-100 lines of code + Net::OpenID::Server.

    A good idea?

    I think "no." It sort of locks PM into being an identity provider. That's kind of a big commitment for little, if any, gain. Mostly it would be the programming equivalent of a vanity plate. There are several good/free OpenID providers out there already. If you want to do your own from your own site, it should be pretty easy to roll (after you get your head around the protocol -- it's confusing at first). If I could choose, I'd prefer OpenID to generally reflect 1:1 ownership of domains or accounts at dedicated providers, rather than participation in social (even code based like PM) sites.

      I think you mean Net::OpenID::Consumer. UPDATE: oh, never mind, he's not talking about logging into pm, he's talking about logging into other sites as pm home nodes... my mistake. I'm against that. I'm for the logins.

      -Paul

      If I could choose, I'd prefer OpenID to generally reflect 1:1 ownership of domains or accounts at dedicated providers

      Except that this runs counter to one of the express goals of OpenID.

      Makeshifts last the longest.

      Hi,

      I tend to agree with My Mother... sorry, your Mother, when s?he says that (s)he prefers OpenID to reflect 1:1 ownership of domains or accounts at dedicated providers.

      So, I don't think that the time needed to turn PerlMonks into an OpenID provider would be more interestingly used to make PerlMonks into an OpenID consumer, so that we could use our OpenID identifiers here.

      But, again, maybe there are other things that could be done before that.

Re: PerlMonks OpenID provider?
by mr_mischief (Monsignor) on Sep 18, 2008 at 00:16 UTC
    Doing so might be useful to you personally and to a handful of other monks. How, though, would using PM resources to make logging into another programming forum easier benefit PM? Why should my page views here suffer in speed from you logging in to answer a Perl question on some other site? It doesn't seem to be a very useful choice for PM's development time or machine resources from where I sit.
      Doing so might be useful to you personally and to a handful of other monks. How, though, would using PM resources to make logging into another programming forum easier benefit PM? Why should my page views here suffer in speed from you logging in to answer a Perl question on some other site? It doesn't seem to be a very useful choice for PM's development time or machine resources from where I sit.
      Exactly. The OP proposes that PM people expend effort which will have the effect of creating the vector PM -> SO. How does Perlmonks benefit from diverting mindshare to Stack Overflow?

      If the point is to get PM people to post pointers back to PM on SO, one doesn't need to add an OpenID provider to PM for that -- it's simply a matter of creating accounts over there and logging in.

      Plus there are the security issues raised by others.

      It's far better to spend development effort on things that benefit people on Perlmonks.

Re: PerlMonks OpenID provider?
by jettero (Monsignor) on Sep 17, 2008 at 17:54 UTC
    I think it's a great idea, but I'm biased -- I like OpenID. There are a bunch of problems with it, and I think there are as many people who hate it as people who've heard of it.

    I think our home nodes should use http://microid.org/ too.

    -Paul

Re: PerlMonks OpenID provider?
by dHarry (Abbot) on Sep 18, 2008 at 11:56 UTC

    My concern is the security part. How secure is this OpenID? I read some stuff on identityblog on OpenID and I am not sure what to make of it. For submitting a Perl post on a forum I can probably live with the level of security. (Logging on to the Monastery means submitting your password over http, which is also not particularly safe.)

    But OpenID will most likely quickly turn into a silver bullet (IT history is full of examples) and be (over)applied to any authentication/authorization problem. I would like to know more about it before I go gung-ho on OpenID. It does look like an interesting initiative though (at first sight).

      An interesting security aspect of trust-based authentication is that authentication for every site using it is only as secure as the least secure trusted site.

      I'm not very familiar with OpenID as the buzzword du jour, but I'm guessing a site administrator can specifically distrust authentication information from particular sites. That's a good security move. When you start broadly wild carding denials or switching over to explicit acceptance instead of explicit denial then it's not exactly "open" any longer. It just becomes a small ring of trust, which is frankly not that exciting to me.

      I mean, do you really want to trust Bob's Computer Shop to allow logins to your site? Slashdot? 4chan? If Business Week is suffering from SQL injection attacks on their main page, do you really want all their blog commenters to log in all over the rest of the web with trust credentials?

        "I mean, do you really want to trust Bob's Computer Shop to allow logins to your site?"

        Why wouldn't you? For the average site (like the one mentioned in the OP), it really doesn't matter who handles authentication (not authorization). Now let's leave banks and websites like that out of the question. Digg? Slashdot? Perlmonks? JoeSchmoe-Forum? Does it really matter who handles authentication?

        Sure, Bob's Computer Shop could be faking credentials, but with regular password based authentication on your own site, you're really no better off. (Palin's Yahoo! mailbox anyone?). With sites like bugmenot.com, password based authentication is definitely no better IMHO.

        But I'd like to hear some arguments of the "haters" :)

        --
        b10m