
Comments (11)

sizzlemctwizzle commented on May 22, 2024

I've decided to abandon implementation of this feature for now because it would be far too easy to abuse. We have plenty of authentication strategies and we can obtain OAuth keys to add even more. I might consider adding this feature if people actually express a need for it in the future if we combine it with a CAPTCHA or add a bunch of code to monitor creation of accounts from various OpenID providers so we could blacklist the bad ones. I just don't feel like opening the site up to a game of whack-a-mole right now.

from openuserjs.org.

sizzlemctwizzle commented on May 22, 2024

This issue has been reopened because someone has expressed an interest in this issue (#88).
As I stated above, the reason I closed this issue in the first place was because of a lack of interest by others, that I didn't see an immediate need with all of the existing authentication methods available, and the great potential for abuse since anyone would set up an OpenID provider and use it to easily create a limitless number of phony users.

I might allow this feature, but require the OpenID provider to use HTTPS, keep which providers were used to create an account with OpenID (so we can detect abuse), and also require a CAPTCHA (or some other form of anti-bot measure at registration).

from openuserjs.org.
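
One way the registration conditions listed in the comment above (HTTPS-only provider, a record of which provider each signup came from, a CAPTCHA) could be enforced, as an added example that is not OpenUserJS code. The function names, the per-provider limit and window, the block-on-burst policy and the `.example` endpoints are assumptions.

```javascript
'use strict';
// Added illustration, not OpenUserJS code. Thresholds and names are assumptions.
const MAX_SIGNUPS_PER_WINDOW = 3;   // assumed per-provider limit
const WINDOW_MS = 60 * 60 * 1000;   // assumed window: one hour

function createRegistrationGate(now = () => Date.now()) {
  const signups = new Map();  // provider host -> timestamps of accepted signups
  const blocked = new Set();  // provider hosts blocked after exceeding the limit

  // opEndpoint: the provider endpoint URL found by OpenID discovery (assumed input).
  function check(opEndpoint, captchaPassed) {
    let url;
    try {
      url = new URL(opEndpoint);
    } catch (err) {
      return { ok: false, reason: 'invalid-endpoint' };
    }
    if (url.protocol !== 'https:') return { ok: false, reason: 'https-required' };
    const provider = url.hostname;  // recorded so abuse can be traced per provider
    if (blocked.has(provider)) return { ok: false, reason: 'provider-blocked', provider };
    if (!captchaPassed) return { ok: false, reason: 'captcha-required', provider };

    const t = now();
    const recent = (signups.get(provider) || []).filter((ts) => t - ts < WINDOW_MS);
    if (recent.length >= MAX_SIGNUPS_PER_WINDOW) {
      blocked.add(provider);  // burst from one provider: block pending review
      return { ok: false, reason: 'provider-rate-exceeded', provider };
    }
    recent.push(t);
    signups.set(provider, recent);
    return { ok: true, reason: 'accepted', provider };
  }
  return { check, blocked };
}

// Constructed sample attempts against a made-up provider on the reserved .example TLD.
function demo() {
  let clock = 0;
  const gate = createRegistrationGate(() => clock);
  const attempts = [
    ['http://op.example/openid', true], ['https://op.example/openid', false],
    ['https://op.example/openid', true], ['https://op.example/openid', true],
    ['https://op.example/openid', true], ['https://op.example/openid', true],
    ['https://op.example/openid', true], ['not a url', true],
  ];
  return attempts.map(([u, c]) => { clock += 1000; return gate.check(u, c).reason; });
}

console.log(demo());
```

The per-provider counter only limits a single abusive provider; it does nothing against signups spread across many throwaway providers, which is the case the CAPTCHA requirement is meant to cover.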

Torvin commented on May 22, 2024

I don't get it. What's the problem with "phony users"? And what prevents me now from creating as many imgur or reddit users as I want?


sizzlemctwizzle commented on May 22, 2024

> I don't get it. What's the problem with "phony users"?

If you can create many phony users very quickly you can use them to post spam and malicious scripts faster than we can moderate and remove them (userscripts.org is a good example of this).

> And what prevents me now from creating as many imgur or reddit users as I want?

For one, I know that reddit uses a captcha at registration and limits the number of users you can create on an IP in a certain duration. We inherit all the protections our providers use to prevent registration of many phony users. OpenID would be much easier to abuse if we added it.

Is there some particular reason you want OpenID? Is the current list of authenticators not sufficient for your needs? Is this a matter of privacy?


Torvin commented on May 22, 2024

> If you can create many phony users very quickly you can use them to post spam and malicious scripts faster than we can moderate and remove them

Do new users have limits for posting?

> For one, I know that reddit uses a captcha at registration and limits the number of users you can create on an IP in a certain duration.

Use captcha for new users as well. If spammers are determined enough to spend money on solving captcha - reddit won't save you. Right?


sizzlemctwizzle commented on May 22, 2024

> Do new users have limits for posting?

Not yet. I'm not crazy about doing this since many new users just want to dump their scripts on the site. I was hoping to avoid dealing with this issue until the site is more popular. But yes, we'll probably have to do this.

> Use captcha for new users as well.

I also intend to do this once the site becomes more popular. But at this point I want to make it really easy for new users to sign up. I will probably add OpenID once we reach this point. I'm not going to promise it right now because I need to think about it more and consult the other project members.

You still didn't answer my questions:

> Is there some particular reason you want OpenID? Is the current list of authenticators not sufficient for your needs? Is this a matter of privacy?


Torvin commented on May 22, 2024

> Not yet. I'm not crazy about doing this since many new users just want to dump their scripts on the site.

See? A spammer doesn't even need those accounts you are worried about, since nothing stops a single phony user from posting thousands of malicious scripts and messages.

> You still didn't answer my questions

Sorry about that. Let me answer them now.

> Is there some particular reason you want OpenID? Is the current list of authenticators not sufficient for your needs? Is this a matter of privacy?

It's a matter of several factors. I believe decentralization is a good thing, and OpenID is perfect for decentralization. I hate the idea of being dependent on a single service, like github or reddit, for being able to log in to a completely unrelated website, like OUJO. And yes, most of my userscripts are hosted on Bitbucket, which is not an option for logging in for now.

In my opinion, this is handled best on stackexchange network sites (like stackoverflow.com). There you can log in using several services (including plain OpenID), but most importantly - you can link several login methods to a single account. This frees you from being tied to a single service and makes you stop worrying about third-party services being down.

All in all, I think you are too worried about spammers now. I understand that having the case of USO right in front of your eyes, you want to do everything possible to prevent this from happening to OUJO, but I'm not sure you should be concerned right now. The audience of OUJO is small and it is unlikely it will be targeted by spammers now. Later you could take measures according to the situation, maybe including community help (like it is done in stackexchange).

These are just my thoughts, I hope they will be somehow helpful, sorry if not :) And thank you for the work you are doing.


Martii commented on May 22, 2024

> Is the current list of authenticators not sufficient for your needs?

If this is a bug I'll open one... but I added goo to my list of authentications, reset GH back to primary, made sure I restarted my browser to remove any cookies, logged into goo, and OUJS still prompted me for GH credentials... I'm not quite entirely sure if this is how these are supposed to work or not.

As far as adding in an OUJS site captcha it might be a good idea to route all requests, save for login/logout, to a captcha dummy routine... not necessarily adding a captcha in but the possibility for it if it is needed in the future.

I'm neither here nor there on OpenID... privacy on OpenID is a lot less than it is with most other systems across the internet.


Martii commented on May 22, 2024

Is this closable now with the new UI? We refer to OpenID in the main /login page so I assume so?

Possible Reference:


sizzlemctwizzle commented on May 22, 2024

This issue is about allowing pure OpenID authentication on the site. I still haven't made up my mind (which is why I left it open). I'd like to hear what others think.


sizzlemctwizzle commented on May 22, 2024

Decided it is unnecessary.
