Team, as mentioned earlier, I plan to start looking at the OpenID in
Roller again. As you may recall, the Roller config file allows new user
accounts with "no" OpenID, "only" OpenID, or "hybrid" -- either OpenID
and/or password. I'd like to change that "and/or" to just an "or":

Right now, for the new user signup screen under hybrid we allow new
accounts to be created with *both* a username/password and an OpenID to
access that account.

What I'm proposing is, for any new user account under hybrid, that there be
one and only one authentication mechanism (username/password *or* OpenID
*or* whatever else comes up in the future). It's fully the user's
choice (there will be radio buttons to choose the one desired), but he
or she can only choose one. If someone has a theoretical need for both
a username/password *and* OpenID (I don't see why), that person would
create two accounts instead, and just allow the second account admin
rights on the blogs created by the first account. Such a change would
keep Roller in line with StackOverflow, Yahoo! Groups, and Flickr, that,
while providing an OpenID option, still have just one authentication
mechanism per account.

It sounds sweet and helpful to allow multiple ways to log into the same
account, but as you expand the number of authentication options you end
up introducing unnecessary code complexity and potential security holes
while not providing much additional utility to users. WDYT?

Regards,
Glen
- Tightening up the OpenID logic? Glen Mazza