[
https://issues.apache.org/jira/browse/JSPWIKI-94?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12676340#action_12676340
]
Andrew Jaquith commented on JSPWIKI-94:
---------------------------------------
What I meant is that when you accept "any" OpenID assertion, you don't really
know who is authenticated unless you know something about the OP. The example
you gave (rogue OP) is one example of how OpenID could fail -- there are
others, though.

My current thinking is that we should have a configurable option, probably as
JAAS configuration options, that defines what OPs we accept OpenID assertions
from. We would use SREG to obtain the information needed to create an account
in JSPWiki.

By default, the list of acceptable OPs would be a short list: Gmail, Yahoo!,
VeriSign and probably about a half-dozen others. But if the admin wanted, they
could configure the system to accept any OP. This would be the "other" OP
option you describe in step 3.

As far as registration confirmation goes -- that is a separate issue. You can
turn on workflows for confirming registrations today, for all registrations. I
think this will work the same way in 3.0 -- approvals are either on (for every
OP) or off.

> OpenID support
> --------------
>
> Key: JSPWIKI-94
> URL: https://issues.apache.org/jira/browse/JSPWIKI-94
> Project: JSPWiki
> Issue Type: New Feature
> Components: Authentication&Authorization
> Reporter: Janne Jalkanen
> Priority: Minor
> Fix For: 3.1
>
>
> Now that OpenID2.0 is launched, we should look seriously into enabling that
> as a way to manage your JSPWiki identity.
> http://openid.net/2007/12/05/openid-2_0-final-ly/
> I don't want to put any specific version on this item - it'll come when
> someone is motivated enough to make it work ;-). But it's a good idea to
> keep here so that we don't forget about it.
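
One way the configurable OP list proposed in the comment above could be enforced, as an added example that is not JSPWiki code and not part of the original message. The class name, the option names `openid.acceptedOps` and `openid.acceptAnyOp`, and the sample hosts are hypothetical, and requiring HTTPS is an assumption of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

/** Hypothetical OP allow-list check (illustration only, not JSPWiki code). */
public class OpAllowList {
    private final Set<String> acceptedHosts = new HashSet<>();
    private final boolean acceptAny;

    /** @param options key/value pairs as a JAAS LoginModule receives them; key names are assumed. */
    public OpAllowList(Map<String, ?> options) {
        acceptAny = "true".equalsIgnoreCase(String.valueOf(options.get("openid.acceptAnyOp")));
        Object list = options.get("openid.acceptedOps");
        for (String h : (list == null ? "" : list.toString()).split(",")) {
            if (!h.trim().isEmpty()) acceptedHosts.add(h.trim().toLowerCase(Locale.ROOT));
        }
    }

    /** Returns true only if the OP endpoint URL belongs to a provider the admin accepts. */
    public boolean isAccepted(String opEndpoint) {
        final URI uri;
        try {
            uri = new URI(opEndpoint);
        } catch (URISyntaxException | NullPointerException e) {
            return false; // unparsable endpoint: fail closed
        }
        String host = uri.getHost();
        // Assumption of this example: HTTPS only, and no userinfo part that could disguise the host.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || host == null || uri.getUserInfo() != null) {
            return false;
        }
        // Exact host comparison; prefix or substring matching would accept look-alike hosts.
        return acceptAny || acceptedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Map<String, String> options = new HashMap<>();
        options.put("openid.acceptedOps", "op.example.com, login.example.org"); // constructed sample
        OpAllowList ops = new OpAllowList(options);
        String[] endpoints = {                       // constructed sample endpoints
            "https://op.example.com/auth",           // accepted
            "https://op.example.com.evil.example/",  // look-alike host: rejected
            "https://op.example.com@evil.example/",  // userinfo trick: rejected
            "http://op.example.com/auth" };          // not HTTPS: rejected
        for (String e : endpoints) System.out.println(ops.isAccepted(e) + "  " + e);
    }
}
```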