Debian discusses Discourse

Posted Apr 22, 2020 13:21 UTC (Wed) by gray_-_wolf (subscriber, #131074)
In reply to: Debian discusses Discourse by NAR
Parent article: Debian discusses Discourse

> In many cases I can login using my Google account.

Yeah, which is awesome way to lose access if Google ever decides it does not
like you.

Debian discusses Discourse

Posted Apr 25, 2020 1:47 UTC (Sat) by marcH (subscriber, #57642) [Link] (6 responses)

> Yeah, which is awesome way to lose access if Google ever decides it does not like you.

This true of every account consolidation solution, any better concept?

If this comment was specifically about Google, any better OAuth / password manager recommendation? With FIDO 2FA please!

Debian discusses Discourse

Posted Apr 25, 2020 4:19 UTC (Sat) by pizza (subscriber, #46) [Link] (5 responses)

> This true of every account consolidation solution, any better concept?

Sure, run your own single-user OpenID provider on a cheap $5/mo VPS host.

Then your identity is truly *yours*, and can't be taken away from you.

(Yes, I realize this takes a little bit of money, and a little bit of work. So only folks that truly care will bother)

Debian discusses Discourse

Posted Apr 25, 2020 11:35 UTC (Sat) by rschroev (subscriber, #4164) [Link] (4 responses)

Do many sites allow logging in using custom OpenID providers? I used to have a simple personal OpenID, just a PHP script running somewhere IIRC. But IIRC there were not a lot of sites where I could use that. The Stackexchange sites supported it, but I they stopped that some time ago.

In any case I'm not entirely sure but I don't have the impression there are many sites that support you using your own OpenID.

Debian discusses Discourse

Posted Apr 25, 2020 13:19 UTC (Sat) by pizza (subscriber, #46) [Link]

> In any case I'm not entirely sure but I don't have the impression there are many sites that support you using your own OpenID.

Unfortunately, you are correct. Big sites are more than happy to act as an OpenID identity provider; after all it gives them more opportunities to collect data on you and increases lock-in with their services, but very few accept anyone else acting as a provider.

Welcome to the future, I guess.

Debian discusses Discourse

Posted Apr 26, 2020 7:22 UTC (Sun) by jezuch (subscriber, #52988) [Link] (2 responses)

Yeah, from what I can tell, the original vision of OpenID etc. morphed from "you run your identity provider (or use a trusted one) and we'll let you log in using it" to "the only two 'trusted' identity providers in the entire world are Google and Facebook". So instead of a generic button, you see two buttons: "Login with Google/Facebook".

It sucks.

Debian discusses Discourse

Posted May 4, 2020 17:54 UTC (Mon) by wookey (guest, #5501) [Link] (1 responses)

It sucks enormously. How did that happen? OpenID was great, why did it get taken away?

I'm not telling either of those entities which sites I visit so have never used the 'log in with unpleasant entity' button. But the alternative is trusting each and every site (there must be hundreds by now) to take good care of my credentials. They do of course lose them on a regular basis. Quite why I'm not allowed to manage my own identity, I don't know.

Debian discusses Discourse

Posted May 6, 2020 6:10 UTC (Wed) by jezuch (subscriber, #52988) [Link]

My suspicion is that the idea of external identity provider was alien and incomprehensible to managers who direct software teams, until Google and Facebook appeared and said "you can allow users to log in using their credentials on our sites". Then the managers thought "wow, such a great idea!" because they recognize these names and don't realize that the underlying mechanism is exactly the same regardless of the identity provider used.

To clarify, I mean the kind of managers who say that we don't have time for writing tests and refactoring. Which I think is most managers?