Remove OpenID pre-authorization support

Bug #121538 reported by James Henstridge

Affects: Canonical SSO provider
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

For phase 1 of Launchpad-SSO, we hid the pre-authorization feature in Stuart's original implementation.

This is fine for sites using checkid_setup (which most of our sites probably will), but reduces the use of checkid_immediate since such a request will always fail, passing the user to checkid_setup mode.

We should look at how to expose this feature without complicating the UI.

Tags: housekeeping
James Henstridge (jamesh) wrote:

This feature came up in conversation, so it is probably time to re-evaluate.

Certain assertions in an OpenID request will change over time, and the RP needs to have an up-to-date view of the information. The best way to handle this is by using a short session time on the RP (say half an hour), and then reauthenticate the user when the session expires.

If e.g. the wiki is reauthenticating the user every 30 minutes, the existing authorisation form will be a pain. Pre-authorizing the user for e.g. a day would limit the number of authentication forms presented to the user while keeping the RPs up to date.

One use case for this is disabling abusive user accounts. Due to the distributed nature of OpenID, this would just stop the user from logging in again -- they'd still be able to use sites for which they had an existing session. In this case, the session timeout used by the RP determines its period of exposure.
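To make the trade-off in this comment concrete, here is a small constructed model of the flow it describes (added here for illustration; it is not the Canonical SSO or Launchpad code). An RP keeps a half-hour session and, when it expires, silently re-authenticates with checkid_immediate; the OP answers `id_res` only while the user has an unexpired pre-authorization for that trust root, otherwise `setup_needed` (OpenID 2.0 response modes). The user name, trust root, the one-day pre-authorization lifetime and the scripted timeline are all assumptions of the example.

```python
"""Toy model of OpenID checkid_immediate with time-limited pre-authorization.

Constructed example; NOT the Canonical SSO / Launchpad implementation. It only
mirrors the design in the bug comment: a short RP session, silent renewal via
checkid_immediate, and an OP that asserts positively only while a
pre-authorization for the trust root is still valid.
"""
from dataclasses import dataclass, field

PREAUTH_TTL = 24 * 60 * 60   # pre-authorization lasts a day (assumed value)
RP_SESSION_TTL = 30 * 60     # RP session lasts half an hour, as in the comment


@dataclass
class OpenIDProvider:
    logged_in: set = field(default_factory=set)   # users with a live OP session
    disabled: set = field(default_factory=set)    # abusive accounts, switched off
    preauth: dict = field(default_factory=dict)   # (user, trust_root) -> expiry time

    def pre_authorize(self, user, trust_root, now):
        self.preauth[(user, trust_root)] = now + PREAUTH_TTL

    def disable_account(self, user):
        self.disabled.add(user)
        self.logged_in.discard(user)
        for key in [k for k in self.preauth if k[0] == user]:
            del self.preauth[key]

    def checkid_immediate(self, user, trust_root, now):
        """OpenID 2.0 style result: 'id_res' (positive assertion, no UI) or
        'setup_needed' (the RP must fall back to interactive checkid_setup)."""
        if user in self.disabled or user not in self.logged_in:
            return "setup_needed"
        expiry = self.preauth.get((user, trust_root))
        if expiry is None or expiry <= now:
            return "setup_needed"   # no valid pre-authorization: the form would be shown
        return "id_res"


@dataclass
class RelyingParty:
    trust_root: str
    op: OpenIDProvider
    sessions: dict = field(default_factory=dict)  # user -> RP session expiry

    def interactive_login(self, user, now):
        """Outcome of checkid_setup: the user went through the OP's authorization form."""
        self.sessions[user] = now + RP_SESSION_TTL

    def request(self, user, now):
        """Serve a request, re-authenticating silently when the RP session has expired."""
        expiry = self.sessions.get(user)
        if expiry is not None and now < expiry:
            return "served"                      # inside the RP session, OP not consulted
        mode = self.op.checkid_immediate(user, self.trust_root, now)
        if mode == "id_res":
            self.sessions[user] = now + RP_SESSION_TTL
            return "served"                      # renewed without bothering the user
        self.sessions.pop(user, None)
        return "setup_required"                  # interactive login needed


def timeline(pre_authorized=True):
    """Run a scripted day on a wiki-like RP and return (minute, outcome) pairs.
    'alice' and the trust root are constructed values for this example."""
    op = OpenIDProvider(logged_in={"alice"})
    wiki = RelyingParty("https://wiki.example/", op)
    if pre_authorized:
        op.pre_authorize("alice", wiki.trust_root, now=0)
    wiki.interactive_login("alice", now=0)
    schedule = [(0, "request"), (20, "request"), (35, "request"),
                (40, "disable"), (45, "request"), (70, "request")]
    events = []
    for minute, action in schedule:
        now = minute * 60
        if action == "disable":
            op.disable_account("alice")          # the abusive-account use case
            events.append((minute, "account_disabled"))
        else:
            events.append((minute, wiki.request("alice", now)))
    return events


if __name__ == "__main__":
    for label, flag in (("with pre-authorization", True), ("without", False)):
        print(label, timeline(flag))
```

Running `timeline(True)` shows the request at minute 35 being served by a silent renewal, while `timeline(False)` shows the same request bouncing to `setup_required`, i.e. the user seeing the authorization form every half hour. In both runs the request at minute 45, after the account was disabled at minute 40, is still served from the RP's existing session; the request at minute 70 fails, so the RP session length bounds the exposure window exactly as the comment says.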

Changed in launchpad-foundations:
importance: Undecided → Medium
status: New → Triaged
Stuart Metcalfe (stuartmetcalfe) wrote:

Do we have a list of sites actually using this feature?

Changed in canonical-identity-provider:
importance: Medium → Low
status: Triaged → Incomplete
visibility: public → private
Changed in canonical-identity-provider:
assignee: nobody → Stuart Metcalfe (stuartmetcalfe)
Stuart Metcalfe (stuartmetcalfe) wrote:

We have auto-login and recently implemented checkid_immediate support (for trusted sites only atm). The only case I know about where the old behaviour is used is shop->training and that hasn't been used for a while now, so changing this bug to remove the functionality from SSO.

summary: - Re-evaluate OpenID pre-authorization support
+ Remove OpenID pre-authorization support
Changed in canonical-identity-provider:
assignee: Stuart Metcalfe (stuartmetcalfe) → nobody
status: Incomplete → Triaged
tags: added: housekeeping
removed: openid
Robert Collins (lifeless) wrote:

Can this bug be opened? I am cleaning up the LP bug database and this showed up in my search. It doesn't seem to have anything confidential in it.

visibility: private → public