Canonical SSO provider

Remove OpenID pre-authorization support

Bug #121538 reported by James Henstridge on 2007-06-21

Affects		Status	Importance	Assigned to	Milestone
	Canonical SSO provider	Triaged	Low	Unassigned

Bug Description

For phase 1 of Launchpad-SSO, we hid the pre-authorization feature in Stuart's original implementation.

This is fine for sites using checkid_setup (which most of our sites probably will), but reduces the use of checkid_immediate since such a request will always fail, passing the user to checkid_setup mode.

We should look at how to expose this feature without complicating the UI.

Tags:

Revision history for this message

James Henstridge (jamesh) wrote on 2007-10-24:

This feature came up in conversation, so it is probably time to re-evaluate.

Certain assertions in an OpenID request will change over time, and the RP needs to have an up-to-date view of the information. The best way to handle this is by using a short session time on the RP (say half an hour), and then reauthenticate the user when the session expires.

If e.g. the wiki is reauthenticating the user every 30 minutes, the existing authorisation form will be a pain. Pre-authorizing the user for e.g. a day would limit the number of authentication forms presented to the user while keeping the RPs up to date.

One use case for this is disabling abusive user accounts. Due to the distributed nature of OpenID, this would just stop the user from logging in again -- they'd still be able to use sites for which they had an existing session. In this case, the session timeout used by the RP determines its period of exposure.

Francis J. Lacoste (flacoste) on 2008-11-05

Changed in launchpad-foundations:
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

Stuart Metcalfe (stuartmetcalfe) wrote on 2009-10-12:

Do we have a list of sites actually using this feature?

Changed in canonical-identity-provider:
importance:	Medium → Low
status:	Triaged → Incomplete
visibility:	public → private

Stuart Metcalfe (stuartmetcalfe) on 2010-02-17

Changed in canonical-identity-provider:
assignee:	nobody → Stuart Metcalfe (stuartmetcalfe)

Revision history for this message

Stuart Metcalfe (stuartmetcalfe) wrote on 2010-09-08:

We have auto-login and recently implemented checkid_immediate support (for trusted sites only atm). The only case I know about where the old behaviour is used is shop->training and that hasn't been used for a while now, so changing this bug to remove the functionality from SSO.

summary:	- Re-evaluate OpenID pre-authorization support + Remove OpenID pre-authorization support
Changed in canonical-identity-provider:
assignee:	Stuart Metcalfe (stuartmetcalfe) → nobody
status:	Incomplete → Triaged

Stuart Metcalfe (stuartmetcalfe) on 2010-10-15

tags:

added: housekeeping
removed: openid

Revision history for this message

Robert Collins (lifeless) wrote on 2011-05-30:

Can this bug be opened ? Am cleaning up LP bug database and this showed up on my search. Doesn't seem to have anything confidential in it.

Stuart Metcalfe (stuartmetcalfe) on 2011-05-30

visibility:

private → public

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.