django-openid-auth

Merge lp://staging/~joe-topjian-v/django-openid-auth/jtopjian-dev into lp://staging/~django-openid-auth/django-openid-auth/trunk

  1. jtopjian-dev
  2. Merge into trunk
Proposed by Joe T
Status: Needs review
Proposed branch: lp://staging/~joe-topjian-v/django-openid-auth/jtopjian-dev
Merge into: lp://staging/~django-openid-auth/django-openid-auth/trunk
Diff against target: 96 lines (+27/-11)
3 files modified
README.txt (+6/-0)
django_openid_auth/auth.py (+7/-0)
django_openid_auth/views.py (+14/-11)
To merge this branch: bzr merge lp://staging/~joe-topjian-v/django-openid-auth/jtopjian-dev
Reviewer Review Type Date Requested Status
django-openid-auth developers Pending
Review via email: mp+28210@code.staging.launchpad.net

Description of the change

This branch adds an option that enforces OpenID accounts to have an email address.

This has been tested with various myopenid.com accounts that choose not to include an email address in their profile.

My rationale behind this setting is that although OpenID allows for easy account creation and the ability to restrict information from being shared, I want registered accounts to at least contain an email address.

Also mixed in is my patch for Bug #517393.

To post a comment you must log in.
Revision history for this message
James Henstridge (jamesh) wrote :

Sorry for not reviewing this patch earlier. Note that email addresses are only self asserted, so unless you have some other reason to trust the provider you shouldn't treat them as validated.

I wonder if a better approach would be to ask the user for the required information if it is not provided?

Reply
Revision history for this message
Joe T (joe-topjian-v) wrote :

My opinion is that if the application I am creating is unable to trust various OpenID providers, I should not be allowing them to be used for authentication at all. If I choose to trust an OpenID provider for authentication, I should also be able to trust them as a central repository for any other information as well.

However, I understand that checking for various user attributes should not be the responsibility for django-openid-auth -- the "auth" in the name can be seen as it is for authentication only.

Reply
Revision history for this message
James Henstridge (jamesh) wrote :

There are certainly use cases for accepting user details from an OpenID provider you don't fully trust.

The only thing the OpenID protocol tells you for a given OpenID authentication handshake is that the user controls the given identity URL (this is roughly equivalent to proving that the user knows the password associated with a particular user name).

When I say that all other details are self asserted, I'm not saying that they are useless. There is a lot of self asserted information many applications would be happy to accept without verification (e.g. the user's full name). My point was that if you need verified information, then self asserted details from the OpenID handshake are as good as details entered into a form by the user. It doesn't mean the authentication is compromised.

Reply

Unmerged revisions

67. By Joe T

added email required setting

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches