What are the advantages and disadvantages of using OpenID?

Time: 2022-06-08 22:55:03

I'm currently debating whether I should use OpenID login for one of my websites. OpenID may be harder for me to implement because I already have registration and login code written, but this is just a time consideration. What advantages and disadvantages are there to using OpenID in contrast to, say, a traditional website user account system?

3 solutions

#1


Advantages

You have a single sign-on, which is actually pretty cool, in particular for people having a lot of accounts here and there.

The openid server provides basic info about the user, saving the need to write down the usual basic info every time. In this sense you save your users the hassle.

It enhances the traditional user/pass mechanism pretty well. There are many sites around providing both systems at the same time.

Moves trust of honesty from multiple parties to only one. At the moment, I don't know if any of the sites I am registered on stores my password in clear text to steal it and tries to use it on other sites assuming that I have the same password.

The technical advantage of delegation. You are not forced to use the same provider. You can switch.

Disadvantages

You still have to provide user/password to those who don't understand the new paradigm or who don't have an openid (maybe they have it, but they don't know). If it's a broad range of people you are trying to address, then you could scare them away.

Also, I would not use it for anything serious. I would not trust my bank asking me to log in with my openid, and the same goes for many e-commerce sites. It's ok for unimportant things.

The openid provider can track users' habits, as they receive all the auth requests. That's why I deployed my personal provider.

Finally, as far as I saw, many cases of openid servers move the password in cleartext, but this is my understanding and I could be wrong. I deployed my own openid provider, and I went to great lengths so that the password was transported via https, even if my openid is marked as http.

#2


The main advantage that I see, although not necessarily applicable in your case if you want to keep your existing system, is that I don't have to worry about storing passwords.

Too many people use the same password (or a small set of passwords) for everything, so if my site was compromised (and I'd hope I was sufficiently skilled to prevent that, but security is a multi-layered beast, so anything that adds extra security is good in my book) then the attacker couldn't get hold of the password.

For the user, they can now legitimately have just one password for everything. They use an OpenID Provider that they trust rather than having to trust any Tom, Dick or Harry on the internet with a website.

#3


Well, taking SO as an example, it supports both. I log in using my Google Account through OpenID, but I still need to have an account/username to link to my OpenID. I assume that you're only allowing logins through OpenID but not for your users to log in using your site as an OpenID server.

So, to clear things up: you can use a lot of your login/logout code, and you will need it, because the only difference is that you authenticate through a third party instead of your own database. In pseudo-code, imagine this:

def authenticate_from_db(username, password):
    # look the user up in your own database (fetch_user is an assumed helper:
    # it returns the stored record, or None if the username is unknown)
    user = fetch_user(username)
    # compare the stored hash with the hash of the password just supplied
    if user is not None and user.password_hash == hash_of(password):
        return True
    return False

def authenticate_from_openid(openid_identifier):
    # hand authentication to the user's provider (contact_openid_provider is an
    # assumed helper: it returns the verified identity, or None on failure)
    identity = contact_openid_provider(openid_identifier)
    if identity is not None:
        # map the identity the provider vouched for onto one of your own accounts
        login.username = map_to_local_user(identity, your_db)
        return True
    return False

So you see, it is mostly the authentication process that changes, while your own is still used as well.

The advantage is pretty clear:

  • Allowing users to log in with existing accounts through their OpenID provider.

  • Your existing users could optionally log in through their OpenID provider.

The disadvantages are (I could imagine):

  • Hostile OpenID providers (spam?) authenticating their spambots, etc.

  • Other security concerns from allowing a third party to authenticate your users.


I want to underline that supporting OpenID should not change anything for your existing users.

OpenID users still need to have an account; they're just authenticated through a third party.

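Putting both paths of the answer's pseudo-code into working form, as an added example that is not part of the answer or of any OpenID library: a relying party with a local salted-hash password store, and an OpenID path that accepts only providers it holds an association secret for (which addresses the hostile-provider concern above), accepts each of its own nonces once, verifies the provider's HMAC over the assertion, and then maps the claimed identifier onto a local account. The provider URL, association secret and in-memory stores are constructed assumptions, and sign_assertion simulates the provider's side of the exchange.

```python
import hashlib, hmac, os, secrets

# Constructed in-memory stores standing in for "your_db" (an assumption, not a real backend).
ACCOUNTS = {}        # username -> {"salt": bytes, "hash": bytes}
OPENID_LINKS = {}    # claimed identifier -> local username
ISSUED_NONCES = set()
# Association secrets shared with the providers we accept; the keys double as the allowlist.
ASSOCIATIONS = {"https://op.example.net/": b"constructed-association-secret"}

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register_local(username, password):
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _pw_hash(password, salt)}

def authenticate_from_db(username, password):
    """Path 1: compare the salted hash of the supplied password with the stored one."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        return None
    ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"])
    return username if ok else None

def new_nonce():
    """Issued by the relying party before redirecting the user to the provider."""
    nonce = secrets.token_urlsafe(16)
    ISSUED_NONCES.add(nonce)
    return nonce

def sign_assertion(op_endpoint, claimed_id, nonce):
    """What a (simulated) provider does: HMAC the assertion fields with the shared secret."""
    msg = f"{op_endpoint}|{claimed_id}|{nonce}".encode()
    return hmac.new(ASSOCIATIONS[op_endpoint], msg, hashlib.sha256).hexdigest()

def authenticate_from_openid(a):
    """Path 2: validate the provider's assertion, then map it to a local account."""
    op, cid, nonce = a.get("op_endpoint"), a.get("claimed_id", ""), a.get("nonce")
    if op not in ASSOCIATIONS:
        return None                             # unknown or hostile provider: refuse
    if nonce not in ISSUED_NONCES:
        return None                             # replayed or unsolicited response
    ISSUED_NONCES.discard(nonce)                # each nonce is accepted once
    if not hmac.compare_digest(sign_assertion(op, cid, nonce), a.get("sig", "")):
        return None                             # forged or tampered assertion
    # The provider only proves who the user is; the account itself still lives here.
    return OPENID_LINKS.get(cid)
```

An identity the provider vouches for but that is not linked to a local account returns None, which is the answer's point that OpenID users still need an account on your side.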