Authentication #38249
Labels
No Label
legacy module
Modeling
legacy project
Blender Cloud
legacy project
Documentation
legacy project
Infrastructure: blender.org
legacy project
Infrastructure: Websites
legacy project
Modeling
legacy project
Pillar
legacy project
Pillar Framework
Priority::High
Priority::Low
Priority::Normal
Status::Archived
Status::Confirmed
Status::Duplicate
Status::Needs Triage
Status::Resolved
Type::Bug
Type::Design
Type::Report
Type::To Do
No Milestone
No project
No Assignees
5 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: archive/blender-cloud#38249
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
(Not sure whether this is the appropriate way to provide feedback, but I couldn't determine a better method. Please apologize if I'm posting this in the wrong place.)
I wanted to provide some thoughts on the authentication mechanism of Blender Cloud. The Blender Cloud project page specifies a few bullet points on authentication , and seems to invite discussion. These are my thoughts on the topic. Please note that I'm approaching this from a UX perspective rather than security; I'm not a security expert, and won't pretend to be.
There are three paths suggested on the aforementioned page:
My advice is to go with the first point – rely on a third party OpenID authentication providers and become one (not or.) Additionally, I think a case should be made for supporting other big name providers such as Facebook and Twitter.
Relying on third party providers is a good thing, because it significantly reduces the sign-up friction for users of supported providers. Crucially, Google is an OpenID provider – their user base is massive and are by now comfortable with using their accounts to log in to other sites. As for the topic of Facebook and/or twitter support, the same argument applies. Their respective (and very large) user bases are comfortable with using their accounts for authentication on third party sites. There are potentially other benefits as well, such as the ability to implement social networking features, but that's a different story altogether.
As for becoming an OpenID provider I would argue that this is also a good thing. The Blender community is large; there are many different sites with different operators. Regardless, the community is fairly cohesive, in that people on one site are often members of another. Becoming an OpenID provider has to potential of unifying their identity across sites, not unlike how StackExchange operates. Maybe it's obvious, maybe it isn't, but I think that becoming an OpenID provider has far greater benefits than just authentication.
I think Mozilla Persona has many of the same benefits as OpenID. Particularly, it has support for OpenID as well so one could argue that choosing OpenID is to support just a subset of Persona. This is not entirely true, but true enough. However, Persona is new and betting on Persona means betting on technology that isn't proven yet. Mozilla is a big name, but it can't be discounted that Persona is essentially a research project. I hope it works out, because progress is necessary, but it may not be worth jumping in with both feet right now. OpenID however has proven its place and importantly, since Persona supports OpenID it doesn't preclude a later move to Persona. It essentially affords Blender Cloud to defer the decision till a later time, which is great!
Developing a custom solution is not a good idea in my opinion. It takes time and is a duplication of effort. There's little point in developing solutions for which there is an established standard, that both users and developers are familiar with. There are many OpenID supports with vested interest in its success, so Linus's law should apply. I can't see how a custom solution will mean anything but unnecessary work.
I don't necessarily know what the security implications of going the OpenID route would be, I hope others with more knowledge and experience in the field could provide insight. But from a UX perspective, I'd say OpenID is the best alternative – if not the only one at this point in time. Hope this helps!
Changed status to: 'Open'
Added subscriber: @mstade
Added subscriber: @Dorianux
Support for OpenID!
I would recommend [Flask Security ]] for Authorization and [ https:*github.com/mattupstate/flask-social | Flask-Social for Authentication.
Added subscriber: @FrancescoPaglia
Added subscriber: @SatishGoda
Changed status from 'Open' to: 'Archived'
Thanks everybody for the feedback. We are now using Flask-Security and it's the perfect solution for us at the moment.