archive
/
blender-cloud
0
1
Fork 1
Code Issues 25 Pull Requests Projects Releases Wiki Activity

Authentication #38249

New Issue
Closed
opened 2014-01-16 21:31:23 +01:00 by marcus@stade.se · 8 comments
marcus@stade.se commented 2014-01-16 21:31:23 +01:00
Copy Link

(Not sure whether this is the appropriate way to provide feedback, but I couldn't determine a better method. Please apologize if I'm posting this in the wrong place.)

I wanted to provide some thoughts on the authentication mechanism of Blender Cloud. The Blender Cloud project page specifies a few bullet points on authentication , and seems to invite discussion. These are my thoughts on the topic. Please note that I'm approaching this from a UX perspective rather than security; I'm not a security expert, and won't pretend to be.

There are three paths suggested on the aforementioned page:

My advice is to go with the first point – rely on a third party OpenID authentication providers and become one (not or.) Additionally, I think a case should be made for supporting other big name providers such as Facebook and Twitter.

Relying on third party providers is a good thing, because it significantly reduces the sign-up friction for users of supported providers. Crucially, Google is an OpenID provider – their user base is massive and are by now comfortable with using their accounts to log in to other sites. As for the topic of Facebook and/or twitter support, the same argument applies. Their respective (and very large) user bases are comfortable with using their accounts for authentication on third party sites. There are potentially other benefits as well, such as the ability to implement social networking features, but that's a different story altogether.

As for becoming an OpenID provider I would argue that this is also a good thing. The Blender community is large; there are many different sites with different operators. Regardless, the community is fairly cohesive, in that people on one site are often members of another. Becoming an OpenID provider has to potential of unifying their identity across sites, not unlike how StackExchange operates. Maybe it's obvious, maybe it isn't, but I think that becoming an OpenID provider has far greater benefits than just authentication.

I think Mozilla Persona has many of the same benefits as OpenID. Particularly, it has support for OpenID as well so one could argue that choosing OpenID is to support just a subset of Persona. This is not entirely true, but true enough. However, Persona is new and betting on Persona means betting on technology that isn't proven yet. Mozilla is a big name, but it can't be discounted that Persona is essentially a research project. I hope it works out, because progress is necessary, but it may not be worth jumping in with both feet right now. OpenID however has proven its place and importantly, since Persona supports OpenID it doesn't preclude a later move to Persona. It essentially affords Blender Cloud to defer the decision till a later time, which is great!

Developing a custom solution is not a good idea in my opinion. It takes time and is a duplication of effort. There's little point in developing solutions for which there is an established standard, that both users and developers are familiar with. There are many OpenID supports with vested interest in its success, so Linus's law should apply. I can't see how a custom solution will mean anything but unnecessary work.

I don't necessarily know what the security implications of going the OpenID route would be, I hope others with more knowledge and experience in the field could provide insight. But from a UX perspective, I'd say OpenID is the best alternative – if not the only one at this point in time. Hope this helps!

(Not sure whether this is the appropriate way to provide feedback, but I couldn't determine a better method. Please apologize if I'm posting this in the wrong place.) I wanted to provide some thoughts on the authentication mechanism of Blender Cloud. The Blender Cloud project page specifies a few [bullet points on authentication ](http://wiki.blender.org/index.php/Org:Institute/BlenderCloud#Authentication), and seems to invite discussion. These are my thoughts on the topic. Please note that I'm approaching this from a UX perspective rather than security; I'm not a security expert, and won't pretend to be. There are three paths suggested on the aforementioned page: - Rely on a 3rd party OpenID authentication provider or become a provider ourselves - [Mozilla Persona] https://developer.mozilla.org/en-US/Persona - Develop our own simple authentication system My advice is to go with the first point – rely on a third party OpenID authentication providers *and* become one (not *or*.) Additionally, I think a case should be made for supporting other big name providers such as Facebook and Twitter. Relying on third party providers is a *good* thing, because it significantly reduces the sign-up friction for users of supported providers. Crucially, Google is an OpenID provider – their user base is massive and are by now comfortable with using their accounts to log in to other sites. As for the topic of Facebook and/or twitter support, the same argument applies. Their respective (and very large) user bases are comfortable with using their accounts for authentication on third party sites. There are potentially other benefits as well, such as the ability to implement social networking features, but that's a different story altogether. As for becoming an OpenID provider I would argue that this is *also* a good thing. The Blender community is large; there are many different sites with different operators. Regardless, the community is fairly cohesive, in that people on one site are often members of another. Becoming an OpenID provider has to potential of unifying their identity across sites, not unlike how StackExchange operates. Maybe it's obvious, maybe it isn't, but I think that becoming an OpenID provider has far greater benefits than just authentication. I think Mozilla Persona has many of the same benefits as OpenID. Particularly, it has support for OpenID *as well* so one could argue that choosing OpenID is to support just a subset of Persona. This is not entirely true, but true enough. However, Persona is *new* and betting on Persona means betting on technology that isn't proven yet. Mozilla is a big name, but it can't be discounted that Persona is essentially a research project. I hope it works out, because progress is necessary, but it may not be worth jumping in with both feet right now. OpenID however has proven its place and importantly, since Persona supports OpenID it doesn't preclude a *later* move to Persona. It essentially affords Blender Cloud to defer the decision till a later time, which is great! Developing a custom solution is not a good idea in my opinion. It takes time and is a duplication of effort. There's little point in developing solutions for which there is an established standard, that both users *and* developers are familiar with. There are many OpenID supports with vested interest in its success, so [Linus's law ](http://en.wikipedia.org/wiki/Linus's_Law) should apply. I can't see how a custom solution will mean anything but unnecessary work. I don't necessarily know what the security implications of going the OpenID route would be, I hope others with more knowledge and experience in the field could provide insight. But from a UX perspective, I'd say OpenID is the best alternative – if not the *only* one at this point in time. Hope this helps!
marcus@stade.se commented 2014-01-16 21:31:23 +01:00
Author
Copy Link

Changed status to: 'Open'

Changed status to: 'Open'
marcus@stade.se commented 2014-01-16 21:31:23 +01:00
Author
Copy Link

Added subscriber: @mstade

Added subscriber: @mstade
Dorianux commented 2014-01-17 14:11:40 +01:00 (Migrated from localhost:3001)
Owner
Copy Link

Added subscriber: @Dorianux

Added subscriber: @Dorianux
Dorianux commented 2014-01-17 14:11:40 +01:00 (Migrated from localhost:3001)
Owner
Copy Link

Support for OpenID!

I would recommend [Flask Security ]] for Authorization and [ https:*github.com/mattupstate/flask-social | Flask-Social for Authentication.

**Support for OpenID!** I would recommend [Flask Security ]] for Authorization and [[ https:*github.com/mattupstate/flask-social | Flask-Social ](http:*pythonhosted.org/Flask-Security/) for Authentication.
Francesco Paglia commented 2014-01-19 17:44:19 +01:00
Copy Link

Added subscriber: @FrancescoPaglia

Added subscriber: @FrancescoPaglia
Satish Goda commented 2014-02-24 18:36:43 +01:00
Copy Link

Added subscriber: @SatishGoda

Added subscriber: @SatishGoda
Francesco Siddi commented 2014-03-17 20:04:00 +01:00
Copy Link

Changed status from 'Open' to: 'Archived'

Changed status from 'Open' to: 'Archived'
Francesco Siddi self-assigned this 2014-03-17 20:04:00 +01:00
Francesco Siddi commented 2014-03-17 20:04:00 +01:00
Copy Link

Thanks everybody for the feedback. We are now using Flask-Security and it's the perfect solution for us at the moment.

Thanks everybody for the feedback. We are now using Flask-Security and it's the perfect solution for us at the moment.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
production
cryptography-rust-fix
welcome-2020-update
flamencoResumeArchiving
wip-production-videos
wip-redesign
wip-front-end
wip-open-project-landing
wip-readme-tweaks
last-outside-docker
first-py36
last-py27
Labels
Clear labels   
legacy module
Modeling

  
legacy project
Blender Cloud

  
legacy project
Documentation

  
legacy project
Infrastructure: blender.org

  
legacy project
Infrastructure: Websites

  
legacy project
Modeling

  
legacy project
Pillar

  
legacy project
Pillar Framework

  
Priority::High

   
Priority::Low

   
Priority::Normal

   
Status::Archived

   
Status::Confirmed

   
Status::Duplicate

   
Status::Needs Triage

   
Status::Resolved

   
Type::Bug

   
Type::Design

   
Type::Report

   
Type::To Do
No Label
legacy module
Modeling
legacy project
Blender Cloud
legacy project
Documentation
legacy project
Infrastructure: blender.org
legacy project
Infrastructure: Websites
legacy project
Modeling
legacy project
Pillar
legacy project
Pillar Framework
Priority::High
Priority::Low
Priority::Normal
Status::Archived
Status::Confirmed
Status::Duplicate
Status::Needs Triage
Status::Resolved
Type::Bug
Type::Design
Type::Report
Type::To Do
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
Francesco Siddi
5 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: archive/blender-cloud#38249
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?