integrate with Mozilla Persona #756
Comments
|
+1 from @msenateatplos on #1264. |
|
BTW @whit537 the title for this ticket is misspelled. Personas should be singular. |
|
Quoting myself from #583:
|
|
I think I would agree with this. Persona seems to be a neat oAuth. Once you've signed up you could get re-directed to a page where you can fill in the other oAuth services for further verification of yourself. |
|
@daxter Fixed the title, thanksorry. I'm open to this but seems like refactoring accounts elsewhere comes first. |
|
Actually, it seems like this would replace our accounts elsewhere code, potentially? Or seriously affect it, yes? |
|
It depends on whether we make Persona the only way to authenticate, and thus making OAuth for Twitter, etc. only for proving that you own a given account. I haven't looked at the current accounts code in detail; was there a specific refactoring you were thinking of in your first comment? |
|
@daxter Does Persona give us an API to determine what OAuth accounts a person has linked to their Persona? Yes. @lyndsysimon started working on this on a fork eight months ago, and two months ago I brought that work into a branch on the main repo here. I neglected to kick off a PR at that time; I've done so now: #1369. |
|
First two useful links to find more information on Persona: the wiki and the blog. So, Mozilla created a cryptographic protocol for asserting the ownership of an email address. This is based around Identity Providers (IdPs), which are nominally the organizations that host that given email domain. When a domain doesn't have an IdP set up, Persona defaults to sending an email to the user to confirm ownership. Currently though a good chunk of email users get the easiest UI flow of 2-3 mouse clicks because both Google and Yahoo have set up their own IdPs. Two good links to learn more are the official BrowserID spec and the mid-level protocol overview. More links: TL;DR, @whit537: Persona does nothing more than prove ownership of an email address, so to prove ownership of Twitter, GitHub etc. accounts we'd still have to use OAuth. |
|
@daxter Okay, that's significantly less useful than I'd hoped, then. |
|
How about this then: what are your goals? I've already expressed mine. |
|
For example: how do you feel about switching the roles so that Persona is used for auth and OAuth is used to show who you are on other services? |
|
Just to chime in here... Using only Persona would be tantamount to vendor lock-in. Something I believe is a bad thing. Also, it forces people (who might, for some reason, not like it) to use Persona. As an alternative, we can push Persona as the preferred method of authentication (if we're convinced its useful) and still allow others like Github, Bitbucket, etc. Just emphasize them less. From what I can tell, Persona is only interesting in verifying that someone has registered on the Persona site with a certain email. However, Gittip's reasons for using Github, Bitbucket and Twitter are to prove, publicly, that someone's Gittip account is for the same person behind that Github, etc account they like so much. So connecting the Github etc accounts would still be necessary in my view. |
|
Persona was built specifically to prevent vendor lock-in. Anyone can run an IdP; it's all open source. The whole point of using Persona is it allows you to authenticate a user, and know they own that email address, without requiring that they actually enter a password. I'm not suggesting that we get rid of OAuth for services like GitHub and Twitter, merely that we don't use them for authentication. We'd still use them to prove that a given user owns a given external account, just like we do today. And just to clarify, I'm not necessarily against continuing to allow authentication via those services; I just think that allowing it makes the user experience unnecessarily complex. But then again, I'm reminded of #583. Since we deal with financial transactions we really need an email address to get ahold of our users with. Not all OAuth providers give us access to the user's email (Twitter, for example), so it'd be easier if our authentication scheme inherently and always grabbed the user's email address. |
|
Ok, then we're saying the same thing I guess. Just as long as we keep in mind that Persona validates email ownership, so it authorizes a user for a service, it doesn't provide identity confirmation. |
|
If Gittip goes to Persona exclusively, that'll be the last you see of me. (Not that it'll be a big loss yet.) As is, it has two deal-breaking flaws (that I tried to report on gmane.comp.mozilla.identity.devel but which got swallowed by a mess-up on my part and I'm still waiting for a response from GMane on the topic since Thunderbird doesn't appear to have a "Sent Messages" box for NNTP):
|
|
@ssokolow We have preliminary work that allows Persona to function in environments without popups (iOS Chrome, Windows Phone, etc.) that could potentially be re-purposed to address your first concern. There are limitations to what we can do when As to working well with many addresses, please contact me privately (my username at mozilla.com) so we can make sure we've got a record of what does and doesn't work well for you. Persona should remember your preferred email address for each individual site, but maybe we could do that better? |
|
Interestingly, once a verified email is provided by persona, it seems like the user search api can be used to associate it with the github user name. Dunno how well verified the public email address of a user is on github, but it could be something to explore as a way to ask the user only for an email, and link to github as a magic side-effect. |
|
What benefits would that have over the current system? I know I'm a bit of a broken record on the issue, but the only change I see is the downside that I'd probably give Gittip a unique alias and then run up against "We couldn't find your GitHub account" while the OAuth approach is just "click two buttons and the accounts are paired." |
|
It provides UX flow that 99% of people would appreciate. If there is a fallback to the OAuth approach on github it seems fine to me. |
|
I understand that. I just don't understand whether it provides any benefit over using the "click two buttons and you're done" interaction for an OAuth provider like GitHub which allows e-mail scraping. |
|
hmm. does bit bucket have a search by email function? would "tip by email" be interesting? just thinking out loud - I dig merit based crowd funding. |
|
hmmm I wouldn't appreciate automatic linking of my third party accounts to my gittip account.. I like being in control myself. If I want to link my GitHub but not my BitBucket, for whatever reason, Gittip should respect that and not auto-link it. And to be honest, I don't see the added value of yet another "single point of authentication"... |
|
This may not be the right place to have this discussion, sorry for the noise!
Persona is just trying to take the password out of traditional "email + password" login systems. If Gittip is happy with only offering provider-specific OAuth login options, then Persona doesn't add a ton of value. If Gittip is considering a traditional / freeform / user-driven login option ("email + password"), then Persona should be a great fit. It lets people use any email address they want, and Gittip never needs to touch a password again. |
Thanks for the clarification, @callahad. This helps me a lot. We're not planning to provide email-only login in the near future, because social accounts are central to our anti-fraud systems (more discussion on #89). So I'm going to go ahead and close this ticket. If email-only sign-ups on Gittip ever pick up enough momentum, let's revisit Persona. |
|
And to clarify @callahad, Gittip doesn't currently deal with any passwords. Right now, the only way to log in is via external services like GitHub or Twitter. |
|
@daxter Right. We're not planning to allow people to authenticate via email, only via Twitter, GitHub, Bitbucket, Facebook, and Google. (Maybe Yahoo or Microsoft someday?) |
|
Oh? That's the first I've heard that. What exactly is the reason? Quite a few people in #89 argue that auth via email is insecure, but the current scheme is considerably less so as it only takes one external account (each of which nominally require a password, and thus are vulnerable to attack) in order to compromise to your Gittip account. As well, we're relying on each external service's implementation of OAuth. That's a large surface area for attack. This problem only gets worse if we start supporting more services. Instead of e.g. implementing dual-factor authentication via Yubikeys as has been suggested before, we could just use Persona and let the individual user decide how much security they want. For example, by using Google's dual-factor auth. |
This is false. An email-based Gittip account would have the email account as a single point of failure, so it is not "considerably" more secure in this regard than a social-based Gittip account.
The plan is to only permit certain OAuth implementations to be usable for authentication, namely the big ones: Twitter, Facebook, Google (I feel okay about GitHub. I feel iff-y about Bitbucket). We'll allow many, many more OAuth providers to be usable to connect an account to a Gittip account even if it's not usable for authentication to Gittip. Down the road perhaps we can use multiple social accounts in multi-factor auth (along with SMS). The bottom line here is anti-fraud. With social-based Gittip accounts we have a whole new set of fraud signals to work with that simply don't exist with email-based accounts. The two matters are entangled for us, and our current strategy "ain't broke," as they say. |
Oh? Persona may offers significant user experience improvements for this case. Similar to AirBNB, you could allow people to authenticate with an email address to avoid NASCAR-esque login screens, and then give that user the ability to hang multiple social authorizations off of that account. It avoids the "I have all of these accounts, which should I pick?" and "Which did I pick last time?" problems, as well as sidestepping counter-intuitive processes like signing in with GitHub in order to accept tips on a Bitbucket account. Anywho, y'all have enough on your plate to where I won't belabor the point. If Gittip decides to explore Persona, the team is standing by to help. Otherwise, see you at PyCon in April? :) |
The argument here is single point of failure vs large surface area for attack. It seems to me that the large surface area is a much higher risk. After all, it only takes one weak password for an external service (or a badly implemented auth scheme by that service) in order for your Gittip account to be compromised. I don't know about you, but I have more secure authentication set up for my email than I do for everyday social services. At any rate, thanks for taking the time to talk with us @callahad 🐙 |
|
Social accounts hang of the email anyway. When ones email is compromised, the social accounts can easily follow but not the other way around. Therefore adding email sign in IMHO does not increase the risk. We could allow email sign in but allow credits and withdrawals only after attaching some social account (thus not using any social account for sign in). Having the ability to decrease the number of ways one can sign it would also help lower the risks. |
|
We're reopening this as a new auth method, more details coming from the contributor soon. |
|
|
I've assigned this two stars. |
|
"Why we love Mozilla Persona. And why you should, too." |
|
http://benjamin.smedbergs.us/blog/2014-02-11/dont-use-mozilla-persona-to-secure-high-value-data/
|
|
But ...
|
|
The comments on that blog post, and on Hacker News, are worth a read.
|
|
So that would be #638. |
|
Persona doesn't look like a very good fit for Gratipay, because we already have email addresses for most of our users, but we haven't verified them yet. Persona is designed to verify the email address of a user at sign-up, I doubt that we can do a bulk verification of email addresses we already have, so it's probably going to be simpler for us to implement the traditional email+password authentication. Closing, feel free to reopen if you disagree. |
Per @buchuki
The text was updated successfully, but these errors were encountered: