What is the future of OpenID, OpenID2, Open Connect? Is it worth implementing a provider?


Problem description

I see OpenID logins available everywhere, and decided that I should look into implementing my own provider on my server so I can control my information and my login.

This is, surprisingly, quite complicated and difficult.

Even though many sites allow OpenID logins (such as this one), I am discovering the following issues:

  1. Many simple "roll-your-own" single identity OpenID Provider solutions are now vaporware.
  2. There have been pretty severe ongoing security issues with OpenID: http://en.wikipedia.org/wiki/OpenID#Security
  3. Many OpenID Providers seem to have disappeared (MyOpenID.com, getopenid.com, etc.)
  4. The protocol seems to be constantly changing with previous versions dropped (perhaps due to security issues?)

As an example, this solution on SO from Aug'13 about using Google Plus/Profiles as a delegate now gets an error from Google saying that OpenID 2.0 support is being removed from Google by this April and replaced with OpenID Connect:

Delegate OpenID to Google (NOT Google Apps)

Does anyone even offer a simple OpenID Connect single identity provider? Looking at OpenID's list of OpenID provider software doesn't mention any OpenID Connect solutions at all, not to mention that the page hasn't been updated in 4 years!

http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server

Looking through all this information, it makes me really happy I shelved my plan a couple years ago to implement OpenID 2.0 on my server, since that looks like it's becoming obsolete already, and I can't figure out an easy way to just prove my identity. It's surprising that I can't just do a single package install and edit a config file and go. Most of the simpler implementations involve installing and using PHP, which has its own security issues that need to be learned about.

So - anyone who is an expert on OpenID and where it is going who can give me some advice on how to just set up my own identity provider or if it's worth the difficulty? I'd love to have control over my information and distribution of my email address as well as have a permanent identity, but if the standard is going to keep changing then it's not really permanent.

Solution

OpenID 2.0 is deprecated, and just today the OpenID Foundation approved an OpenID 2.0 to OpenID Connect Migration Guide.

I'm not an expert on OpenID, but it's important to be aware that OpenID Connect is fundamentally different from older versions. In particular, it runs on top of OAuth, so the Relying Party must obtain OAuth credentials from the Service Provider.

There is a spec that allows the RP to automatically obtain these OAuth Credentials (called Dynamic Client Registration), but the spec is marked as "optional", it is not widely supported in client libraries, and I severely doubt we'll be seeing many applications implementing Dynamic Client Registration.

The movement to OpenID Connect takes the power away from both users and from application developers (not to mention the smaller identity providers) and gives it all to the large, name-brand service providers. So unfortunately, it looks like the idea of setting up your own personal OpenID Provider is not going to be future proof.
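
An added example, not part of the original answer: a sketch of both sides of the Dynamic Client Registration step the answer mentions. The RP checks the provider's discovery metadata for `registration_endpoint` (absent when the provider does not implement the optional spec), and the provider validates the request before issuing OAuth credentials. The `example` hosts, the discovery documents and the https-only redirect policy are assumptions of this example.

```python
import json
import secrets
from urllib.parse import urlsplit

# Constructed discovery documents (shape of /.well-known/openid-configuration).
# The "example" hosts are placeholders, not real providers.
PERSONAL_OP = {"issuer": "https://id.example.org",
               "authorization_endpoint": "https://id.example.org/authorize",
               "registration_endpoint": "https://id.example.org/register"}
BIG_OP = {"issuer": "https://login.bigprovider.example",
          "authorization_endpoint": "https://login.bigprovider.example/authorize"}

def build_registration_request(discovery, redirect_uris):
    """RP side: return (endpoint, JSON body), or None when the provider does not
    advertise dynamic registration and credentials must be obtained by hand."""
    endpoint = discovery.get("registration_endpoint")
    if endpoint is None:
        return None
    return endpoint, json.dumps({"redirect_uris": redirect_uris,
                                 "application_type": "web",
                                 "response_types": ["code"]})

def valid_redirect_uri(uri):
    """Provider side. This example's policy (an assumption): https only, no fragment."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.hostname) and not parts.fragment

def handle_registration(body, clients):
    """Provider side: validate the request, store the client, return (status, response)."""
    try:
        req = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid_client_metadata"}
    uris = req.get("redirect_uris") if isinstance(req, dict) else None
    if not isinstance(uris, list) or not uris or not all(
            isinstance(u, str) and valid_redirect_uri(u) for u in uris):
        return 400, {"error": "invalid_redirect_uri"}
    client_id = secrets.token_urlsafe(16)
    record = {"client_id": client_id,
              "client_secret": secrets.token_urlsafe(32),
              "redirect_uris": uris}
    # Later authorization requests must match one of these URIs exactly.
    clients[client_id] = record
    return 201, record
```
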
