[wp-hackers] Re: GSoC 2008 Proposal: Core OpenID Support

Ronald Heft ron at cavemonkey50.com
Mon Mar 24 18:41:09 GMT 2008

I'm a little confused by your explanation of how my implementation of OpenID
could allow for spoof-able comments, but don't worry about re-explaining as
I'm forgoing that implementation.

I completely agree with you about requiring registration for OpenID
comments. I have been testing existing OpenID plugins this morning, and
every single one of them links OpenID comments to registration. There is no
reason why an OpenID comment needs an account. This is certainly one area
where a new plugin could improve.

Regarding adding the server code for each user, again, I completely agree.
Users should have the option of allowing WordPress to be their OpenID
server, or point their account to an existing OpenID delegate.

Regarding a separate field, yet again, I'm right there with you. Using the
existing URI field is a bad interface. A separate field that switches place
with the anonymous fields using a JavaScript toggle would be the best method
for using OpenID.

So, I'm now thinking a better plugin may be the best way to go about OpenID
support. As you mentioned earlier, Otto, the current set of OpenID plugins,
while robust, are not widely adopted. Perhaps a different
plugin implementation may spark more OpenID adoption among WordPress users.
If that occurs, core inclusion could be looked at later down the road.

If I should go about developing another OpenID plugin, here is how it would
differ from existing plugins:

1. Allow for anonymous OpenID commenting without registration
2. Provide a separate field for anonymous OpenID comments, and don't utilize
the URI field like existing plugins do
3. Include an OpenID server for all registered WordPress users.
4. Provide an option for a user to delegate a third party OpenID provider
instead of using the built in server

Looking through current OpenID plugins, no plugin to date allows anonymous
OpenID commenting and there is no implementation of an OpenID server outside
of WordPress MU. These two areas would strongly benefit from an alternative

In addition, working on a plugin instead of core support would
most definitely allow me to provide support for using WordPress as an OpenID
server. A plugin would give me the whole summer to add support and work out
the bugs, while core support would limit me to mid-summer for core

What's everyone's opinion on developing an alternative plugin instead of
core support? Are there any features you feel are missing / should be
developed differently in current plugin implementations of OpenID?

On Mon, Mar 24, 2008 at 10:30 AM, Otto <otto at ottodestruct.com> wrote:

> No, I got what you said all the way around, and your idea. I really
> did understand you the first time.
>
> The problem with it is that if you add OpenID without adding it to
> commenting as well, then it's practically useless for some large
> number of the userbase. Furthermore, if you allow OpenID logins, but
> then don't check those OpenIDs on comments, then you could be said to
> be intentionally making comments spoofable. Logged in users don't get
> asked for their name/url info normally, but non-logged in users would
> be able to use the exact same information.
>
> I'm not opposed to OpenID commenting. I'm opposed to mandatory
> registration for commenting. I'm opposed to *requiring* OpenID for
> commenting, even. I think that OpenID in all currently implemented
> forms (all the plugins) buggers that up completely.
>
> Here's an alternative that maybe you have not considered:
>
> 1. Allow OpenID for logging in/registration. This is simply an
> alternative to providing a password to login, basically. No problems
> here. Note that they still must provide a username and password when
> they register! You have to have such because of the next bit.
>
> 2. While you're at it, add OpenID server code. Let each user get their
> own local OpenID by virtue of being a user. The profile pages can be
> their url, or the author pages, or something along those lines.
>
> 3. The important bit: Allow OpenID for commenting, but allow it
> without also requiring registration. That is, if somebody uses an
> OpenID to comment, then allow it, but don't create a user account for
> them and don't save any credentials or trust information or anything
> like that. Basically, you'll have two separate options: a) Allow
> OpenID comments, b) Only allow registered users to comment (this
> option already exists).
>
> Furthermore, make OpenID a *SEPARATE FIELD*. If I don't want to use my
> OpenID, but do want to use my blog URL, then I should be able to do
> so. Integrating the URL field with OpenID is annoying when I put in my
> URL and then it detects my OpenID and I get a "do you want to trust
> this site" message from my OpenID server. No, I don't want to trust
> the site, and I didn't want to use OpenID either! Annoying, that is.
>
> The best interface would likely be some kind of a JavaScript to let me
> select either the normal 3 field thing or select the OpenID 1 field
> and 2 extra steps thing. Maybe a "Use OpenID" link with the little
> OpenID icon. Whatever, should be able to be themed differently of
> course.
>
> -Otto

Ronald Heft, Jr.
Information Sciences and Technology
Pennsylvania State University

9rules Network
