[TYPO3-core] RFC: Feature #10585: Enable BE-User to change their OpenID

Dmitry Dulepov dmitry at typo3.org
Tue Mar 3 09:41:15 CET 2009


Hi!

Steffen Gebert wrote:
> Okay - but what is more secure:
> * get the OpenID from the user via E-Mail
> * let the authenticated user set his OpenID
> ;)

It is not relevant :) I can tell anyone what my OpenID is. This will not decrease security in any way because I will still have to enter the password :)

The idea was that the admin has control over what IDs are used. For example, if you are in a company, you can set up a private OpenID server. Then you can require your employees to log in to any produced web sites only using OpenID. If someone quits, you just disable his OpenID on your server and he can't log in anymore. It is that simple.

If users are allowed to change their OpenIDs, it is not possible to prevent them from changing IDs to something external. It can be harmful.

> Or - what's the difference between a password and an OpenID?
> It's also possible to change the password without entering current one - so 
> for me setup is insecure by design :)

With OpenID you enter the password on another site (at OpenID provider's site).

> Should we have a new config option (user/user-group based) to enable/disable 
> user to change OpenID? 

Yes, this could be a solution. I would favor "disabled" by default.

> I'm open for any suggestions (esp. about extensibility of setup).
> Should we move to dev-list?

Yes, I think so.

-- 
Dmitry Dulepov
TYPO3 core team
http://dmitry-dulepov.com/
"Sometimes they go bad. No one knows why" (Cameron, TSCC, "Dungeons&Dragons")
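The policy discussed in this thread (a per-user/per-group option to allow self-service OpenID changes, disabled by default, plus the admin keeping control over which OpenID providers are acceptable) modelled as an added example. This is not TYPO3 code and not code from either poster; it is written in Python rather than PHP purely to show the decision logic, and the field names `may_change_openid`, the `Group`/`User` classes, and the sample hosts are assumptions. It goes slightly beyond the thread by adding a provider allow-list check alongside the permission flag, so that an enabled user still cannot point their account at an external provider.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Policy default from the thread: users may NOT change their own OpenID unless
# an admin enables it for them or for one of their groups.
DEFAULT_MAY_CHANGE_OPENID = False


@dataclass
class Group:
    name: str
    # Assumed flag name (not a TYPO3 field): None means "not set on this group".
    may_change_openid: Optional[bool] = None


@dataclass
class User:
    username: str
    openid: str = ""
    groups: list = field(default_factory=list)
    may_change_openid: Optional[bool] = None  # per-user override, assumed name


def may_change_openid(user: User) -> bool:
    """Resolve the user/user-group option.

    Precedence: an explicit per-user value wins; otherwise any group that
    explicitly grants the right does; otherwise the global default (deny).
    """
    if user.may_change_openid is not None:
        return user.may_change_openid
    if any(g.may_change_openid for g in user.groups):
        return True
    return DEFAULT_MAY_CHANGE_OPENID


def openid_host(openid: str) -> str:
    """Return the lower-cased host of a URL-form OpenID identifier ('' if none).

    The identifier is parsed as a URL rather than compared as a string prefix,
    so only the real host component feeds the allow-list decision.
    """
    candidate = openid if "://" in openid else "https://" + openid
    try:
        return (urlsplit(candidate).hostname or "").lower()
    except ValueError:
        return ""


def change_openid(user: User, new_openid: str, allowed_hosts: frozenset) -> tuple:
    """Apply a self-service OpenID change under the admin's policy.

    Returns (changed, reason). The identifier is only stored when the user is
    allowed to change it AND its host is one the admin runs or trusts, which
    keeps the "disable the ID on our server and the user is locked out" property.
    """
    if not may_change_openid(user):
        return False, "self-service OpenID change is disabled for this user"
    host = openid_host(new_openid)
    if not host:
        return False, "identifier has no usable host"
    if host not in allowed_hosts:
        return False, f"provider {host!r} is not in the allowed list"
    user.openid = new_openid
    return True, "ok"


# Constructed sample data (fictitious group and hosts).
COMPANY_OPENID_HOSTS = frozenset({"id.corp.example"})
STAFF = Group("staff", may_change_openid=True)


def demo() -> dict:
    """Run the four cases a reviewer would want to see and return the outcomes."""
    plain = User("alice")                # no flag anywhere -> default deny
    staff = User("bob", groups=[STAFF])  # group grants the right
    return {
        "alice_internal": change_openid(plain, "https://id.corp.example/alice", COMPANY_OPENID_HOSTS),
        "bob_internal":   change_openid(staff, "https://id.corp.example/bob", COMPANY_OPENID_HOSTS),
        "bob_external":   change_openid(staff, "https://openid.example.net/bob", COMPANY_OPENID_HOSTS),
        "bob_lookalike":  change_openid(staff, "https://id.corp.example.evil.test/bob", COMPANY_OPENID_HOSTS),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} -> {'changed' if ok else 'refused'}: {why}")
```

Only `bob_internal` results in a stored identifier; the default-deny resolution refuses Alice outright, and the host allow-list refuses both the genuinely external provider and the host that merely begins with the company's name.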

