Issue #3782

wtf is the point of openID if you make me sign up for a user/pass anyway?

Anonymous created an issue

No description provided.

Comments (5)

  1. Nicolas Venegas

    At the moment, a password is required for some operations on the site:

    • deleting a repository
    • stripping changesets from a mercurial repository
    • renaming your account
    • deleting your account

    That is why we provide you with a password during the OpenID sign-up process.

  2. jdlh

    I agree, BitBucket's use of OpenID doesn't make sense. It's contrary to my experience with other sites which accept OpenID.

    First, it's odd that BitBucket asks for a user ID after authenticating with an OpenID URI. The OpenID URI is supposed to serve the role of a user ID.

    Second, while I understand BitBucket's procedures require some extra authentication for some operations, having OpenID users enter is unusual. Perhaps there is a way under the OpenID protocol to re-authenticate before doing such operations.

    Asking for the combination of a user ID and a password, right after authenticating an OpenID identity, is what reasonably raises the reaction, "WTF?"

    And come to think of it, why should entering a password be the way BitBucket confirms that a user really wants to perform some serious operations? Are you really worried that someone would break into an account without knowing a password, but then would be stopped by another demand for a password? Many other systems simply use a confirmation dialog ("Are you sure? This cannot be undone. [OK] [Cancel]") for such situations.

    And if BitBucket asks for a password because it doesn't trust OpenID authentication, then you are IMHO better off not accepting OpenID authentication at all, rather than gluing a password on top of it.
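The thread contrasts two ways of protecting the destructive operations Nicolas lists (repository deletion, changeset stripping, account rename and deletion): a site-issued password, or, as jdlh suggests, re-authenticating with the user's own OpenID provider before the operation. The following is an added illustration, not Bitbucket's code, of a "step-up" gate that treats both as interchangeable ways to refresh the session's last-verified timestamp, and that keeps the "Are you sure?" confirmation as a separate intent check rather than a substitute for verification. The operation names, the five-minute window, the `Session` fields and the fixed clock are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Operations that Nicolas's comment says currently require a password.
# Names are constructed for this example.
SENSITIVE_OPERATIONS = frozenset({
    "delete_repository",
    "strip_changesets",
    "rename_account",
    "delete_account",
})

# Assumption for this example: a sensitive operation is allowed only if the
# user's identity was freshly verified within this window, by any method.
STEP_UP_WINDOW = timedelta(minutes=5)


@dataclass
class Session:
    user_id: str
    auth_method: str            # "password" or "openid" (labels chosen here)
    last_verified_at: datetime  # when the identity was last freshly verified


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def needs_step_up(op: str, session: Session, now: datetime) -> bool:
    """True when op is sensitive and the session's verification is stale."""
    if op not in SENSITIVE_OPERATIONS:
        return False
    return now - session.last_verified_at > STEP_UP_WINDOW


def authorize(op: str, session: Session, now: datetime,
              confirmed: bool = False) -> Decision:
    """Gate one request. Routine operations pass. Sensitive ones need both an
    explicit confirmation (the dialog jdlh mentions, which establishes intent)
    and a fresh verification (which establishes that whoever is driving the
    session still controls the credential). The two checks are independent."""
    if op not in SENSITIVE_OPERATIONS:
        return Decision(True, "routine operation")
    if not confirmed:
        return Decision(False, "confirmation required")
    if needs_step_up(op, session, now):
        age = now - session.last_verified_at
        return Decision(False,
                        f"re-authenticate via {session.auth_method}; "
                        f"last verified {age} ago")
    return Decision(True, "confirmed and recently verified")


def record_reauth(session: Session, now: datetime,
                  method: Optional[str] = None) -> Session:
    """Called once the user completes a fresh verification: a password prompt,
    or for OpenID users another round trip to their OpenID provider. Either
    refreshes the timestamp, so the site needs no second credential type."""
    session.last_verified_at = now
    if method is not None:
        session.auth_method = method
    return session


def run_scenario() -> List[Decision]:
    """Walk an OpenID user through the flow; returns the decisions in order."""
    now = datetime(2010, 1, 1, 12, 0, 0)  # constructed fixed clock
    session = Session("alice", "openid", now - timedelta(minutes=30))
    decisions = [
        authorize("push", session, now),                               # routine
        authorize("delete_repository", session, now),                  # no confirm
        authorize("delete_repository", session, now, confirmed=True),  # stale
    ]
    record_reauth(session, now)  # user re-verified with their OpenID provider
    decisions.append(authorize("delete_repository", session, now, confirmed=True))
    return decisions


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The point of the design is that the gate asks "how recently was this identity verified?" rather than "does the user know a site-specific password?", so an OpenID-only account can satisfy it without ever being issued a password.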

