Does Propane support OpenID?

Propane and OpenID

Prior to December 2009, Campfire only permitted access via a username (an email address) and a password. In December 2009, 37signals introduced OpenID logins to Campfire as part of a larger effort to unify logins across all of their products.

Unfortunately, Propane does not support OpenID for logging in and I have no immediate plans to support it. A full explanation of the issues can be found at the end of this article.

All is not lost though

It turns out that your 37signals ID maintains both a username/password and your OpenID - see http://twitter.com/37signals/status/7050443510

If you remember the username and password you originally used to create your 37signals ID (before you told it your OpenID URL), that's the username and password you give to Propane.

If you don't remember the username and password then the steps to reset it to known values are a bit involved: you have to temporarily switch to username/password authentication in order to change your password.

Here's what I did:

  1. In a web browser, go to "My Info" in your Campfire.
  2. From "My Info", visit "Edit your personal information"
  3. Underneath the the field for your OpenID URL (take a note of the URL for later) is a "use normal username" link. Click that.
  4. The username field should already be filled in. If not, choose a username.
  5. Choose a new password - you now know the username and password you're going to give to Propane.
  6. Save your changes.
  7. Go to "Edit your personal information" again and click the "use OpenID" link.
  8. if required, fill in your original OpenID.
  9. Save your changes.

Why doesn't Propane support OpenID?

The mechanics of OpenID assume that the user agent (that is, your web browser) is involved in the entire OpenID exchange. The grossly oversimplified version of events is:

  • Campfire redirects to your OpenID provider.
  • Your OpenID provider asks you to login (if you haven't already done so already) and then redirects you back to Campfire with a confirmation that you've been authenticated.

This is great because you only have to remember one username and password.

However, it also concentrates a huge amount of risk onto that single username and password you give to your OpenID provider.

If someone got hold of it, they'd be able to access any of the sites which trust that OpenID provider. Knowing that, I'll bet you would be pretty unhappy if a random stranger was looking over your shoulder and watching your keystrokes while you logged-in to your OpenID provider's web site.

Don't ever forget though: every time you login to your OpenID provider there is a random stranger looking over your shoulder - the browser window you're typing that username and password into. Thankfully we can generally trust Safari and Firefox to be benign and not do anything evil with the passwords we type into them every day.

So, bearing in mind that the mechanics of OpenID demand that the user agent be involved in the entire OpenID exchange, if Propane were to support OpenID you would have to tell Propane the username and password for your OpenID provider.

Even if you're personally okay with that, I'm not interested in being the random stranger watching over your shoulder as you type in the password that unlocks your entire online identity.

Upcoming changes

Propane version 2 (under development) will switch from being a site-specific-browser to being a Campfire API Client.

This means that Propane will authenticate using your Campfire API key rather than your username and password - eliminating the whole OpenID issue.