OpenID authentication

[webtech]

OpenId authentication would be very usefull in roundcube.
Is it in your roadmap ?

[webtech]

Up

[webtech]

Re-up.

Any answers ??

[attachmentgenie]

OpenId authentication would be very usefull in roundcube.

Not really, openid as such doesnt provide email. So unless email servers start accepting openid, this is most likely not on the cards. (i am not a Rc dev though)

[saxsux]

I think being able to login to roundcube with OpenID would be a fantastic idea!
As long as roundcube already has your server login details stored, and OpenID was only used for authenticating yourself, what attachmentgenie doesn't matter.

[evilbunny]

I think being able to login to roundcube with OpenID would be a fantastic idea!
As long as roundcube already has your server login details stored, and OpenID was only used for authenticating yourself, what attachmentgenie doesn't matter.

I don't consider that OpenID was really designed for this kind of secure authentication, in fact I treat it with about the same amount of respect/caution as an alternative to a web captcha.

[bpat1434]

The problem with openID is that it's meant to group many different logins together. So if I use 3 different email addresses to log in to multiple sites, which email would RoundCube know to use? And also, I don't think the API really sends the email address, I think it just sends the userID (haven't looked into it in a while).

Not saying it's a bad idea; however, I personally feel that openID is less-secure than using your email and password. Why? Because with the email the user needs to know both pieces of information. With openID a user can get your info from one website that is a forum or blog, and then go into your email account via RoundCube (or some other webmail service) and send emails as you. Is that something you'd really want? Plus, if you change your password on the IMAP server, it doesn't change it with OpenID which is a problem since now you're bypassing the IMAP login function and you'd have to change your password with roundcube (which currently doesn't store passwords because it's a security risk).

[nja]

@bpat1434

Sniffing the users openid url does not give access to roundcube mails. One still needs a password.

And your other objection seems to concern only a very small user group. I think the very most users have only one emailaccount in one roundcube instance. The users with more accounts could still decide which of the accounts they want to link to an openid account.

Roundcube without ssl is less secure than for example roundcube + openid (for example via phpMyID).

So, imho making openID optional with a plugin would be a great feature.