Cake
    • Are you planning to add alternate means of validating logins such as Google, Facebook or open auth id? I am planning on publishing an article on a website and would like to direct the comments to a thread I will create in Cake for the article. Just curious if there are other means other than registering through Cake to comment inside Cake.

    • We don't currently have plans to do this.

      When websites offer multiple ways to log in, users sometimes forget which service they used to log in previously, which can end up being really frustrating. This happens to me all the time and I hate it. 😖

      Supporting Google, Facebook, or Twitter logins would also require sharing significant amounts of user data with Google, Facebook, and Twitter, which isn't something we want to do.

    • No problem. Makes sense! Just curious about your thoughts on open auth id. Not saying you should do it, but is this a possible workaround where it is only a universal verification without a request for data? Maybe I am not understanding the tech fully.

    • Just curious about your thoughts on open auth id. Not saying you should do it, but is this a possible workaround where it is only a universal verification without a request for data?

      OpenID is an authentication protocol, but it's not an actual service itself. In other words, it's a standardized way for websites to communicate with each other about authenticating users.

      So if you have a user account on Google and would like to log into Cake, Cake could use the OpenID protocol to ask Google if you own the account you say you own.

      In this scenario, Google would be acting as an OpenID identity provider (because your login information is stored and authenticated by Google) and Cake would be acting as an OpenID relying party, because Cake would rely on Google to authenticate you and say whether or not you should be allowed to log in.

      This still has the drawbacks I mentioned in my previous post, though. Users sometimes forget what service they used as an identity provider, or sometimes they close an account on one service without realizing that this will cause them to lose access to other services that relied on that account as an identity provider. And the identity provider still gets information about all the third party services the user uses, when they log into those services, etc.

      Allowing generic OpenID support also creates a potential security issue. While Google and other large OpenID providers have pretty good security track records, literally anyone can run an OpenID identity provider, and there's no guarantee that their security or account management practices are trustworthy. If a sketchy OpenID identity provider has a security vulnerability or gets hacked, that could compromise the Cake accounts of any user who logged in via that provider. We definitely wouldn't want that. 😬
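
The identity provider / relying party split and the provider-trust concern discussed in the reply above, as an added example that is not part of the original thread and is not Cake's code. It assumes the provider's assertion has already been signature-verified; the names `TRUSTED_ISSUERS`, `Assertion`, `resolve_account` and all sample values are hypothetical.

```python
# Added example: relying-party checks for federated login (hypothetical names).
from dataclasses import dataclass

# Assumption: only identity providers the site has vetted are listed here.
TRUSTED_ISSUERS = {"https://accounts.google.com"}


class LoginRejected(Exception):
    """Raised when the relying party refuses an assertion."""


@dataclass(frozen=True)
class Assertion:
    """Claims from an identity provider, assumed already signature-verified."""
    issuer: str   # which identity provider vouches for the user
    subject: str  # that provider's stable ID for the user
    email: str    # informational only; never used to find the account


def resolve_account(assertion, bindings):
    """Return the local account bound to (issuer, subject), or raise."""
    # Exact match against the allowlist: an arbitrary provider is not trusted.
    if assertion.issuer not in TRUSTED_ISSUERS:
        raise LoginRejected(f"untrusted identity provider: {assertion.issuer}")
    # Key on the (issuer, subject) pair, so one provider cannot vouch for
    # an identity that was linked through a different provider.
    key = (assertion.issuer, assertion.subject)
    if key not in bindings:
        raise LoginRejected("no local account linked to this identity")
    return bindings[key]


# Constructed sample data: one local account linked to one provider identity.
BINDINGS = {("https://accounts.google.com", "1082"): "local-user-17"}


def demo():
    samples = [
        Assertion("https://accounts.google.com", "1082", "ann@example.com"),
        Assertion("https://idp.example.net", "1082", "ann@example.com"),
        Assertion("https://accounts.google.com", "9999", "ann@example.com"),
    ]
    results = []
    for a in samples:
        try:
            results.append(resolve_account(a, BINDINGS))
        except LoginRejected as exc:
            results.append(f"rejected: {exc}")
    return results
```

The second sample carries the same subject and email as the first but comes from a provider outside the allowlist, so it is refused before any account lookup happens.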
