Loomio
Thu 22 Aug 2013

Login with Mozilla Persona

RJ
Raphaël Jadot Public Seen by 166

Hi,

this is my first contribution to this workgroup, so excuse me if I start it wrongly :)

https://login.persona.org/about and http://www.mozilla.org/en-US/persona/

Mozilla Persona is imho the SSO to support, which has a chance to succeed as a standard and decentralized open SSO where, in a way, OpenId failed.

Instead of connecting with gmail, yahoo, facebook, whatever, you simply connect with your email address.

As said the main developer: "Persona is an easy way to sign in that enables you to use your existing email account. It's an open technology on the path to standardization."

RJ

Raphaël Jadot Thu 22 Aug 2013

I'd like to make a proposal, which is more a question: would you like implementation of Persona in Loomio? but not considering the development part (I may try to help there), I'd like to know if someone needs more explanation about how Persona works, what it would imply to use it etc. :)

MPR

Miguel Prados Rodriguez Fri 23 Aug 2013

Easy and intuitive, I tried it myself and I will use it for new sites developments, thanks for the info.

RDB

Richard D. Bartlett Mon 26 Aug 2013

Yeah Persona looks great, and ethically it is squeaky-clean! SSO can be such a messy issue because you have a whole complex marketplace to worry about, and so many of the actors are ethically dubious. It would be nice if Loomio could support Persona and contribute a little to it's popularity.

BK

Benjamin Knight Tue 27 Aug 2013

I'd love to see Loomio support Persona!

RJ

Raphaël Jadot Tue 27 Aug 2013

@benjaminknightloom @richarddbartlett @miguelpradosrodrig do you think this would deserve a proposal, not for a decision by itself - how could I decide something :p - but mainly for seeing if people are sensible or not to the idea of this integration (an indicator of interest)?

CT

Chris Taklis Tue 27 Aug 2013

i agree with persona.

RF

Richard Fortune Tue 27 Aug 2013

Definitely! Please do give it your support!

MPR

Miguel Prados Rodriguez Tue 27 Aug 2013

It definitively worth a proposal

MB

Matthew Bartlett Tue 27 Aug 2013

What proportion of visitors are likely to have a Persona account?

RDB

Richard D. Bartlett Wed 28 Aug 2013

Single Sign-on (SSO) tries to solve the 'too many accounts' problem, but unfortunately it has introduced a new problem: too many SSO's! As a user, how am I supposed to recall if I used Facebook or Google or a site-specific account to log in to a particular service?

@matthewbartlett if we were just looking at popularity we'd roll out Facebook, Google, and Twitter etc before Persona, but in my opinion that would be a negative contribution to the ecosystem.

Of all the SSO solutions I know about, Persona is the only one I feel that is likely to make the ecosystem a better place over time.

FYI I came to this conclusion after scanning the docs, which I recommend if you're interested.

MB

Matthew Bartlett Wed 28 Aug 2013

The plan (and baldamiq mockups) as I understood it is to start with Google, then add Facebook soon after. Though the plan may have evolved; Loomio's a dynamic place.

RG

Rob Guthrie Wed 28 Aug 2013

@raphaeljadot! Great to hear you supporting Persona. I personally really want to get it implemented. We've been working on SSO for Loomio, starting with Google Accounts support, once that is in there will be an obvious template for developers to follow when they want to implement another sign on service.

So in a few weeks it'll be pretty straight forward to implement Persona. I love the principals of Persona and really want to see Loomio embrace it too.

Thanks again.

MPR

Miguel Prados Rodriguez Wed 28 Aug 2013

You only need to put persona in or persona & facebook. If you have gmail, most probably it will be your email account linked to persona, so there is no need to put in gmail login. I found amazing not to have to remember passwords with persona, I think its a winner.

BK

Benjamin Knight Wed 28 Aug 2013

Hi @raphaeljadot , great to see you in here! It would be totally appropriate for you to put up a proposal on this if you'd like :)

The Loomio Community group isn't a decision-making forum, but it's a good place for anyone to raise things that they'd like to discuss.

Proposing something like "do people think it would be a good idea to support Persona?" could work very well

BK

Benjamin Knight Wed 28 Aug 2013

@matthewbartlett , I think it's a really important point to consider - realistically, a tiny proportion of our users would have pre-existing Persona accounts, and only a small proportion would be likely to set up Persona accounts as a result of stumbling across it via Loomio - but this would still be a good thing.

I'd personally be in favour of implementing SSO with Google, FB, and Persona (possibly in that order) to give people the option, then in the ideal situation that Persona starts to become more and more common, could promote it as a preferred option in some way.

RJ

Raphaël Jadot started a proposal Wed 28 Aug 2013

Log in with Persona? Closed Sat 31 Aug 2013

Outcome
by Raphaël Jadot Mon 27 Feb 2017

Persona is an interesting SSO that could be taken in account, both for practical and ethical reasons (see discussions)

Would you like the possibility to log in loomio with Persona?

http://www.mozilla.org/en-US/persona/

For people who do not have a Persona account:

It's not a question about the implementation of Persona before, after or over Google account or Facebook account, but mainly about supporting a saner single sign on system (simple, universal, non centralized, letting users control their data, open-source)

Results
Agree - 12
Abstain - 12
Disagree - 12
Block - 12
12 people have voted (1%)
RJ

Raphaël Jadot
Agree
Wed 28 Aug 2013

In my opinion, loomio team should support this :) for letting users breaking their digital jails :)

Other advantage, it's well documented, and even if i did not implemented it myself, some colleagues dev told me it's easy to implement.

CT

Chris Taklis
Agree
Wed 28 Aug 2013

JVD

Jaco van der Merwe
Agree
Wed 28 Aug 2013

introduces a degree of SSO & superficial multi-platform integration

DG

Dazza Greenwood Wed 28 Aug 2013

The value of enabling login with externally issued/managed federated credentials is very high. There's a lot more practical value in going after "SSO with Google, FB, and Persona (possibly in that order)" than just supporting Persona alone, partly because there are larger architectural and policy dimensions at play. In my experience, it is useful to start identity/SSO initiatives to have a working general agreement on the priority intended goals to guide the work... eg: "increase user adoption" or "ease of use" or "provide simple integration point with other discussion apps/services using federated identity" etc. Bottom line: any SSO is better than no SSO for Loomio, and so I hope something results from this discussion.

RDB

Richard D. Bartlett
Agree
Wed 28 Aug 2013

I love Persona :)

BK

Benjamin Knight
Agree
Wed 28 Aug 2013

I'd love to see us support Persona alongside other SSO options

ST

Sean Tilley Wed 28 Aug 2013

It's not too hard to integrate Mozilla Persona with Devise. I have an example app demonstrating how to use the Devise-BrowserID-Authenticatable gem, if you folks are really interested in integrating Mozilla's single-sign-on solution.

ST

Sean Tilley
Agree
Wed 28 Aug 2013

Mozilla Persona is awesome, and I'd love to see more platforms supporting it. :)

RDB

Richard D. Bartlett Wed 28 Aug 2013

Hey @jessedoud check out the links in Sean's comment here :)

JV

Joshua Vial
Agree
Thu 29 Aug 2013

JL

Jon Lemmon
Agree
Thu 29 Aug 2013

JD

Jesse Doud
Agree
Thu 29 Aug 2013

DS

Danyl Strype Fri 30 Aug 2013

I have been keen to support Persona, but the only way I can currently do that is to encourage the online services I use to adopt it. If I could login to Loomio with Persona, I could get into a habit of using it regularly, and make a stronger case for CoActivate and permaculture.org.nz to support it too. If that happened, more people could get into the habit of using it regularly, and the positive influence could spread.

An increasing number of people who are making an ethical decision not to use FaceBook or Google, just as people might choose to Boycott McDonalds, or eggs laid in battery cages. I think it would make a strong ethical statement for Loomio to support Persona (and perhaps OpenID) first. It would make an even stronger ethical statement to not support people logging in with FB or Google credentials at all.

DS

Danyl Strype
Agree
Fri 30 Aug 2013

I think this is an obvious first choice for Loomio supporting SSO. OpenID second choice. Currently popular corporate-owned social media empires third, if at all.

JD

Josef Davies-Coates
Agree
Fri 30 Aug 2013

VM

vivien maidaborn Fri 30 Aug 2013

@strypey love the clarity of your call for not using google Facebook sign ins to send a message about our ethics and it seems we will reach easy agreement on Persona.
I am keen to see volume of people using Loomio though. We need 20,000 users to even break even so right now my focus is much more on making Loomio really easy to get to and this will involve starting where people are at I suspect.

VM

vivien maidaborn
Agree
Fri 30 Aug 2013

Persona our starting point for lots of good reasons

DS

Danyl Strype Sun 1 Sep 2013

Thanks Vivien, I understand the need to meet people where they are. Even the Pirate Party has a FaceBook page, and GoogleGroups atm ;)

This is why I suggest supporting an open standards like Person first, as an ethical statement, then rolling out FB/ G+ as a pragmatic statement (maybe a couple of weeks later to give people time to try out Persona).

If @robertguthrie is right that the code that's being developed to support G+ can be easily extended to support other SSOs, this needn't slow you down too much.

RJ

Raphaël Jadot Mon 2 Sep 2013

@benjaminknightloom and anyone whou could be interested, here is for your information a link to a related discussion in dev-identity (ml of Mozilla Persona)

Two quotes that may interest:

Sean MA:

If anyone needs help implementing, we're always here."

Andrew C:

100% and in fact, I'm always in Wellington (which I just found out in a
totally unrelated way that you're also here).

I may be popping into Enspiral for a beer o'clock in the next few weeks but ping me if you'd like me to come into town if you need any help or just fancy a chat before that.

RJ

Raphaël Jadot Sat 7 Sep 2013

Here is a copy of a reply sent by Dan Callahan in the identity/persona discussion about loomio..

I don't know if it's still possible to add comments to the discussion, but a few notes based on concerns that were raised:

  • "What proportion of visitors are likely to have a Persona account?"

All Gmail and Yahoo users effectively have an account today. That's over 700 million active addresses, or likely 60-80% of users on most English-language websites.

More importantly: People don't need an account beforehand. Persona is simply a nice, federated implementation of "Sign in with your email." If you have an email address, Persona will work for you today. In the worst case, it falls back to acting just like a traditional login system (verification email, etc), so the base case is identical.

  • "We've been working on SSO for Loomio, starting with Google Accounts support"

I'd humbly suggest that Loomio explore Persona first, as it acts as a superset of Google login, with additional privacy-preserving features. More info.

RJ

Raphaël Jadot started a proposal Sat 7 Sep 2013

Implement Persona before Google/Yahoo login Closed Tue 10 Sep 2013

For the reason given in a comment on the left (email from Dan Callahan), people having a google or yahoo account already have a persona account. (And for people not having a google or yahoo account, creating a new one is straightforward)

Compared to the login with google/facebook/yahoo, it has the advantage of preserving privacy, so I suggest implementation of persona first, as the userbase is already huge and the privacy-preserving feature is a clear advantage.

Results
Agree - 13
Abstain - 13
Disagree - 13
Block - 13
17 people have voted (1%)
RJ

Raphaël Jadot started a proposal Sat 7 Sep 2013

Implement Persona before Google/Yahoo login Closed Tue 10 Sep 2013

For the reason given in a comment on the left (email from Dan Callahan), people having a google or yahoo account already have a persona account. (And for people not having a google or yahoo account, creating a new one is straightforward)

Compared to the login with google/facebook/yahoo, it has the advantage of preserving privacy, so I suggest implementation of persona first, as the userbase is already huge and the privacy-preserving feature is a clear advantage.

Results
Agree - 13
Abstain - 13
Disagree - 13
Block - 13
17 people have voted (1%)
CT

Chris Taklis
Abstain
Sat 7 Sep 2013

CT

Chris Taklis
Abstain
Sat 7 Sep 2013

RJ

Raphaël Jadot
Agree
Sat 7 Sep 2013

RJ

Raphaël Jadot
Agree
Sat 7 Sep 2013

O

OpenLifeChallenge
Agree
Sat 7 Sep 2013

Definitely go for implementation of privacy-preserving login before any other, also good to help other open-source projects.

O

OpenLifeChallenge
Agree
Sat 7 Sep 2013

Definitely go for implementation of privacy-preserving login before any other, also good to help other open-source projects.

JV

Joshua Vial
Abstain
Sat 7 Sep 2013

JV

Joshua Vial
Abstain
Sat 7 Sep 2013

ST

Sean Tilley
Agree
Sat 7 Sep 2013

ST

Sean Tilley
Agree
Sat 7 Sep 2013

RG

Rob Guthrie
Agree
Sat 7 Sep 2013

I really do like persona.

RG

Rob Guthrie
Agree
Sat 7 Sep 2013

I really do like persona.

RJ

Raphaël Jadot Sun 8 Sep 2013

I'd really like to insist on what has been said in my previous comment: there are in fact more people "ith a persona account than a google account :)

CT

Chris Taklis Sun 8 Sep 2013

@raphaeljadot you don't know that. i mean that more people have persona account than a google account.

i think the best it to have a multiple option to login with what everyone has. It can be google, yahoo, hotmail, facebook, persona, openid, etc.

It is more equal to all than to say to other before you login you must have account to persona or to google only.

RJ

Raphaël Jadot Sun 8 Sep 2013

@christaklis it's simply because every one who has a google account has a persona account (explained in a previous comment) or in this link in addition to yahoo accounts (yahoo + google + other persona account > only google :)

RJ

Raphaël Jadot Sun 8 Sep 2013

@christaklis in fact, a persona account is not an account by itself (it's not openid, for example). It's only related to your email address, which means by only having an email address you have a "persona account". The advantage is that if you are already connected with yahoo or google, you don't have to enter a different password thanks to identity bridge

CT

Chris Taklis Sun 8 Sep 2013

Look @raphaeljadot ... i didn't know what was Persona and i of course haven't account. Now i know because of this discussion and i have made an account.

In Greece, very few people know about persona or openid. The most people want to register or login with their google/hotmail/yahoo/facebook account. and mostly of facebook account.

That general means that loomio "must" have as much options can for login. Look in some countries there have more knowledge of computers and some not. That mean that Loomio or general each tool must be as easy for everyone. That is my opinion.

RJ

Raphaël Jadot Sun 8 Sep 2013

@christaklis I totally understand what you mean In fact you consider persona as an account by itself. It's not. It's a login system. To make it simple You have a gmail account? It's a persona account. You have a yahoo account, it's a persona account.

About "facebook' it's another problem, because it's not related to an email address, unless you use a "@facebook.com" address. In this case, contrary to gmail and yahoo, a facebook account is not a persona account, still to make it simple (but the email address you used for creating your facebook account is a persona account)

It's why I made the proposal of implementing Persona "before" google and yahoo.

CT

Chris Taklis Sun 8 Sep 2013

i read that to create persona account you have to choose what email address you want. that i did it to login in persona.

but how it is different. i still can't understand it.

you mean that all email adresses like google, yahoo and other is made by persona?

RJ

Raphaël Jadot Sun 8 Sep 2013

@christaklis have to run just now, but i'll come back with something i hope will be clear explanations :p

CT

Chris Taklis Sun 8 Sep 2013

ok i am waiting...

CT

Chris Taklis
Agree
Sun 8 Sep 2013

CT

Chris Taklis
Agree
Sun 8 Sep 2013

RF

Richard Fortune
Agree
Mon 9 Sep 2013

Definitely the way to go. Open and not feeding into any of "malicious" existing services! :)

RF

Richard Fortune
Agree
Mon 9 Sep 2013

Definitely the way to go. Open and not feeding into any of "malicious" existing services! :)

RDB

Richard D. Bartlett
Abstain
Mon 9 Sep 2013

I am not too worried about the order we deploy them in, so long as we have maximum coverage

RDB

Richard D. Bartlett
Abstain
Mon 9 Sep 2013

I am not too worried about the order we deploy them in, so long as we have maximum coverage

MPR

Miguel Prados Rodriguez
Agree
Mon 9 Sep 2013

Simpler

MPR

Miguel Prados Rodriguez
Agree
Mon 9 Sep 2013

Simpler

NM

Neil Morris
Agree
Mon 9 Sep 2013

NM

Neil Morris
Agree
Mon 9 Sep 2013

T

thomas
Agree
Mon 9 Sep 2013

T

thomas
Agree
Mon 9 Sep 2013

CD

Charlie DeTar Mon 9 Sep 2013

I strongly support signin with persona. I've been following its development closely, and implemented it as the only sign in option for a collection of decision making tools I built (intertwinkles). A few caveats to be aware of:

  • Persona might require a little more redesign than just dropping in facebook connect etc. Its API is very javascript-native and ajaxy; to use it properly would require loading scripts on every page.
  • A fair number of users are confused about the privacy implications of persona. In my work with InterTwinkles, many users interpreted it as the opposite of what it is -- they thought it was an SSO that would reduce their privacy and collect more info about them.
  • Implementing more than one sign-in option can result in user confusion. I recommend choosing a minimum set -- loomio-specific login and persona is a good minimum, especially because persona bridges to other major services like Google and Yahoo.
CD

Charlie DeTar
Agree
Mon 9 Sep 2013

Persona is our best hope for a reasonable SSO.

CD

Charlie DeTar
Agree
Mon 9 Sep 2013

Persona is our best hope for a reasonable SSO.

MI

mix irving
Abstain
Mon 9 Sep 2013

I'm leaning towards yes but trust the group on this

MI

mix irving
Abstain
Mon 9 Sep 2013

I'm leaning towards yes but trust the group on this

DC

Dan Callahan
Agree
Mon 9 Sep 2013

Loomio and Mozilla's values are closely aligned, and Persona feels like a strong fit, both philosophically and pragmatically. The core Persona team is ready and available to assist Loomio with any issues that arise.

DC

Dan Callahan
Agree
Mon 9 Sep 2013

Loomio and Mozilla's values are closely aligned, and Persona feels like a strong fit, both philosophically and pragmatically. The core Persona team is ready and available to assist Loomio with any issues that arise.

DC

Dan Callahan Mon 9 Sep 2013

Chris is raising some important points to consider when implementing Persona. Namely, very few people will click on a button that says "Sign in with Persona," because people don't know what Persona is.

The simple fix? Label the button "Sign in with your email," since that's what Persona is. The "Persona" part is just an implementation detail for developers. :)

RDB

Richard D. Bartlett Mon 9 Sep 2013

@dancallahan what about putting, say, the Google and Yahoo logos on the button too?

BK

Benjamin Knight Tue 10 Sep 2013

Welcome to the community @dancallahan! Great to have your first-hand experience in here :)

There's really strong alignment between the values driving Persona and the motivations of Loomio, so I love the idea of working together.

I think there are real benefits in implementing Persona as an initial SSO for Loomio. The only potential downside I can see is that things might not be quite as accessible as having stock standard 'sign in with FB' 'sign in with gmail' buttons, but I'm sure we can design our way around things to maximise clarity and accessibility

BK

Benjamin Knight
Agree
Tue 10 Sep 2013

keen!

BK

Benjamin Knight
Agree
Tue 10 Sep 2013

keen!

AI

Alanna Irving
Abstain
Tue 10 Sep 2013

Sounds good. I defer to the knowledgeable people in this discussion.

AI

Alanna Irving
Abstain
Tue 10 Sep 2013

Sounds good. I defer to the knowledgeable people in this discussion.

AT

Aaron Thornton
Agree
Tue 10 Sep 2013

AT

Aaron Thornton
Agree
Tue 10 Sep 2013

RJ

Raphaël Jadot Tue 10 Sep 2013

@dancallahan thank you for joining and helping me in explaining with simple words :)
@christaklis dan is the man for better technical explanations :)
@richarddbartlett I think it could be a good idea to make a button such as sign with your email or yahoo or gmail :)

RJ

Raphaël Jadot Thu 10 Oct 2013

It's working now Woohoo!

MB

Matthew Bartlett Thu 10 Oct 2013

@robertguthrie I notice on my iPhone 3GS, using SSO Google, that it now asks me to sign in every time; and it doesn't go to the page I requested before sign-in (inbox).

RG

Rob Guthrie Thu 10 Oct 2013

Thanks Matthew.

DS

Danyl Strype Sat 12 Oct 2013

Great to see Persona on the Loomio front page! Who would I have to buy a sandwich for to make it the first of the three (before FB and Goog)?

DS

Danyl Strype Tue 15 Oct 2013

Also, if there were some experts who helped you with Persona integration, could someone from the Loomio crew put me in touch with them? We'd like to do the same thing for permaculture.org.nz.

MB

Matthew Bartlett Tue 15 Oct 2013

@robertguthrie's the expert!

RG

Rob Guthrie Tue 15 Oct 2013

@strypey At first I built our own stuff to connect to Persona, down to http requests, following mozilla developer guides, then I dropped it all in favour of OmniAuth.

The nice thing we did was create an identity model (User has many Identities) so that users can authorise against many services and link each one to their user account.

DS

Danyl Strype Wed 16 Oct 2013

Thanks to @matthewbartlett for the tip, and @robertguthrie (I see the resemblance now!) for the explanation. Being a power user rather than a coder, I have a rough idea what you're describing, but it would be good to get a more detailed explanation. What I need to understand is to what degree what you've done can cross over to a Drupal site.