This is pretty cool, I might try it one day if I build a site that needs login.
But this is a lot different than Persona, right? Portier is passwordless login via email (with special handling for Gmail), whereas Persona is another of those "Log in via" buttons (simply speaking)?
I'd see it a bit differently, even if in practice you are right, at least from the moment Persona added an account system. But Persona also had the core idea that you get authenticated by proving that you control the email address entered, see https://developer.mozilla.org/en-US/Persona/FAQ#How_does_Per.... On top of that there was the browserid API.
Portier is passwordless login via email, with optional special handling right now only for Gmail, yes.
However, ideally you would not "Login with Portier", you would simply "Login". There is no need to mention the infrastructure used (and in our current modules, we simply generate a plain Login-Form without any branding).
You also do not have to click on the link, you can enter the code which is in the email. Useful when mixing clients.
And finally, when using an email provider with special support (currently: Gmail), you don't click on the email and also don't get one. You just log in via Google Sign-In and then get redirected to the site you are trying to log in to. I hope we can support more providers (and custom domains) soon. Not having to go into the emails is pretty nice.
Yep, though hopefully we'll be able to avoid reinventing wheels and instead re-use something like WebFinger / WebFist and... something... from OpenID Connect. My immediate concern between now and the end of the Persona shutdown is getting the Gmail + fallback loop stable, audited, and easy to deploy. After that it should be trivial to integrate a federated, email-driven discovery protocol. Just haven't had time to give that proper consideration, yet.
Exactly! And you can run one instance for all your projects, regardless of language, instead of having to set up Django-All-Auth for one and Ruby OmniAuth for another. Plus, if we can succeed at the federated discovery protocol part, users gain the ability to host their own authentication endpoint that Portier will automatically delegate to.
No. They work pretty much the same, except Portier is stateless, and Persona needed you to create an account before use, which was unnecessary. Persona also had special handling for Gmail. Portier will probably add more "special handling" cases in the near future.
Persona only required you to create an account if your email provider didn't support it (or your custom domain didn't delegate it) or they didn't have special handling for your email provider. There was a bunch of confusion about this early on because a lot of potential early adopters were generally geeks like us who have our own email domains and didn't automatically fall into the special handling (Persona supported Gmail and Yahoo, which remain the two largest email domains).
Technically, you always created an account when you used Persona. Sometimes with a password, sometimes without. Sometimes old passwords would come back to haunt you if your domain added and then removed support for BrowserID. Sometimes you would accidentally set up two accounts, because you added a new address to the Persona UI in the wrong order. Sometimes addresses would mysteriously bounce between Persona accounts, because we updated the address/account association on each use. Sometimes you needed a password and sometimes you didn't for the same address, because we supported un-decentralizing Persona on a per-website basis.
...the account story in Persona was way more complicated than it should have been, mainly stemming from the notion that per-login email confirmation loops were too onerous to be viable, and from the idea that users wouldn't succeed with Persona unless it remembered and displayed all of their email addresses in a consistent, persisted account chooser.
If you're a fan of the idea behind Persona, it looks like there's a spiritual successor from some Mozilla veterans called Portier, which can be self-hosted (and is written in Rust, if that's your thing :P ). Recent announcement and HN discussion here: https://news.ycombinator.com/item?id=12837669
Persona was many things to many people -- arguably too many -- everyone from the old core team has a different idea of what features defined Persona. :) For me, it was the developer experience: trivial setup, email in/authentication out workflow, and no secrets to store in a database. Portier focuses narrowly on making that facet work well. Browser integration, identity aggregation, and privacy from users' own email providers are all non-goals for Portier: https://github.com/portier/portier.github.io/blob/master/Non...
That said, I'd love to ask what you found compelling about Persona's promise of browser integration. The privacy aspects? User experience? The finality of a standard successor to HTTP Basic / Digest authentication? Something else entirely?
Same here. Mozilla giving up on this is really disappointing to me. When I first heard about it, I was really excited about how it provided more privacy than OAuth/OpenID, but the impression I got from reading the Mozilla documentation/blogs was that the JavaScript client and Mozilla-operated servers were a temporary stop-gap to facilitate faster development, but sacrificed some of the benefits that the final end-goal would provide. Given that, I spent the time reading the whitepaper and playing with the API to give me a head start, but delayed integrating it into production websites, because I thought that they were saying it wasn't production ready yet. Then they canceled the project because not enough people were using it.
I think this is one of a few areas where a browser or extension developer can create something that will force every other browser vendor to adapt, sooner or later.
Last time I feel that happened was with tabs, so IMO this should be a high-value target even if nobody seems to be interested ATM.
A decentralized way to authenticate users securely and privately would be an exceptional addition to the open internet.
Unfortunately in this case the financial incentive favors those building "information silos" where the purpose is information collection for profit.
I wonder if SMTP would ever see the light of the day with the current mindset as opposed to a "Facebook Messenger"-like multitude of services, much like what happened with the IM fragmentation.
"Why is persona.org being shut down?
Our metrics show that usage of persona.org is low, and has not grown over the last two years.
Hosting a service at the level of security and availability required for an authentication system is no small undertaking, and Mozilla can no longer justify dedicating limited resources to this project. We will do everything we can to shut it down in a graceful and responsible manner."
I find this a bit confusing because citing low usage and lack of growth is something I'd expect to hear from a for-profit corporation, not a well funded non-profit. Have they shared information on how expensive it is to maintain Persona? I'm also unaware of any pledge drives to get funding for it.
I found it confusing that they expected growth over the last 2 years when in 2014 they functionally announced they were going to abandon it, transitioning it to "community ownership".
They have the right to set their level of involvement or investment, and it is only polite to peg that level of involvement to whether any significant number of people are using the thing. It doesn't mean they were obligated to try to actively market persona while also planning to shut it down, that would make even less sense.
Just because they aren't running it for profit doesn't mean they don't have a bottom line. The additional effort to run a pledge drive is probably not worth the administrative overhead.
Persona had grown into a gigantic, unmaintainable, big ball of mud. If I recall correctly, the ongoing operational expenses were in the very low 5-figures annually, but it was bitrotting, we weren't able to transition Persona to community ownership, and we couldn't convince Mozilla to reinvest. Which is fine -- I think Persona tried to do too much, and came with too much legacy baggage -- but it left us in a place where shutting it down was the most responsible course of action. Unmaintained critical infrastructure is bad news.
I'll be presenting a keynote on this topic at linux.conf.au in January, which should hopefully add some nuance around it.
> Unmaintained critical infrastructure is bad news.
(article author here)
To add to @callahad's excellent points: unmaintained critical infrastructure on your security perimeter is even worse, and a service like Persona is about as security-critical as you can get!
Persona was (and will remain until the end of November) covered by Mozilla's bug bounty program, meaning that it has been getting regular security bugs filed against it. Most have been spurious, some have not, but each of them has been a fire-drill because Persona gates access to so many of Mozilla's internal services.
We have been able to respond effectively so far, because there's a core of ex-Persona developers kicking around other projects at Mozilla, who we've been able to pull back in for these critical maintenance tasks. But that's not sustainable indefinitely.
The only responsible choices for a security-sensitive service like this are (a) staff it properly, or (b) tear it down gracefully. I'm personally quite disappointed that we couldn't find a path to success for Persona at Mozilla, but I'm grateful we've at least found the resources to do (b).
Identity services are literally the thing that allows Mozilla to drive a more open and transparent web, whilst maintaining user privacy and ensuring that no corporate interests dominate such a critical aspect of the Internet.
So now we must rely on Google, Facebook or other mega corporation for identity services and let them hold our critical, private personal information that they can exploit for commercial and other unknown ways.
Mozilla seems to wonder why people don't seem to understand its mission and purpose any more. Perhaps that's because - despite what it's achieved in the past - as an organisation they no longer seem to want to tackle truly important but difficult issues like identity management.
Was it ever made open source? I tried installing it a few years ago, and IIRC one of my complaints was that I could not self-host it. Am I remembering correctly?
All components of Persona were fully open source from the beginning, but we unintentionally built a few intractable points of centralization into the system that made it impossible to meaningfully self-host without native protocol support in browsers. Put another way, our decentralization story didn't fully account for the possibility of Mozilla decommissioning Persona's fallback servers.
Such a shame. Persona was a hugely exciting project. It always disappointed me that Mozilla never fully implemented the vision of Persona integration in the browser, and it puzzles me that Mozilla seem surprised that Persona didn't get much adoption.
I still think there's potential for improving user authentication in a way that's usable, privacy-conscious and fast, without a costly shim service like persona.org. Maybe Firefox could finally implement the Persona API in the browser for sites to use?
I tried Persona back then when it was new, and found it pretty confusing (as a user). Still, it feels like a lost opportunity that it is shutting down.
Can someone tell me, in a nutshell, what the difference was between OpenID/OAuth (I mean whatever the heck it is that allows me to "log in using my Google/Facebook/GitHub account". I always mix up those two.)?
Is it just that you use your e.g. Gmail or other third party email address, but then the authentication is not done by your email account provider, but by Mozilla?
╔════════════════════════════════════════╦═══════════════════════════════════════════╦══════════════════════════════════════════╦════════════════════════════╗
║ ║ Persona with browser and email server ║ persona.org shim ║ OpenID ║
║ ║ integration ║ ║ ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ User identifier ║ email address ║ email address ║ URI ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ Auth provider ║ Email server ║ persona.org ║ OpenID server ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ Passwordless ║ Just one password for your email server ║ One for the shim, and one for your email ║ One for your OpenID server ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ Provider sees where you log in ║ No ║ No ║ Yes ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ Provider must stay online at all times ║ No, auth tokens are cached ║ No, but persona.org must stay online ║ Yes ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ Requires Javascript ║ Yes ║ Yes ║ unknown ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ Fallback available ║ Yes, just use the email ║ Yes, just use the email ║ None ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ Ability to contact user ║ Yes, just use the email ║ Yes, just use the email ║ None ║
╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
║ Implemented ║ In no desktop browsers or email providers ║ Yes ║ Yes ║
╚════════════════════════════════════════╩═══════════════════════════════════════════╩══════════════════════════════════════════╩════════════════════════════╝
that's a great chart, but a few corrections about OpenID:
Provider must stay online at all times: the OpenID provider needs to be online when you login to the consumer site, after that, you have a session with that site and the provider doesn't need to be online.
Requires Javascript: there's a fallback in OpenID.
Ability to contact owner: there are extensions to propagate attributes like email addresses that are commonly supported.
I think the key point is that by design, OpenID Connect doesn't necessitate that the identity provider reveals the users email address to the service provider. The identity provider can choose to include that in the token (or the UserInfo endpoint) or they can hide it behind another OAuth scope and explicit permission.
Whereas by design, Persona does mean the service provider has access to your email address. For consumer applications, this is probably fine, but it's a very different assumption than most access and authorization use.
I understand (it's been a while since I looked at it) that with Persona, your identity is stored and handled by your browser, rather than an external service. I could have misremembered, though.
Yeah, this one https://news.ycombinator.com/item?id=12862355 is weird too. I think it's "((Identity/Persona Shutdown) Guide) for Reliers", i.e., a guide to the shutdown of Identity/Persona for people who rely on Identity/Persona.
The fact that they keep throwing money at useless stuff like that new design for their logo, while at the same time they refuse to keep useful services online, is a clear sign of the downfall of the Mozilla Foundation.
The project failed to gain widespread adoption. An org that runs marginally valuable side projects indefinitely is an org that is going to face a downfall.
Like you, I'd love to see a better authn mechanism, but Persona wasn't going to be it. So, this frees their resources to focus on what is going to continue making Mozilla relevant. Certainly a declining user base on Persona wasn't going to be it.
My opinion is that Persona was still untested, we will never know whether Persona was going to be it or not because they never launched the browser integration.
They bailed out after failing to displace the most ubiquitous form of authentication in three years. They didn't even have it implemented on their own site for the first six months, and they never built the browser chrome component that would have made Persona appealing to users.
It kinda feels like they gave up before they really got started.