On Fri, May 16, 2014 at 5:19 PM, Chad innocentkiller@gmail.com wrote:
> I'm mostly worried about security issues in 3rd-party implementations of OAuth that we can't control. I asked Chris S. about this earlier today and I hope he'll expand on this some more--especially concerning to me was the concrete example he gave with Facebook's own OAuth. Also he mentioned that Twitter's OAuth is known to be insecure in its implementation.
> Depending on how GitHub's OAuth is implemented, that's the one I could see the strongest case being made for.
I think we all know there are many insecure things about most login systems, including our own. The question is what do we get for the potential cost/risk. Obviously with Google and Facebook as options we don't stand to gain a lot in terms of technical contributions. With GitHub, the balance is probably tipped the other way. If we try it and in the long run, it provides very little benefit, we could consider phasing it out.
> Enabling all of them seems like it'll just make the login page cluttered with options used by about 1-2 people each but I could be wrong.
Yes, absolutely. The login page of Phabricator's own Phabricator instance is an example of providing too many choices. This slows people down when they have to evaluate all the options.