
Don’t use BitBucket – broken OpenID authentication

We’re starting a new client project, and the client uses Mercurial exclusively, all through BitBucket.

BitBucket has a stupid user-accounts system that demands you invent a globally unique username. Oh dear lord – how amateurish are you guys?

Aha! BUT! … they have a (very subtle) link to let you use OpenID instead. Phew! My day is saved – I don’t have to be “dodgy-69-sucker-11111” just in a desperate attempt to work around a naive website architect.

OpenID FAIL

Except … once you’ve sacrificed your private account details to Atlassian, they … don’t allow you to log in. It reports “success” but tells you that you’re not allowed to use OpenID to access the site; you STILL have to create a non-OpenID account, using a globally unique ID.

I’m sure they’re doing “something” with OpenID, but I get the impression that the folks at BitBucket don’t grok what most of the world is using it for…

How do I take back my Identity, you fraudsters?

Well, Atlassian won’t help you there.

Fortunately, Google did…

Google’s UI designers FTW

I used Google as my OpenID source this time around. And, *fortunately*, Google’s process for de-authorizing a website is very simple.

I usually assume Google’s UI is great, and I usually only blog about it when it fails badly, but here’s an example where it works beautifully.

(hint: there’s a shortcut – but Google might change the link in future. You can go directly to: https://www.google.com/accounts/IssuedAuthSubTokens)

Just go to your account page (https://www.google.com/accounts/), and *right at the top of the page* (thanks, Google!) is a link to all your authorized websites – it’s in a big white space on its own, VERY easy to find.