2.5

Upgraded to WordPress 2.5. My OpenID plugin may be broken. Investigating.

Update: I’ve been saddened by the state of OpenID integration in WordPress — none — for quite some time. 2.3 and below just didn’t offer enough logic to be able to satisfactorily integrate it. Everyone that uses OpenID gets a user account in WordPress and when breaches in security occur — and yeah, I do mean when, not if — these people will be able to elevate their privileges.

The user interface offered by, as far as I can tell, all WordPress OpenID plugins piggy-backs onto their own security model, which means that you have to “log in” and then be able to post a comment. This is unqualified bullshit - you should easily be able to enter your name, your OpenID endpoint and your comment, hit Submit and be done with it. Minus a spam-and-troll-mitigating preview-screen, this is how Sam Ruby does it in his own system. In fact, that post was written just 13 days following the last update of the OpenID plugin I chose; my plugin was last updated December 15, 2006. I know how to pick ‘em, right?

So when I upgraded to WordPress 2.5, I noticed that OpenID was indeed broken. The bastards had retooled the API hooks for authentication and remade the login page in a way that makes it not see the added OpenID fields by explicitly only including the login fields there from the start. Even after working around that, it hit me that I am now required to either keep adding workarounds to every WordPress upgrade I do, or to commit to maintaining that parallel API (which provides a way to log in when you don’t have the plain text password, which is the case when people use OpenID and you have to use the unified user system which assumes everyone has a password) for every new WordPress upgrade.

If I return to 2.3.3, I’ll lose out on the new features and new interface and maintain my sanity temporarily just to know that I’ve now adopted the hat of backporting every single security fix from the new WordPress release branch to my old branch, and to never upgrade. And if I’m to switch OpenID plugins now, I’ll have to wait for them to be certified to use 2.5, and past that it’ll be a lot of work with no supported migration process. And I’ll still have the same crappy user experience.

I don’t blame the WordPress team for performing hardening on their codebase and I realize that the sacrifice of plugin support was unintentional and unfortunate, but I blame them for having shown absolutely no interest in supporting OpenID at the heart of the product. For WordPress to pride itself on listening to its users when in fact OpenID has been one of the top requests for quite some time is a bit hard for me to stomach.

With apologies to Mark Pilgrim, it appears that I am trapped like a velvet, paisley-covered Chesterfield in a hallway: unable to move either forwards or backwards. It must be time for a complete redesign.
