Reputation: 9185
Google App Engine Go - using OpenID, should I also use captcha?
Currently I'm developing a GAE application in golang that would allow the users to log into the service using OpenID from Google. Each account would be mapped to one Google account obviously. Should I implement captcha for user registration, or does using the OpenID already prevent the service from a bot attack?
Upvotes: 0
Views: 398
Answers (2)
Reputation: 699
First of all, fear of a bot attack is really a preliminary caution. Parsing CSRF tokens (which you should use anyway) and dealing with cookies would already cause enough pain to an attacker. I doubt anyone would trouble himself into setting up very own OpenID provider which is the only way one can do that.
Secondly, App Engine's OpenID Federated Login is the User API feature, not Go runtime's one — you can use any OP with it (Facebook, Yahoo!, Steam... Google). User API provides two modes (configurable via Application Settings): OpenID Federated Login and Google Accounts sign in. Which to pick depends on requirements. If all you need is user's Google account you'd better use the latter, when if it's simple password-less sign in with nearly everything, choose OpenID. From the app's perspective both look identical. Best way to go is OAuth, though.
Getting back on the question, both Google Accounts API and OAuth would make such attacks almost impossible and with OpenID it is a little simpler.
https://developers.google.com/appengine/docs/go/users/overview
Upvotes: 1
Reputation: 29579
Are you accepting any OpenID? Then this is not sufficient protection. Anyone can put up an OpenID site on their own domain, use a script to create a billion accounts, and log in with one of them on your site.
Are you accepting only specific OpenID providers? Then you're not using OpenID as it was meant to be used (and, in fact, expressly the opposite of why it was created). But the answer then would be: do you trust that the OpenID providers have done their own due diligence at the time of account creation to prevent spam accounts?
Regardless, you'll likely find that captcha's a poor solution, and currently all implementations of it are broken (but that's a whole different topic).
Upvotes: 3
Related Questions
- Allowing Google to bypass CAPTCHA verification - sensible or not?
- Bot protection or addition of CAPTCHA to sign up experience in Azure AD B2C
- Captcha With Google AppEngine
- Can I have captcha in google apps script?
- Is there a need for CAPTCHA verification on native android apps?
- do I have to add captcha in all forms?
- best CAPTCHA framework for gae
- Can I just use AjaxControlToolKit NoBot, instead of a Captcha?
- Are captchas need for my online form
- Captcha solution which can be used with App Engine?