Sounds like we have a pretty good idea of how this should work.
On Jun 2, 2009, at 6:08 PM, Caius Durling wrote:

> On 2 Jun 2009, at 22:29, Arthus Erea wrote:
>
>> Ideally, once logged into hp.o, you won't have to log in anywhere
>> else within Habari. You also shouldn't have to type your OpenID
>> login.
>>
>> I think this could be accomplished by setting a site-wide cookie
>> with your OpenID url/username, which the various systems could then
>> auth against.
>
> I think that's the point of OpenID, you just store the OpenID url
> in a cookie as I understand it, and then every time you need to auth
> the app requests auth from the OpenID server. If the server hasn't
> timed out your session, then it just sends you back to the app -
> you're transparently logged in. If a timeout has occurred then the
> user enters their password and is sent back to the app.

Right, but at some point users do have to enter their URL, right?

Ideally, I don't think users should have to enter their hp.o url at any step. Instead, I was thinking we'd add an additional feature to the standard OpenID implementation: sitewide cookies. Most OpenID relationships span multiple servers, but ours would be constrained to the hp.o domain. Thus, we *should* be able to set a cookie when the user logs into the hub, setting their OpenID url. Subsequent apps would then automatically query that url without ever having to prompt for the url.

Maybe I misunderstand OpenID? Is the visitor URL usually stored in an accessible cookie?

> From the user's perspective, they'd have to (sometimes) log in, no
> matter where they were, but once they were logged in then they could
> go anywhere within the habari ecosystem without having to re-login.

Right, but would they have to type their URL on each site?

>> I do think all contributors should have a "hub" profile, since that
>> will include Habari-specific information. Maybe we could set it up
>> so the hub is both an OpenID client & server. If you have an
>> external OpenID, authentication would be delegated to it. Profile
>> information would be pulled in, then fed out to the various apps.
>>
>> So, everyone would have a hp.o profile, with the option of
>> delegating. Does that sound like it would work?
>
> That sounds exactly like my mental model of how OpenID works.
>
> A neat thing I like about it for end-users is they can have their
> authoritative URL (mine is http://caius.name/) but then delegate that
> URL to an OpenID provider (mine's pointing to http://myopenid.com),
> but because the end-user controls their auth url, they can delegate
> to a new provider, so I could switch to using habari's oid server by
> changing one line in my index.html on http://caius.name/.

Right, I wonder how well auth chains will work though... habari -> caius.name -> myopenid seems a little slow.

> C
> ---
> Caius Durling
> [email protected]
> +44 (0) 7960 268 100
> http://caius.name/
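The delegation step Caius describes ("changing one line in my index.html") is the OpenID 1.1 HTML discovery a relying party such as habari performs against a claimed URL like http://caius.name/: it fetches that page once, reads the `openid.server` and `openid.delegate` link tags, and redirects the user to the server it found, so the "chain" is one HTTP fetch plus one redirect rather than a hop through each site. The Python below is an added example, not code from this thread or from Habari; it parses two constructed index.html samples offline, and the provider and hub endpoints in them are placeholders.

```python
from html.parser import HTMLParser


class _OpenIDLinkParser(HTMLParser):
    """Collect rel -> href for every <link> tag; first occurrence of a rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():          # rel may hold several space-separated tokens
                self.links.setdefault(r.lower(), href)


def discover(claimed_url, html):
    """OpenID 1.1 HTML discovery: return (server_endpoint, identity_to_assert).

    If the page carries no openid.delegate link, the claimed URL itself is the
    identity the relying party sends to the server.
    """
    p = _OpenIDLinkParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found on %s" % claimed_url)
    return server, p.links.get("openid.delegate", claimed_url)


# Constructed sample 1: caius.name delegating to an external provider (placeholder URLs).
PROVIDER_PAGE = """<html><head><title>caius</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://caius.provider.example/">
</head><body>hi</body></html>"""

# Constructed sample 2: the same URL after the "one line" change, now pointing at a
# hypothetical habari hub server with no delegate, so the identity stays http://caius.name/.
HUB_PAGE = """<html><head>
<link rel="openid.server" href="https://hub.habari.example/openid/server">
</head><body>hi</body></html>"""

# Constructed sample 3: an ordinary page with no OpenID links at all.
PLAIN_PAGE = "<html><head><title>nothing here</title></head></html>"

if __name__ == "__main__":
    print(discover("http://caius.name/", PROVIDER_PAGE))
    print(discover("http://caius.name/", HUB_PAGE))
```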
