[cgiapp] what i'd like to be doing: new authn/authz thoughts
I want to do Stuff with OpenID.

The way I see it, your OpenID right now can only replace your password, not your username, in many applications. That's because you want to be able to say:

  http://some.web.app/user/USERNAME/whatever

Putting your OpenID, which is a URL, where USERNAME appears is just weird.

I've been wondering if the correct approach for handling this is to log in using only your OpenID, and then let you choose a profile from among those available. "profile" would replace the traditional user concept. Most users would only have one profile, and that would be that.

Here are some thoughts:

I am writing a wish list system. (See a forthcoming post.) I have a seven-month-old daughter. I want to be able to manage both my wishlist and hers. I want both of these URLs to work:

  http://wishlist.xyz.zy/wishlist/rjbs
  http://wishlist.xyz.zy/wishlist/mjs

...and I want to be in charge of the content for both. In fact, I'd like my wife to be able to edit the content for both:

  http://wishlist.xyz.zy/wishlist/gloria
  http://wishlist.xyz.zy/wishlist/mjs

One way is to say that user 'mjs' delegates some kind of permission to users rjbs and gloria. Another would be to make mjs be a group, and have both rjbs and mjs as admins of that group. (These two options are basically identical without further definition of user v. group, but I've said it anyway.)

If a user isn't actually username/openid, but rather just openid, then there is a relationship like:

  openid A / is / rjbs
  openid A / is / mjs

The problem, in my mind, with this, is that if there is no primary user associated with the login, then it will be weird to see equal billing given to your own data and the data of another identity that you use only rarely. Worse, there would be these data, too:

  openid B / is / gloria
  openid B / is / mjs

Well, if A and B have equal reign over mjs, can one remove the other? Ugh. We probably will end up wanting some way to give B access to something without making it equivalent to the owner.

So, I think maybe delegation is the right way to go. You'd have to create a new identity for each distinct, well, identity, but you could delegate permissions to other identities easily. There would be an rjbs/openid-A login and a gloria/openid-B login. Then there are a few ways to handle mjs:

  1. there is mjs/openid-? which delegates to both rjbs and gloria
  2. rjbs creates a second wishlist on his account and delegates permissions on that to gloria; now there is no 'mjs' username for URLs, but there is one shared, editable list.

I know this is sort of a ramble, but it's something I'm thinking about now and then. Any other thoughts?

-- 
rjbs

- Web Archive: http://www.mail-archive.com/cgiapp@lists.erlbaum.net/
  http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, or change your message delivery options, visit:
  http://www.erlbaum.net/mailman/listinfo/cgiapp
Re: [cgiapp] what i'd like to be doing: new authn/authz thoughts
Ricardo SIGNES wrote:

> I want to do Stuff with OpenID.
>
> The way I see it, your OpenID right now can only replace your password, not your username, in many applications. That's because you want to be able to say:
>
>   http://some.web.app/user/USERNAME/whatever
>
> Putting your OpenID, which is a URL, where USERNAME appears is just weird.

Putting your login name into a URL is also weird. Your username is part of your credentials, so why is it in the URL?

> I've been wondering if the correct approach for handling this is to log in using only your OpenID, and then let you choose a profile from among those available. "profile" would replace the traditional user concept. Most users would only have one profile, and that would be that.

You definitely could keep data about your users. Whether you call it a profile or not is not really critical. Most systems that allow OpenID also allow people to create normal accounts, so it's probably not common to completely throw away the concept of a user.

>   http://wishlist.xyz.zy/wishlist/rjbs
>   http://wishlist.xyz.zy/wishlist/mjs

These aren't usernames in your URLs, they are ids. It just so happens that in your system they have the same values. The id in the URL doesn't mean they are logged in as that person. Or at least it shouldn't. I would think you'd be able to look at the wish lists of people who aren't you.

> ...and I want to be in charge of the content for both. In fact, I'd like my wife to be able to edit the content for both:

This is similar to the way that Netflix works. My wife and I manage the global family queue of movies and our sons have their own queue. But we also manage that too. It's not a matter of having to change who is logged in. It's just a matter of changing the id in the URL.

> One way is to say that user 'mjs' delegates some kind of permission to users rjbs and gloria. Another would be to make mjs be a group, and have both rjbs and mjs as admins of that group. (These two options are basically identical without further definition of user v. group, but I've said it anyway.)

Yeah, you will need a concept of a profile group where I can manage any profile in my group. These groups wouldn't be all-inclusive though. Just 'cause you can manage your daughter's list doesn't mean she should manage yours. So each group is specific to a person.

> I know this is sort of a ramble, but it's something I'm thinking about now and then. Any other thoughts?

Don't confuse who's logged in with what id is on the URL. Obviously what a person can do on that same page will be different if they are logged in and it's their profile (or a profile in their group).

-- 
Michael Peters
Developer
Plus Three, LP

####
## CGI::Application community mailing list
## To unsubscribe, or change your message delivery options,
## visit: http://www.erlbaum.net/mailman/listinfo/cgiapp
## Web archive: http://www.erlbaum.net/pipermail/cgiapp/
## Wiki: http://cgiapp.erlbaum.net/
####
Re: [cgiapp] what i'd like to be doing: new authn/authz thoughts
* Michael Peters [EMAIL PROTECTED] [2007-10-19T19:28:20]
> > I've been wondering if the correct approach for handling this is to log in using only your OpenID, and then let you choose a profile from among those available. "profile" would replace the traditional user concept. Most users would only have one profile, and that would be that.
>
> You definitely could keep data about your users. Whether you call it a profile or not is not really critical. Most systems that allow OpenID also allow people to create normal accounts, so it's probably not common to completely throw away the concept of a user.

Yeah, mostly I'm wondering whether the issue is that "user" is still really needed, and whether these sites have insufficiently embraced the revolution. :)

> >   http://wishlist.xyz.zy/wishlist/rjbs
> >   http://wishlist.xyz.zy/wishlist/mjs
>
> These aren't usernames in your URLs, they are ids. It just so happens that in your system they have the same values. The id in the URL doesn't mean they are logged in as that person. Or at least it shouldn't. I would think you'd be able to look at the wish lists of people who aren't you.

Yes, absolutely, and I didn't ever mean to imply that you had to be logged in as X to see /wishlist/X -- quite the opposite! I want a nice short identifier like that in order to make the URL comfy to give to others.

The question is: if that is not a username, what is it? Is it a unique identifier associated with your user? Well, six of one... Or maybe it's a unique identifier associated with the wishlist resource. The problem there is that it's less trivial, then, to do things like produce a URL showing me the profile of the user:

  /profile/rjbs
  /rjbs/profile

...or the user's group memberships:

  /rjbs/groups

...and so on. There's a lot to be said about a simple unique name for a user. It isn't a necessity -- you could just use a number or guid, if there is no username -- but it seems like the rel'n is that a user can have either zero or one username.

> > I know this is sort of a ramble, but it's something I'm thinking about now and then. Any other thoughts?
>
> Don't confuse who's logged in with what id is on the URL. Obviously what a person can do on that same page will be different if they are logged in and it's their profile (or a profile in their group).

Definitely not. As I say in another email replying to, I think, Aristotle, the place of identifier both in the URL and in state are a big deal to me.

-- 
rjbs
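The two design points running through this thread, a login principal (the OpenID URL) kept separate from the short id in the URL path, and edit rights on a shared list granted by delegation from its owner rather than by sharing a login, as an added example. This is not code from the thread or from CGI::Application; the OpenID URLs, slugs, `WishlistStore` and the `handle()` routine are constructed for illustration. It follows rjbs's option 2 (one identity owns the shared 'mjs' list and delegates to another) and makes grant/revoke owner-only, which is one answer to the "can A remove B?" question: delegates can edit, but cannot evict each other or hand the list to a third party.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed identities: the OpenID URL is the authenticated *principal*.
# It lives in the server-side session, never in the path of a request.
OPENID_A = "https://openid.example/rjbs"    # hypothetical OpenID for rjbs
OPENID_B = "https://openid.example/gloria"  # hypothetical OpenID for gloria


@dataclass
class Wishlist:
    slug: str                 # the short id in /wishlist/<slug>; an address, not a credential
    owner: str                # OpenID URL of the identity that created the list
    editors: set[str] = field(default_factory=set)  # OpenID URLs granted edit rights


class PermissionDenied(Exception):
    pass


class WishlistStore:
    def __init__(self) -> None:
        self._lists: dict[str, Wishlist] = {}

    def create(self, actor: str, slug: str) -> Wishlist:
        if slug in self._lists:
            raise ValueError(f"slug {slug!r} is already taken")
        self._lists[slug] = Wishlist(slug=slug, owner=actor)
        return self._lists[slug]

    def get(self, slug: str) -> Optional[Wishlist]:
        return self._lists.get(slug)

    # Authorization predicates. `actor` is the session principal (None when
    # anonymous); `slug` is whatever the URL named. They meet only through
    # the ACL, never through a test like slug == "name of the logged-in user".
    def can_view(self, actor: Optional[str], slug: str) -> bool:
        return slug in self._lists          # lists are public to read

    def can_edit(self, actor: Optional[str], slug: str) -> bool:
        wl = self._lists.get(slug)
        if wl is None or actor is None:
            return False
        return actor == wl.owner or actor in wl.editors

    def can_manage(self, actor: Optional[str], slug: str) -> bool:
        # Only the owner grants or revokes, so two delegates cannot evict
        # each other and a delegate cannot re-delegate to a third party.
        wl = self._lists.get(slug)
        return wl is not None and actor == wl.owner

    def delegate(self, actor: str, slug: str, grantee: str) -> None:
        if not self.can_manage(actor, slug):
            raise PermissionDenied(f"{actor} may not manage {slug!r}")
        self._lists[slug].editors.add(grantee)

    def revoke(self, actor: str, slug: str, grantee: str) -> None:
        if not self.can_manage(actor, slug):
            raise PermissionDenied(f"{actor} may not manage {slug!r}")
        self._lists[slug].editors.discard(grantee)


def handle(store: WishlistStore, method: str, path: str,
           session_openid: Optional[str]) -> int:
    """Hypothetical request handler; returns an HTTP status code.

    `session_openid` comes from the authenticated session. The slug parsed
    from `path` only selects the resource; it never identifies the caller.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "wishlist":
        return 404
    slug = parts[1]
    if store.get(slug) is None:
        return 404
    if method == "GET":
        return 200 if store.can_view(session_openid, slug) else 403
    if method in ("POST", "PUT", "DELETE"):
        return 200 if store.can_edit(session_openid, slug) else 403
    return 405


def build_family_store() -> WishlistStore:
    """Constructed data following option 2 from the thread: rjbs owns the
    shared 'mjs' list and delegates edit rights on it to gloria."""
    store = WishlistStore()
    store.create(OPENID_A, "rjbs")
    store.create(OPENID_B, "gloria")
    store.create(OPENID_A, "mjs")
    store.delegate(OPENID_A, "mjs", OPENID_B)
    return store


if __name__ == "__main__":
    s = build_family_store()
    print("anon   GET  /wishlist/mjs  ->", handle(s, "GET", "/wishlist/mjs", None))
    print("anon   POST /wishlist/mjs  ->", handle(s, "POST", "/wishlist/mjs", None))
    print("gloria POST /wishlist/mjs  ->", handle(s, "POST", "/wishlist/mjs", OPENID_B))
    print("gloria POST /wishlist/rjbs ->", handle(s, "POST", "/wishlist/rjbs", OPENID_B))
```

The asymmetry Michael Peters describes falls out of the data model: gloria's delegation on 'mjs' gives her nothing on 'rjbs', and rjbs's ownership of 'mjs' gives him nothing on 'gloria'. If the 'mjs' list later needs its own OpenID (option 1), only the `owner` field changes; `handle()` and the predicates stay the same.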