[cgiapp] what i'd like to be doing: new authn/authz thoughts

2007-10-19 Thread Ricardo SIGNES

I want to do Stuff with OpenID.  The way I see it, your OpenID right now can
only replace your password, not your username, in many applications.  That's
because you want to be able to say:

  http://some.web.app/user/USERNAME/whatever

Putting your OpenID, which is a URL, where USERNAME appears is just weird.

I've been wondering if the correct approach for handling this is to log in
using only your OpenID, and then let you choose a profile from among those
available.  profile would replace the traditional user concept.  Most users
would only have one profile, and that would be that.

Here are some thoughts:

I am writing a wish list system.  (See a forthcoming post.)  I have a
seven-month old daughter.  I want to be able to manage both my wishlist and
hers.  I want both of these URLs to work:

  http://wishlist.xyz.zy/wishlist/rjbs
  http://wishlist.xyz.zy/wishlist/mjs

...and I want to be in charge of the content for both.  In fact, I'd like my
wife to be able to edit the content for both:

  http://wishlist.xyz.zy/wishlist/gloria
  http://wishlist.xyz.zy/wishlist/mjs

One way is to say that user 'mjs' delegates some kind of permission to users
rjbs and gloria.  Another would be to make mjs be a group, and have both rjbs
and mjs as admins of that group.  (These two options are basically identical
without further definition of user v. group, but I've said it anyway.)

If a user isn't actually username/openid, but rather just openid, then there is
a relationship like:

  openid A / is / rjbs
  openid A / is / mjs

The problem, in my mind, with this, is that if there is no primary user
associated with the login, then it will be weird to see equal billing given to
your own data and the data of another identity that you use only rarely.

Worse, there would be these data, too:

  openid B / is / gloria
  openid B / is / mjs

Well, if A and B have equal reign over mjs, can one remove the other?  Ugh.  We
probably will end up wanting some way to give B access to something without
making it equivalent to the owner.

So, I think maybe delegation is the right way to go.  You'd have to create a
new identity for each distinct, well, identity, but you could delegate
permissions to other identities easily.

There would be an rjbs/openid-A login and a gloria/openid-B login.  Then there
are a few ways to handle mjs:

  1. there is mjs/openid-? which delegates to both rjbs and gloria
  2. rjbs creates a second wishlist on his account and delegates permissions on
     that to gloria; now there is no 'mjs' username for URLs, but there is one
     shared, editable list.

I know this is sort of a ramble, but it's something I'm thinking about now and
then.  Any other thoughts?

-- 
rjbs
Web Archive:  http://www.mail-archive.com/cgiapp@lists.erlbaum.net/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2

To unsubscribe, or change your message delivery options, visit:
http://www.erlbaum.net/mailman/listinfo/cgiapp


Re: [cgiapp] what i'd like to be doing: new authn/authz thoughts

2007-10-19 Thread Michael Peters
Ricardo SIGNES wrote:
> I want to do Stuff with OpenID.  The way I see it, your OpenID right now can
> only replace your password, not your username, in many applications.  That's
> because you want to be able to say:
>
>   http://some.web.app/user/USERNAME/whatever
>
> Putting your OpenID, which is a URL, where USERNAME appears is just weird.

Putting your login name into a URL is also weird. Your username is part of your
credentials, so why is it in the URL?

> I've been wondering if the correct approach for handling this is to log in
> using only your OpenID, and then let you choose a profile from among those
> available.  profile would replace the traditional user concept.  Most users
> would only have one profile, and that would be that.

You definitely could keep data about your users. Whether you call it a profile
or not is not really critical. Most systems that allow OpenID also allow people
to create normal accounts, so it's probably not common to completely throw away
the concept of a user.

>   http://wishlist.xyz.zy/wishlist/rjbs
>   http://wishlist.xyz.zy/wishlist/mjs

These aren't usernames in your URLs, they are ids. It just so happens that in
your system they have the same values. The id in the URL doesn't mean they are
logged in as that person. Or at least it shouldn't. I would think you'd be able
to look at the wish lists of people who aren't you.

> ...and I want to be in charge of the content for both.  In fact, I'd like my
> wife to be able to edit the content for both:

This is similar to the way that Netflix works. My wife and I manage the global
family queue of movies and our sons have their own queue. But we also manage
that too. It's not a matter of having to change who is logged in. It's just a
matter of changing the id in the url.

> One way is to say that user 'mjs' delegates some kind of permission to users
> rjbs and gloria.  Another would be to make mjs be a group, and have both rjbs
> and mjs as admins of that group.  (These two options are basically identical
> without further definition of user v. group, but I've said it anyway.)

Yeah, you will need a concept of a profile group where I can manage any
profile in my group. These groups wouldn't be all inclusive though. Just cause
you can manage your daughter's list doesn't mean she should manage yours. So each
group is specific to a person.

> I know this is sort of a ramble, but it's something I'm thinking about now and
> then.  Any other thoughts?

Don't confuse who's logged in with what id is on the URL. Obviously what a
person can do on that same page will be different if they are logged in and it's
their profile (or a profile in their group).

-- 
Michael Peters
Developer
Plus Three, LP
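
An added example, not code from the thread or from rjbs's wishlist app, written in Python rather than the list's Perl for brevity: the authorization model the two posts above sketch, keeping the id in /wishlist/<id> (a resource) separate from the OpenID you logged in with (a principal), with directional delegation grants so that gloria gets edit access to mjs's list without becoming equivalent to its owner. The `openid-A`/`openid-B` logins, the profiles and the grant table are all constructed sample data.

```python
# Added example (constructed, not the wishlist app from the thread): the id in
# /wishlist/<id> names a resource; the OpenID you logged in with names a principal.
# Authorization joins the two through ownership and directional delegation grants.

# Constructed sample data.
PROFILES = {"openid-A": "rjbs", "openid-B": "gloria"}        # login -> own profile
OWNERS = {"rjbs": "rjbs", "gloria": "gloria", "mjs": None}   # list id -> owner (mjs: no login)
# Delegation grants: (list id, grantee profile) -> permissions. Directional, so
# rjbs managing mjs's list says nothing about mjs (or gloria) managing rjbs's.
# gloria gets edit only: access without being equivalent to the owner.
GRANTS = {
    ("mjs", "rjbs"): {"view", "edit", "admin"},
    ("mjs", "gloria"): {"view", "edit"},
}
PUBLIC = {"view"}  # anyone may look at a list, logged in or not


def principal(openid):
    """Profile of the authenticated caller, or None when nobody is logged in."""
    return PROFILES.get(openid)


def permissions(openid, list_id):
    """Effective permissions of the caller on /wishlist/<list_id>."""
    if list_id not in OWNERS:
        return set()                          # no such list: nothing, not even view
    perms = set(PUBLIC)
    who = principal(openid)
    if who is None:
        return perms                          # anonymous: read-only
    if OWNERS[list_id] == who:
        return perms | {"edit", "admin"}      # owner of the resource
    return perms | GRANTS.get((list_id, who), set())


def can(openid, action, list_id):
    return action in permissions(openid, list_id)


def revoke(actor_openid, list_id, grantee):
    """Remove grantee's delegation on list_id; only an admin of that list may.

    Returns True if a grant was removed, False if there was none to remove.
    """
    if not can(actor_openid, "admin", list_id):
        raise PermissionError(f"{principal(actor_openid)!r} may not administer {list_id!r}")
    return GRANTS.pop((list_id, grantee), None) is not None
```

The request handler only ever asks `can(session_openid, action, id_from_url)`; which list is shown comes from the URL, what may be done to it comes from the session.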


CGI::Application community mailing list
To unsubscribe, or change your message delivery options, visit: http://www.erlbaum.net/mailman/listinfo/cgiapp
Web archive: http://www.erlbaum.net/pipermail/cgiapp/
Wiki: http://cgiapp.erlbaum.net/

Re: [cgiapp] what i'd like to be doing: new authn/authz thoughts

2007-10-19 Thread Ricardo SIGNES
* Michael Peters [EMAIL PROTECTED] [2007-10-19T19:28:20]
> > I've been wondering if the correct approach for handling this is to log in
> > using only your OpenID, and then let you choose a profile from among those
> > available.  profile would replace the traditional user concept.  Most
> > users would only have one profile, and that would be that.
>
> You definitely could keep data about your users. Whether you call it a
> profile or not is not really critical. Most systems that allow OpenID also
> allow people to create normal accounts, so it's probably not common to
> completely throw away the concept of a user.

Yeah, mostly I'm wondering whether the issue is that user is still really
needed, and whether these sites have insufficiently embraced the revolution. :)

> >   http://wishlist.xyz.zy/wishlist/rjbs
> >   http://wishlist.xyz.zy/wishlist/mjs
>
> These aren't usernames in your URLs they are ids. It just so happens that in
> your system they have the same values. The id in the url doesn't mean they
> are logged in as that person. Or at least it shouldn't. I would think you'd
> be able to look at the wish lists of people who aren't you.

Yes, absolutely, and I didn't ever mean to imply that you had to be logged in
as X to see /wishlist/X -- quite the opposite!  I want a nice short identifier
like that in order to make the URL comfy to give to others.

The question is: if that is not a username, what is it?  Is it a unique
identifier associated with your user?  Well, six of one...

Or maybe it's a unique identifier associated with the wishlist resource.  The
problem there is that it's less trivial then to do things like produce a URL
showing me the profile of the user:

  /profile/rjbs
  /rjbs/profile

...or the user's group memberships:

  /rjbs/groups

...and so on.  There's a lot to be said about a simple unique name for a user.
It isn't a necessity -- you could just use a number or guid, if there is no
username -- but it seems like the rel'n is that a user can have either zero or
one username.

> > I know this is sort of a ramble, but it's something I'm thinking about now
> > and then.  Any other thoughts?
>
> Don't confuse who's logged in with what id is on the URL. Obviously what a
> person can do on that same page will be different if they are logged in and
> it's their profile (or a profile in their group).

Definitely not.  As I say in another email replying to, I think, Aristotle,
the place of the identifier both in the URL and in state is a big deal to me.

-- 
rjbs
