Hey,
2016-03-31 1:02 GMT+02:00 Aarón Bueno Villares <abv15...@gmail.com>:
> First of all, sorry for my English. Second, because these email will have
> different "question" about the use of that module, I want to contextualize
> a bit my situation:
>
> A) Its the first time I deploy a "OAuth" module in a web site.
> B) I'm using the ODB library instead of Wt::Dbo. So, I have to
> implement my own user database.
> C) The Wt version I'm using is 3.3.4.
> D) I haven't implemented yet anything related to authentication. I'm
> still under a "researching stage". So, I cannot test things yet.
>
> Reading the google OAuth documentation and comparing it with which I have
> understood from the Wt::Auth::GoogleService implementation, Wt uses the
> OAuth protocol to get authorization for getting identity information, and
> the Google OpenID protocol to finally catch that information previously
> authorized. My question is about versions, because I know that Wt uses
> OAuth 2 for authorization, but OpenID 2.0, which is deprecated (Google uses
> now Open Connect), for getting the identity and the email. The thing is
> that some features (URLs) of these deprecated APIs are currently off, and I
> don't know if I need a more recent version of Wt to make the GoogleService
> class work.
>
As far as I understand, Google uses OAuth 2.0 and OpenID Connect. But
OpenID Connect has little or nothing to do with classical OpenID (which was
kind of a disaster). Instead, OpenID Connect is in fact 'use OAuth 2.0 to
retrieve identity information'. This is indeed exactly what we implement in
Wt.
I just checked to make sure, but indeed, Wt's implementation still works
with Google?
A) Which info is taken as "identity", the email or the personal name
> retrieved from Google? And when connecting through Facebook?
>
It's in fact the 'identity' which is an opaque string returned by Google
(or Facebook) which is neither the email or personal name.
B) In the second case when the "name" is used as identity and a user
> changes his Google/Facebook personal name, what does Wt do when a user
> changes is name but the e-mail matchs?, does it automatically change the
> identity name?
>
Since we use some 'account identity', I expect it not to change when the
user changes his personal information.
C) When you enable remember-me functionality and the user login again,
> does Wt connect to the "suitable" service" to know if the user identity is
> still valid? Or the "remember-me" cookie is enough to authenticate the user
> till it expires? By suitable service I mean the service (password, google
> or facebook) the user used to connect the last time the users checked the
> "remember-me" buttom.
>
No, we do not connect back to the primary identity source. That's a good
question, actually, and I hadn't considered this. I'm not entirely sure
whether we should, since we really use the cookie as a (weak) substitution
for the primary authentication.
D) If a user logouts, are the "remember-me" cookies deleted, or do I
> have to erase them manually? Because if the user disconnects and connects
> again using a different mean, there would be more than one "remember-me"
> cookie.
>
The cookie gets deleted.
Koen
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140
_______________________________________________
witty-interest mailing list
witty-interest@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/witty-interest
