[geeklog-devtalk] Remote Authentication ;-)

Michael Jervis mike at fuckingbrit.com
Thu Feb 3 14:03:53 EST 2005



> The part I don't understand (and, frankly, don't like) is why
> you have to extend the username to hold up to 60 characters.
> If this is only to be able to use the login block for
> remotely authenticated users, then I'd rather have them log
> in from a separate form anyway.


No, it isn't.

When I log in to my server as a remotely authenticated user, then I have no
guarantee that the username is unique.

For example, on my site I am THEMike. I am also THEMike on geeklog.net,
blogger.com and drupal.org. However, on livejournal I am eyeh8u because
someone already had everything else I regularly use. I expect there is
already a THEMike on typekey.

So, if I go and authenticate using remote authentication on
somenewgeeklogsite.com where THEMike already exists, and THEMike from
livejournal.com has already logged in, who am I?

My preferred solution is to register the remote users as
username@remoteservice which clearly marks their accounts as something else,
to users who are reading who commented.

If I let someone register as THEMike with a new uid and record they are
authenticated via blogger.com in the users table, how can someone tell that
the person who commented on an article was THEMike (me at fb.com), THEMike
(me at blogger.com) or THEMike (some fool at livejournal.com)?

I could display (blogger account) or (livejournal account) or @blogger.com
by spitting out the remote authentication details perhaps. But how many
places in core would I have to make the change? How many plugin authors
would have to update their modules (forum, journal, staticpages (in core of
course)...)

To be fair, I didn't spend too much time thinking about the mechanism here.
I just did it. There may be a way that is more obvious to you, as you
clearly know core better than me. I increased the length to a value long
enough to allow a 16 char user name at a 43 char domain.

Not being sure what size was appropriate, I took my lead from drupal's auth
system.


> I.e. something like
> users.php?mode=remote (linked from the login block) that
> would display a login form just for those users. They may
> even want to select which remote authentication they're
> using, in case they have several to choose from (I, for
> example, have both a TypeKey and a Blogger account). Also,
> clicking on a "authenticate via Blogger" button is probably
> more user friendly than having to add the @blogger.com as if
> it were an email address.


Now, that is a good solution to the next question I had, which was "how
would be a nice geeklog friendly way of pointing out all the ways someone
can authenticate?", and I guess on the block and the login page having
"Authenticate via: blogger, livejournal, drupal, typekey" is a nice solution
and allows the typekey aspect to hook into the same mechanism (for
displaying its presence to the user) the server to server method could
take.


> Or am I missing something here?


Personally, I think so. I think it's the site unique username that's
important here. But it might be me that's missing something. Always open to
suggestions now I've explained my thinking.


> On a technical note: It may make sense to integrate your
> remoteauth table into the users table, i.e. add the two fields there.


Yes, that would make more sense wouldn't it? I guess there is already an
index on username? So I could do a fast select authmodule from users where
username=''?

My other question I had to ask, was about adding to a custom group. I've not
spent much time around the group/feature stuff to be honest. How would you
suggest doing this? Just a new core group with a name? Do I need to add any
features to it? Or would that all come from Authenticated User?

Cheers for taking the time to look,

Mike
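
The collision described in this message, and the qualified-name scheme it proposes (remote user name plus remote service), as an added PHP example that is not part of the original post and not Geeklog code. The function names, the in-memory array standing in for the users table, and the rule reserving '@' for remote accounts are assumptions; only the 16 + 43 character split comes from the message.

```php
<?php
// Added illustration, not Geeklog code. All names here are hypothetical;
// only the 16 + 43 character split is taken from the message.
const MAX_USER = 16;    // remote user name part
const MAX_SERVICE = 43; // remote service (domain) part

// Build the site-unique name for a remotely authenticated user.
function qualifiedUsername(string $remoteUser, string $service): string
{
    $service = strtolower($service);
    if ($remoteUser === '' || strlen($remoteUser) > MAX_USER
        || strpos($remoteUser, '@') !== false) {
        throw new InvalidArgumentException('bad remote user name');
    }
    if (!preg_match('/^[a-z0-9.-]{1,' . MAX_SERVICE . '}$/', $service)) {
        throw new InvalidArgumentException('bad service name');
    }
    return $remoteUser . '@' . $service;   // at most 16 + 1 + 43 = 60 chars
}

// Toy stand-in for the users table: username => [uid, authmodule].
function login(array &$users, string $username, ?string $authmodule): int
{
    if ($authmodule === null && strpos($username, '@') !== false) {
        // Assumption: local names may not contain '@', so a local account
        // can never be mistaken for a remotely authenticated one.
        throw new InvalidArgumentException("'@' is reserved for remote accounts");
    }
    if (!isset($users[$username])) {
        $users[$username] = ['uid' => count($users) + 2, 'authmodule' => $authmodule];
    }
    return $users[$username]['uid'];
}

// Constructed sample: three different people who all call themselves THEMike.
$users = [];
$local   = login($users, 'THEMike', null);
$blogger = login($users, qualifiedUsername('THEMike', 'blogger.com'), 'blogger');
$lj      = login($users, qualifiedUsername('THEMike', 'livejournal.com'), 'livejournal');
$again   = login($users, qualifiedUsername('THEMike', 'blogger.com'), 'blogger');

foreach ($users as $name => $row) {
    printf("uid %d  %-24s %s\n", $row['uid'], $name, $row['authmodule'] ?? 'local');
}
// Three distinct accounts, and a repeat login maps back to the same uid.
var_dump($local !== $blogger && $blogger !== $lj && $again === $blogger);
```

Because the service is part of the stored username, existing code that only prints the username shows which account commented without any change to core or plugins.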