[cgiapp] what i'd like to be doing: new authn/authz thoughts

Ricardo SIGNES rjbs-perl-cgiapp at lists.manxome.org
Fri Oct 19 07:24:56 EDT 2007


I want to do Stuff with OpenID.  The way I see it, your OpenID right now can
only replace your password, not your username, in many applications.  That's
because you want to be able to say:

  http://some.web.app/user/USERNAME/whatever

Putting your OpenID, which is a URL, where "USERNAME" appears is just weird.

I've been wondering if the correct approach for handling this is to log in
using only your OpenID, and then let you choose a profile from among those
available.  "profile" would replace the traditional "user" concept.  Most users
would only have one profile, and that would be that.

Here are some thoughts:

I am writing a wish list system.  (See a forthcoming post.)  I have a
seven-month-old daughter.  I want to be able to manage both my wishlist and
hers.  I want both of these URLs to work:

  http://wishlist.xyz.zy/wishlist/rjbs
  http://wishlist.xyz.zy/wishlist/mjs

...and I want to be in charge of the content for both.  In fact, I'd like my
wife to be able to edit the content for both:

  http://wishlist.xyz.zy/wishlist/gloria
  http://wishlist.xyz.zy/wishlist/mjs

One way is to say that user 'mjs' delegates some kind of permission to users
rjbs and gloria.  Another would be to make mjs be a group, and have both rjbs
and mjs as admins of that group.  (These two options are basically identical
without further definition of user v. group, but I've said it anyway.)

If a user isn't actually username/openid, but rather just openid, then there is
a relationship like:

  openid A / is / rjbs
  openid A / is / mjs

The problem, in my mind, with this, is that if there is no primary "user"
associated with the login, then it will be weird to see equal billing given to
your own data and the data of another identity that you use only rarely.

Worse, there would be these data, too:

  openid B / is / gloria
  openid B / is / mjs

Well, if A and B have equal reign over mjs, can one remove the other?  Ugh.  We
probably will end up wanting some way to give B access to something without
making it equivalent to the owner.

So, I think maybe delegation is the right way to go.  You'd have to create a
new identity for each distinct, well, identity, but you could delegate
permissions to other identities easily.

There would be an rjbs/openid-A login and a gloria/openid-B login.  Then there
are a few ways to handle mjs:

  1. there is mjs/openid-? which delegates to both rjbs and gloria
  2. rjbs creates a second wishlist on his account and delegates permissions on
     that to gloria; now there is no 'mjs' username for URLs, but there is one
     shared, editable list.

I know this is sort of a ramble, but it's something I'm thinking about now and
then.  Any other thoughts?

-- 
rjbs
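
A sketch of option 1 from the message above, added here as an illustration and not code from the original post: each OpenID owns exactly one profile, and only the owning login can grant or revoke delegation, so rjbs and gloria can both edit mjs while neither can remove the other. The class, its method names and the example.* OpenID URLs are assumptions (the post leaves the OpenID for mjs unspecified).

```python
# Added sketch; class and method names are hypothetical, not from the post.
EDIT = "edit"  # the only delegable right in this sketch

class Wishlists:
    def __init__(self):
        self.login = {}    # OpenID URL -> the one profile that login owns
        self.grants = {}   # profile -> {delegate profile: set of rights}

    def register(self, openid, profile):
        if openid in self.login or profile in self.grants:
            raise ValueError("OpenID or profile name already registered")
        self.login[openid] = profile
        self.grants[profile] = {}

    def _owner_only(self, openid, profile):
        # Granting and revoking are never delegable: only the owning login may.
        if self.login.get(openid) != profile:
            raise PermissionError(f"{openid} does not own {profile}")

    def delegate(self, openid, profile, to, rights=(EDIT,)):
        self._owner_only(openid, profile)
        if to not in self.grants:
            raise KeyError(f"unknown profile {to}")
        self.grants[profile].setdefault(to, set()).update(rights)

    def revoke(self, openid, profile, who):
        self._owner_only(openid, profile)
        self.grants[profile].pop(who, None)

    def can(self, openid, profile, right=EDIT):
        me = self.login.get(openid)  # None for an unknown login, which is denied
        granted = self.grants.get(profile, {}).get(me, ())
        return me is not None and (me == profile or right in granted)

    def editable(self, openid):
        # Own profile first, delegated profiles after it (no "equal billing").
        me = self.login[openid]
        others = sorted(p for p, g in self.grants.items() if EDIT in g.get(me, ()))
        return [me] + others


def demo():
    w = Wishlists()
    # Constructed OpenID URLs standing in for openid-A, openid-B and openid-?.
    a, b, m = "https://a.example/", "https://b.example/", "https://m.example/"
    for oid, name in ((a, "rjbs"), (b, "gloria"), (m, "mjs")):
        w.register(oid, name)
    for who in ("rjbs", "gloria"):
        w.delegate(m, "mjs", who)
    return w, a, b, m
```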