[cgiapp] what i'd like to be doing: new authn/authz thoughts

Michael Peters mpeters at plusthree.com
Fri Oct 19 19:28:20 EDT 2007


Ricardo SIGNES wrote:
> I want to do Stuff with OpenID.  The way I see it, your OpenID right now can
> only replace your password, not your username, in many applications.  That's
> because you want to be able to say:
> 
>   http://some.web.app/user/USERNAME/whatever
> 
> Putting your OpenID, which is a URL, where "USERNAME" appears is just weird.

Putting your login name into a URL is also weird. Your username is part of your
credentials, so why is it in the URL?

> I've been wondering if the correct approach for handling this is to log in
> using only your OpenID, and then let you choose a profile from among those
> available.  "profile" would replace the traditional "user" concept.  Most users
> would only have one profile, and that would be that.

You definitely could keep data about your users. Whether you call it a profile
or not is not really critical. Most systems that allow OpenID also allow people
to create normal accounts, so it's probably not common to completely throw away
the concept of a user.

>   http://wishlist.xyz.zy/wishlist/rjbs
>   http://wishlist.xyz.zy/wishlist/mjs

These aren't usernames in your URLs; they are ids. It just so happens that in
your system they have the same values. The id in the URL doesn't mean they are
logged in as that person. Or at least it shouldn't. I would think you'd be able
to look at the wish lists of people who aren't you.

> ...and I want to be in charge of the content for both.  In fact, I'd like my
> wife to be able to edit the content for both:

This is similar to the way that Netflix works. My wife and I manage the global
family queue of movies and our sons have their own queue. But we also manage
that too. It's not a matter of having to change who is logged in. It's just a
matter of changing the id in the url.

> One way is to say that user 'mjs' delegates some kind of permission to users
> rjbs and gloria.  Another would be to make mjs be a group, and have both rjbs
> and mjs as admins of that group.  (These two options are basically identical
> without further definition of user v. group, but I've said it anyway.)

Yeah, you will need a concept of a "profile group" where I can manage any
profile in my group. These groups wouldn't be all inclusive though. Just because
you can manage your daughter's list doesn't mean she should manage yours. So each
group is specific to a person.

> I know this is sort of a ramble, but it's something I'm thinking about now and
> then.  Any other thoughts?

Don't confuse who's logged in with what id is on the URL. Obviously what a
person can do on that same page will be different if they are logged in and it's
their profile (or a profile in their group).

-- 
Michael Peters
Developer
Plus Three, LP
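The model argued for in this reply (who is logged in comes from the OpenID, whose list is shown comes from the id in the URL, and delegation is granted per profile owner and only in one direction), as an added Python example that is not from the original post or from CGI::Application; the OpenID URLs, profile ids and the MANAGERS table are constructed sample data.

```python
# Constructed sample data. An OpenID URL identifies who is logged in; a short
# profile id identifies whose wishlist the URL points at. Keeping the two apart
# is the whole point: the id in the URL never implies you are logged in as that person.
OPENID_TO_PROFILE = {
    "https://rjbs.example.org/": "rjbs",
    "https://gloria.example.org/": "gloria",
    "https://mjs.example.org/": "mjs",
}
PROFILES = set(OPENID_TO_PROFILE.values())

# Delegation is per owner and directed: the owner of "mjs" lets rjbs and gloria
# manage that profile. Nothing here lets mjs manage "rjbs" in return.
MANAGERS = {
    "mjs": {"rjbs", "gloria"},
}


def profile_for(openid):
    """Map an authenticated OpenID to the profile it logged in as (None if not logged in)."""
    return OPENID_TO_PROFILE.get(openid)


def can_edit(openid, url_profile_id):
    """Authorization: edit your own profile, or one whose owner delegated to you."""
    me = profile_for(openid)
    if me is None:
        return False                      # anonymous or unknown OpenID: read-only
    if me == url_profile_id:
        return True                       # my own profile
    return me in MANAGERS.get(url_profile_id, set())


def handle_request(openid, path, method):
    """Dispatch /wishlist/<id>: viewing is open to everyone, edits go through can_edit."""
    prefix = "/wishlist/"
    if not path.startswith(prefix):
        return 404
    target = path[len(prefix):]
    if target not in PROFILES:
        return 404                        # unknown profile id in the URL
    if method == "GET":
        return 200                        # anyone may look at anyone's wishlist
    return 200 if can_edit(openid, target) else 403
```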


