Tatyana wrote:
Hello,
Thanks for your comments on the proposal. I'll try to answer the
questions that you've stated.
* Adding columns to the db for "openid_*" seems a little hokey to me.
Is it not better to find a generic (meaning non-openid specific) way of
accomplishing this? We are bound to run into a situation like this
again in the future and I don't think messing with the schema every time
is the best solution.
If it is not recommended to modify database schema, then we can store
that information on the xml file or any other type of file. If you
can think of any other ways of accomplishing this, I'll take it into
consideration.
One of the issues to discuss in the proposal was the question whether
the user can have one or more openid_urls mapped to his account. In
the case when user can have multiple openid_urls, it's essential to
create one more database table to store userids and corresponding
openid_urls. If the user can have only one openid_url, it would be
possible not to create one more table, but just to add a column to the
rolleruser table, or reuse any of the existing columns.
I am not against extensions to the database schema at all, what I am
against are extensions to the schema which apply only to a non-standard
feature of the application. You could easily find 10+ other variants of
identity systems Roller users "might" want to integrate with, but I
don't want all of them to require schema changes to work. There are
various solutions to this ...
1. The extension to the db could be generic enough to fit all possible
uses. Such as adding a "user_attribute" table which keeps key/value
attributes which pertain to a user. This way you can associate any
extra data you want about a user.
2. Another alternative is to reuse the existing columns in new ways. I
don't know a lot about OpenID, but I thought that with OpenID your url
is effectively your id, so maybe that should go in the existing userName
column. Is there any real need for a "userName" when the user is
authenticating against OpenID?
As for the question about supporting multiple openid urls, I don't have
an answer for that. Why would someone want to do that? What would be
the purpose of authenticating against different systems? Is that even
secure?
* Is it expected that openid users will get a local account provisioned?
Or are we planning this such that these users would be managed
externally, similar to an LDAP directory scenario?
Yes, users with openid will have the same type of account as regular
users. Also, existing users would have the opportunity to attach an
openid_url to their account. I guess it'll increase usability, as well
as compatibility and speed.
* A tricky part that will need more consideration is the comment
authentication part. In particular, Roller currently does not allow a
situation where an authentic user is not also available via lookup in
the UserManager. This will need some revising.
I guess openid authentication won't change any of the user lookup methods, so
everything except the authentication process will be the same. The result of the
authentication will be the User class instance, and all other methods
will use its id, name, etc. the same way.
I was talking about this item in the proposal ...
4. If the user is not logged-in and wants to leave a comment, the system
will redirect him to the login page;
I am doing that exact thing right now and I know that there are code
changes required to make that work because Roller currently does not
allow a user to be considered "authentic" but not have their account
come from a call to UserManager.getUserByXXX().
-- Allen
Tatyana
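The generic "user_attribute" table from option 1 above, sketched as an added example that is not Roller's own code or schema. It assumes a minimal stand-in for the rolleruser table and assumed column names (userid, name, value); the UNIQUE constraint on (name, value) is the check a practitioner would want, so that one OpenID identifier can be attached to at most one local account, and the lookup function is what a comment-authentication path would call to turn an authenticated identifier into a local user.

```python
import sqlite3
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in schema: only the columns this example needs.
SCHEMA = """
CREATE TABLE rolleruser (
    id       TEXT PRIMARY KEY,
    username TEXT NOT NULL UNIQUE
);
-- Generic key/value attributes per user (option 1 in the thread).
CREATE TABLE user_attribute (
    userid TEXT NOT NULL REFERENCES rolleruser(id),
    name   TEXT NOT NULL,
    value  TEXT NOT NULL,
    -- an identifier of a given kind maps to at most one account
    UNIQUE (name, value)
);
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO rolleruser VALUES (?, ?)",
                     [("u1", "tatyana"), ("u2", "allen")])  # constructed users
    return conn

def normalize_openid(url: str) -> str:
    # Assumed canonical form: lower-case scheme and host, no trailing
    # slash, fragment dropped, so lookups don't depend on how it was typed.
    p = urlsplit(url.strip())
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))

def attach_openid(conn: sqlite3.Connection, userid: str, url: str) -> bool:
    """Attach an OpenID URL to a local account; False if already claimed."""
    try:
        with conn:
            conn.execute("INSERT INTO user_attribute VALUES (?, 'openid_url', ?)",
                         (userid, normalize_openid(url)))
        return True
    except sqlite3.IntegrityError:  # UNIQUE (name, value) violated
        return False

def lookup_user_by_openid(conn: sqlite3.Connection, url: str) -> Optional[str]:
    """Map an authenticated OpenID URL back to the local user id, or None."""
    row = conn.execute("SELECT userid FROM user_attribute "
                       "WHERE name = 'openid_url' AND value = ?",
                       (normalize_openid(url),)).fetchone()
    return row[0] if row else None
```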