Roller should not only be an OpenID relying party, it should be a server
too. If you want to leave a comment on a blog that accepts OpenID, your
blog should be able to vouch for you that you are really the owner of
the URL associated with the comment.
Say I'm leaving a comment on your blog that accepts OpenID for comments.
Your Roller installation will ask mine (that acts as an OpenID server)
if I'm logged in and redirect me back to mine where I will be asked to
allow your server to verify my identity. My server should cache these
permission selections - I would imagine the Roller OpenID data model
would be adapted to accommodate this.
So I think there are two model additions:
*) associate a Roller user profile with external OpenID URLs that vouch
for them. Yes, #4 below implies a plurality, though asking users to just
pick one may be a fine place to start.
*) track a Roller user's selections of OpenID relying parties that are
permitted to verify his/her ownership of the Roller blog URL
Also, perhaps this is an enhancement to requirement #3 below: Enable
blog owner to configure their roller blog comment handling policy with
regards to OpenID. The use case is that if you know that the commenter
is authentic (i.e. their blog is an OpenID server), you may wish to
bypass moderation.
Sorry if this sounds convoluted... OpenID is seemingly always a lot
harder to explain and specify than to use and implement.
-Ian
Dave had written and probably intended:
Now that Matt has upgraded us to Spring Security, I'm reviewing the
Open ID for Roller proposal again.
http://cwiki.apache.org/confluence/x/zVAB
The requirements section of the proposal is a little too complicated
and mixes in implementation details. Below are what I believe to be
the core requirements for the project, in priority order.
Open ID for Roller Requirements

1) Allow new users to register and login via OpenID
2) Allow existing users to login via OpenID
   i.e. by associating a Roller user account with an Open ID identity
3) Allow those who wish to leave comments to login via OpenID
4) Allow users to associate multiple OpenID accounts with one Roller account
   i.e. associate multiple Open ID identities with one Roller user
Does that sound complete?
Judging from the Spring Security 2.0 docs (http://tinyurl.com/3ne8pb),
supporting #1 should be pretty easy. We'll have to figure out how to
configure Spring Security, possibly adding some extension classes, to
support #2 through #4.
Allen Gilliland raised a concern with adding OpenID specific fields to
Roller tables, but we do need some way to store a user's OpenID URI
(or list of URIs) in Roller. Could we do the same thing by adding a
new 'roller_openid' table?
- Dave
--
Ian Kallen || Architect, Technorati Inc. || m: 415.505.5208
blog@ http://www.arachna.com/roller/page/spidaman
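
An added sketch of the two model additions discussed in this thread, written for this page and not taken from Roller or from either poster: a separate 'roller_openid' table for linked identities, plus a per-user list of approved relying parties that the server consults before skipping the approval prompt. The openid_trusted_rp table, all column and function names, and the simple prefix realm match (no wildcard realms) are assumptions.

```python
import sqlite3
from urllib.parse import urlsplit

# Hypothetical schema: apart from the 'roller_openid' table name floated in
# the thread, every table, column and function name here is an assumption.
SCHEMA = """
CREATE TABLE roller_openid (
    username   TEXT NOT NULL,
    openid_url TEXT NOT NULL UNIQUE,   -- one identity URL maps to one account
    PRIMARY KEY (username, openid_url)
);
CREATE TABLE openid_trusted_rp (
    username TEXT NOT NULL,
    realm    TEXT NOT NULL,            -- relying party the user has approved
    PRIMARY KEY (username, realm)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def link_identity(db, username, openid_url):
    """Requirement #4: several OpenID URLs may point at one Roller account."""
    db.execute("INSERT INTO roller_openid VALUES (?, ?)", (username, openid_url))

def user_for_identity(db, openid_url):
    row = db.execute("SELECT username FROM roller_openid WHERE openid_url = ?",
                     (openid_url,)).fetchone()
    return row[0] if row else None

def approve_rp(db, username, realm):
    """Cache the user's decision to let this relying party verify them."""
    db.execute("INSERT OR IGNORE INTO openid_trusted_rp VALUES (?, ?)",
               (username, realm))

def _under_realm(return_to, realm):
    # Same scheme and host, and return_to's path sits at or below the realm's.
    r, t = urlsplit(realm), urlsplit(return_to)
    path = r.path if r.path.endswith("/") else r.path + "/"
    return ((t.scheme, t.netloc) == (r.scheme, r.netloc)
            and (t.path + "/").startswith(path))

def may_skip_prompt(db, username, realm, return_to):
    """True only if the user approved this realm and return_to is inside it."""
    row = db.execute(
        "SELECT 1 FROM openid_trusted_rp WHERE username = ? AND realm = ?",
        (username, realm)).fetchone()
    return row is not None and _under_realm(return_to, realm)
```

The cached approval is keyed on the exact realm and still checks return_to, so a stored "yes" for one relying party cannot be reused to send an assertion to a different host or a sibling path.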