Hello, team!

I was sorry i couldn't be present for the IRC meeting last night.
The next few messages will contain some comments i'd like to add
to the conversation -- i hope they can be useful.

I'm splitting up my comments into several messages by topic so
that replies can go on separate threads with reasonable subject
lines.  I hope you'll reply to my messages with your thoughts.

Thanks!

P.S. Moshe: I'm in Cambridge!  Drop me a line and let's meet.


| <mosheWeitzman> you can certainly make it so that one only needs to
|     register at a single dean site and get instant access to the rest
| <mosheWeitzman> but a user will still have to login to each site using
|     the same sign on
| <mosheWeitzman> it isn't like you can browse freely and auto-login
| <Zacker> right
| <Zacker> well - if we used cookies?
| <Zacker> or is that real bad idea

As far as i know, it isn't possible to share cookies across separate
domains.  So you can't automatically have one site authenticate a user
on another site.

I can think of one way to get around this problem: for the special case
in which the user is clicking on a link from one Site to another Site,
the originating Site can include credentials in the link.  (For example,
a signed token containing the name of the origin Site together with the
authenticated userid.)  Then the destination Site can check the token,
and if the origin Site is one that it trusts, it can accept the login.

However, that solution requires dynamically generating all cross-site
links, which may turn out to be too much trouble.  I don't see any way
to get user-specific information between sites without embedding it in
the link, though.


| <eponics> So, is the auth database distributed itself, or centralized?

Authentication is centralized in the sense that each user's login
resides on, and is validated by, only one server.  But it is
distributed in the sense that many login servers can participate.

Currently Drupal supports a small number of large, well-known
login servers (Yahoo, Blogger, Delphi) that everyone can trust.
If we start using Drupal's authentication scheme with lots of little
servers, then there may start to be questions about who trusts whom.
That is why it is absolutely crucial to understand, and decide,
what authority a username will convey.

Key Question: What can i do when i'm logged in as "Alice" that
i can't do when i'm logged in as "Bob"?

  - Post articles with the author name Alice.

  - Use Alice's reputation rating.  (Only works if i trust the
    server that claims to know her reputation rating.)

  - What else?  Anything?


-- ?!ng
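
The signed link token suggested in the message above, as an added example that is not part of the original message or of Drupal's code. It assumes an HMAC with a per-origin shared key in place of the signature, and adds a destination name and issue time to the token; the hostnames, key and 60-second lifetime are constructed.

```python
import base64, hashlib, hmac, json, time

# Assumption: the destination Site holds one shared HMAC key per origin Site
# it trusts. Hostnames and key below are constructed for this example.
TRUSTED_ORIGINS = {"site-a.example": b"constructed-demo-key-for-site-a"}
MAX_AGE = 60  # seconds a link token stays valid (assumed policy)

def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(origin, userid, dest, key, now=None):
    """Origin Site: build the token to embed in a link to `dest`."""
    claims = {"origin": origin, "userid": userid, "dest": dest,
              "iat": int(time.time() if now is None else now)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify_token(token, my_site, trusted, now=None):
    """Destination Site: return (origin, userid), or None if rejected."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = b64d(p64), b64d(t64)
        claims = json.loads(payload)
        key = trusted[claims["origin"]]        # unknown origin -> KeyError
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                        # forged or altered token
        if claims["dest"] != my_site:
            return None                        # minted for a different Site
        if not 0 <= now - claims["iat"] <= MAX_AGE:
            return None                        # stale: copied from logs/Referer
        return claims["origin"], claims["userid"]
    except (ValueError, KeyError, TypeError):
        return None                            # malformed input

if __name__ == "__main__":
    key = TRUSTED_ORIGINS["site-a.example"]
    tok = make_token("site-a.example", "alice", "site-b.example", key)
    print("https://site-b.example/login?token=" + tok)
    print(verify_token(tok, "site-b.example", TRUSTED_ORIGINS))
```

The verifier returns the origin together with the userid so the destination can treat "alice" vouched for by one Site as distinct from "alice" vouched for by another. A token can still be replayed inside its validity window unless the destination also records the tokens it has already accepted.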