#424: Nicknames Vs. email addresses to be the master identifier in external
authentication
--------------------------+-------------------------------------------------
Reporter: skaplun | Owner: skaplun
Type: enhancement | Status: new
Priority: major | Milestone: v1.1
Component: WebSession | Version:
Resolution: | Keywords: external authentication
--------------------------+-------------------------------------------------
Comment (by skaplun):
One issue I see arising is for installations that have multiple external
authentication methods.
* Suppose each method is providing a different way to identify (possibly
different than the email), say A is using idA and B is using idB.
* Now, suppose a user has set up the same email, emailA in A and emailA in
B.
* The first time he logs in to Invenio using method A, a new local account
is created for the user, associating him with external idA for method A and
with local id as emailA.
* Then he logs in using method B as well, and since method B is sporting
the same emailA, the user is recognized to be the same, and hence the same
local account emailA is mapped to external method B with idB.
* Finally the user changes his email in B to emailB and then tries to log
in to Invenio using B. What happens is that emailB is considered as a new
email, and the local account for the user is updated to use emailB. This is
provided the user hadn't already registered into Invenio with another
method using emailB.
* If the user then logs in again using method A, the email will be switched
back to emailA, and potentially there might be a ping-pong effect.
Would this be a problem? I can imagine the user having used a personal
account in emailA and e.g. a service account in emailB (which is used e.g.
by several people - this should not happen but how to avoid it?).
Of course this should be a rare situation...
Moreover, what to do in an environment where authentication methods
change? E.g. when a new method is introduced, while before everything was
local. Take e.g. this other use case:
* user registered locally using emailA with idA
* user registered locally using emailB with idB
* new external method is introduced
* user is using emailA in the external method which identifies him as X
and the first time he logs in using the external method, the external
method id X is associated with idA.
* the user changes the email in the external provider and switches to use
emailB.
* then user logs into Invenio using again the external method. The user is
recognized again as X, and the new emailB is noticed. However emailB is
locally associated to idB, that was thought to be a different user by
Invenio.
* The solution here should be to merge the local idA and idB users (by
updating any table), and then delete idA.
Would this be the safest and most correct solution?
--
Ticket URL: <http://invenio-software.org/ticket/424#comment:1>
Invenio <http://invenio-software.org>
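The two use cases in the comment above, replayed against a small in-memory model. This is an added example, not Invenio's code: the `Directory` class, its `login_email_master` / `login_extid_master` methods and the scenario functions are hypothetical names chosen here. Policy 1 treats the email reported by the external method as the master identifier, as the ticket describes, and reproduces the ping-pong; policy 2 treats the (method, external id) pair as the stable key, keeps emails as attributes of the account, and merges a conflicting local account. Which side of a merge survives is a design choice; this model keeps the account already linked to the external id, whereas the ticket proposes deleting idA.

```python
# Toy model of the account-linking policies discussed in ticket #424.
# Added example, not Invenio code.  All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    uid: int
    primary: str                                # primary email of the account
    emails: set = field(default_factory=set)    # every email known for the account
    links: dict = field(default_factory=dict)   # method -> external id


class Directory:
    def __init__(self):
        self.users = {}      # uid -> LocalUser
        self.by_email = {}   # email -> uid (aliases are indexed too)
        self.by_link = {}    # (method, ext_id) -> uid
        self.next_uid = 1
        self.merges = []     # (kept_uid, deleted_uid) audit trail

    def register_local(self, email):
        user = LocalUser(self.next_uid, email, {email})
        self.next_uid += 1
        self.users[user.uid] = user
        self.by_email[email] = user.uid
        return user.uid

    def _link_or_create(self, method, ext_id, email):
        """First login with this external id: attach it to the account that
        owns the email, or create a fresh account.  Shared by both policies."""
        uid = self.by_email.get(email)
        if uid is None:
            uid = self.register_local(email)
        self.by_link[(method, ext_id)] = uid
        self.users[uid].links[method] = ext_id
        return uid

    def login_email_master(self, method, ext_id, email):
        """Policy 1 (the behaviour described in the ticket): the email sent by
        the external method overwrites the local one whenever it is free."""
        uid = self.by_link.get((method, ext_id))
        if uid is None:
            return self._link_or_create(method, ext_id, email)
        user = self.users[uid]
        if email != user.primary and email not in self.by_email:
            del self.by_email[user.primary]
            user.primary = email
            user.emails = {email}
            self.by_email[email] = uid
        return uid

    def login_extid_master(self, method, ext_id, email):
        """Policy 2: the external id is the stable key.  A new email becomes an
        alias; if another local account already owns it, that account is
        merged into this one (the ticket's second use case)."""
        uid = self.by_link.get((method, ext_id))
        if uid is None:
            return self._link_or_create(method, ext_id, email)
        user = self.users[uid]
        if email in user.emails:
            return uid
        other = self.by_email.get(email)
        if other is not None and other != uid:
            self._merge(keep=uid, drop=other)
        else:
            user.emails.add(email)
            self.by_email[email] = uid
        return uid

    def _merge(self, keep, drop):
        """Fold account `drop` into `keep`: re-point every email and external
        link ("updating any table"), then delete `drop`."""
        dropped = self.users.pop(drop)
        kept = self.users[keep]
        for email in dropped.emails:
            kept.emails.add(email)
            self.by_email[email] = keep
        for method, ext_id in dropped.links.items():
            self.by_link[(method, ext_id)] = keep
            kept.links.setdefault(method, ext_id)
        self.merges.append((keep, drop))


def pingpong_scenario(policy):
    """First use case: A and B both carry emailA, then B switches to emailB
    and the user alternates logins.  Returns the primary email after each
    of the three later logins under 'email_master' or 'extid_master'."""
    d = Directory()
    login = getattr(d, "login_" + policy)
    login("A", "idA", "emailA")
    login("B", "idB", "emailA")
    trace = []
    for method, ext_id, email in (("B", "idB", "emailB"),
                                  ("A", "idA", "emailA"),
                                  ("B", "idB", "emailB")):
        uid = login(method, ext_id, email)
        trace.append(d.users[uid].primary)
    return trace


def merge_scenario():
    """Second use case: two local accounts, then external identity X presents
    emailA first and emailB later.  Returns (uid, surviving uids, emails, merges)."""
    d = Directory()
    d.register_local("emailA")   # idA in the ticket -> uid 1
    d.register_local("emailB")   # idB in the ticket -> uid 2
    d.login_extid_master("ext", "X", "emailA")
    uid = d.login_extid_master("ext", "X", "emailB")
    return uid, sorted(d.users), sorted(d.users[uid].emails), d.merges


if __name__ == "__main__":
    print("email master :", pingpong_scenario("email_master"))
    print("ext-id master:", pingpong_scenario("extid_master"))
    print("merge        :", merge_scenario())
```

Under policy 1 the primary email flips between emailA and emailB on every alternate login, which is exactly the ping-pong the comment anticipates; under policy 2 the primary email is never rewritten by a provider, so it stays at emailA while emailB is recorded as an alias. The merge in the second scenario is only as trustworthy as the provider's email verification: because it joins two local accounts on the strength of an email the external method asserts, a deployment should confirm that the provider verifies address ownership before enabling automatic merging, and should keep the merge audit trail persistently rather than in memory as this model does.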