Index: openacs-4/packages/acs-core-docs/www/ext-auth-requirements.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/ext-auth-requirements.html,v diff -u -r1.40 -r1.41 --- openacs-4/packages/acs-core-docs/www/ext-auth-requirements.html 27 Oct 2014 16:39:18 -0000 1.40 +++ openacs-4/packages/acs-core-docs/www/ext-auth-requirements.html 7 Aug 2017 23:47:49 -0000 1.41 @@ -1,5 +1,5 @@ -External Authentication Requirements

External Authentication Requirements

Vision

People have plenty of usernames and passwords already, we +External Authentication Requirements

External Authentication Requirements

Vision

People have plenty of usernames and passwords already, we don't want them to have yet another. We want people to be able to log in to OpenACS with the same password they use to log in to any other system.

Besides, administrators have better things to do than create @@ -45,7 +45,7 @@ only one implementation of the authentication API, namly the one included in OpenACS Core.

  • Authentication Driver API: The service contract which authentication drivers implement.

  • Conceptual Pictures

    Authentication:

    -

    Account Management (NO PICTURE YET)

    Batch Synchronization (NO PICTURE YET)

    Requirements

    New API

    FeatureStatusDescription
    New API
    EXT-AUTH-01AExtend Authentication/Acct Status API
    EXT-AUTH-03AAccount Creation API
    EXT-AUTH-05APassword Management API
    EXT-AUTH-30AAuthority Management API

    Login

    FeatureStatusDescription
    Login
    EXT-AUTH-04ARewrite login, register, and admin pages to use APIs
    EXT-AUTH-38Aad_form complain feature
    EXT-AUTH-19ARewrite password recovery to use API
    EXT-AUTH-21ARewrite email verification with API
    EXT-AUTH-28AUsername is email switch

    Users will log in using a username, a authority, and a +

    Account Management (NO PICTURE YET)

    Batch Synchronization (NO PICTURE YET)

    Requirements

    New API

    FeatureStatusDescription
    New API
    EXT-AUTH-01AExtend Authentication/Acct Status API
    EXT-AUTH-03AAccount Creation API
    EXT-AUTH-05APassword Management API
    EXT-AUTH-30AAuthority Management API

    Login

    FeatureStatusDescription
    Login
    EXT-AUTH-04ARewrite login, register, and admin pages to use APIs
    EXT-AUTH-38Aad_form complain feature
    EXT-AUTH-19ARewrite password recovery to use API
    EXT-AUTH-21ARewrite email verification with API
    EXT-AUTH-28AUsername is email switch

    Users will log in using a username, a authority, and a password. The authority is the source for user/password verification. OpenACS can be an authority itself.

    Each user in OpenACS will belong to exactly one authority, which can either be the "local" OpenACS users table, in which case the @@ -117,9 +117,9 @@ the "local" authority, meaning we'll authenticate as normal using the local users table. This will, just like any other authority, be implemetned using a service contract.

    Synchronizing -and Linking Users

    FeatureStatusDescription
    Synchronizing and linking users
    EXT-AUTH-28ACreate service contract for Batch Sync.
    EXT-AUTH-38ABatch User Synchronization API
    EXT-AUTH-38AIMS Synchronization driver
    EXT-AUTH-08AAutomation of batch Synchronization
    EXT-AUTH-15BOn-demand syncronization

    Regardless of the login method, the user needs to have a row +and Linking Users

    FeatureStatusDescription
    Synchronizing and linking users
    EXT-AUTH-28ACreate service contract for Batch Sync.
    EXT-AUTH-38ABatch User Synchronization API
    EXT-AUTH-38AIMS Synchronization driver
    EXT-AUTH-08AAutomation of batch Synchronization
    EXT-AUTH-15BOn-demand synchronization

    Regardless of the login method, the user needs to have a row in the OpenACS users table. This can happen through a batch job, in -real-time, or both in combination. We use the IMS Enterprise 1.1 specification.

    Batch job means that we do a synchronization (import new +real-time, or both in combination. We use the IMS Enterprise 1.1 specification.

    Batch job means that we do a synchronization (import new users, modify changed, purge deleted) on a regular interval, e.g. every night. You can also decide to have a monthly full synchronization, plus daily incremental ones. That's up to you. The @@ -221,7 +221,7 @@ site configured to expire people's login after e.g. 2, 4, or 8 hours.

    The other advantage is that we can still offer certain functionality to you, even when your login is not trusted. For -example, we could let you browse publically available forums, and +example, we could let you browse publicly available forums, and only when you want to post do you need to log in. This makes it even more feasible to have a more secure login expiration setting.

    By default, auth::require_login would @@ -368,12 +368,11 @@ in Python can be found in the exUserFolder module for Zope -(documentation).

    Feedback

    We'd really appreciate feedback on this proposal. Please -follow up at +(documentation).

    Feedback

    We'd really appreciate feedback on this proposal. Please follow up at this -openacs.org forums thread.

    References

    References

    Revision History

    Document Revision #Action Taken, NotesWhen?By Whom?
    1Updated work-in-progress for consortium-sponsored ext-auth work at Collaboraid.20 Aug 2003Joel Aufrecht
    View comments on this page at openacs.org
    +CAS, a central authentication service a' la + Passport.

    Revision History

    Document Revision #Action Taken, NotesWhen?By Whom?
    1Updated work-in-progress for consortium-sponsored ext-auth work at Collaboraid.20 Aug 2003Joel Aufrecht