User:Clouserw/AMO/Auth: Difference between revisions
Revision as of 21:00, 5 January 2012
Current flow and challenges
Users are given a single button for login/register and, underneath it, a link for admins/editors. Regular users click the "log in/register" button, go through the BrowserID flow, and are logged in. Privileged users click the link, are prompted with the local authentication form, and are logged in once they complete it. This split is potentially confusing for end users and also leaves two code paths, which I'd like to avoid. Security has made it a requirement that privileged users present an additional authentication token (one with stricter requirements) before they are authenticated to AMO, so BrowserID alone is not sufficient.
Proposed Solution
- Users are shown a single login/register button that launches BrowserID
- The user authenticates with BrowserID (regular users are done at this point)
- If the user is privileged, they are shown a second form with a single password field[1]
- The user must authenticate here before they are allowed to continue. Failing this step results in no session being created.
This gives us a single branch out of the "normal" flow while fulfilling the additional requirements Security has requested.
[1] The single password field is for legacy reasons only. Other ways of verifying a user's identity could be used here as well.
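The flow above, as an added example that is not AMO's own code: BrowserID is the only entry point, regular users get a session straight away, and privileged users get a short-lived, single-use "pending" record instead of a session until the local password check passes. The BrowserID verifier is stood in for by a constructed callable (the real service is a remote HTTPS verifier, which is not reachable offline), the audience string, user records and passwords are made up for the example, and the pending-record and session stores are in-memory dicts where AMO would use its database and session backend.

```python
"""Two-stage login: BrowserID for everyone, then a local password for privileged users.

Added example, not AMO code. The verifier, audience, users and passwords below
are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

AUDIENCE = "https://addons.example.org"       # assumed audience for the assertion
ADMIN_PASSWORD = "correct horse battery staple"  # constructed test password
PBKDF2_ROUNDS = 100_000
PENDING_TTL_SECONDS = 300  # how long a half-finished privileged login may sit


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(privileged: bool, password: Optional[str] = None) -> dict:
    """Constructed user record; only privileged users carry a local password hash."""
    if privileged and password is None:
        raise ValueError("privileged users need a local password")
    salt = secrets.token_bytes(16)
    return {"privileged": privileged, "salt": salt,
            "pw_hash": hash_password(password, salt) if privileged else None}


class AuthFlow:
    def __init__(self, users: Dict[str, dict],
                 verify_assertion: Callable[[dict, str], Optional[str]],
                 now: Callable[[], float] = time.time):
        self.users = users
        self.verify_assertion = verify_assertion
        self.now = now
        self.pending: Dict[str, tuple] = {}   # pending_token -> (email, expires_at)
        self.sessions: Dict[str, str] = {}    # session_id -> email

    def begin(self, assertion: dict, audience: str) -> dict:
        """Step 1: BrowserID. Regular users are done here; privileged users are not."""
        email = self.verify_assertion(assertion, audience)
        if email is None or email not in self.users:
            return {"status": "failed"}
        if not self.users[email]["privileged"]:
            return {"status": "logged_in", "session": self._create_session(email)}
        # No session yet: only an opaque, expiring, single-use pending record.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, self.now() + PENDING_TTL_SECONDS)
        return {"status": "needs_second_factor", "pending_token": token}

    def complete(self, pending_token: str, password: str) -> dict:
        """Step 2: local password. Any failure leaves no session behind."""
        entry = self.pending.pop(pending_token, None)   # consumed on success and failure
        if entry is None:
            return {"status": "failed"}
        email, expires_at = entry
        if self.now() > expires_at:
            return {"status": "failed"}
        user = self.users[email]
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return {"status": "failed"}
        return {"status": "logged_in", "session": self._create_session(email)}

    def _create_session(self, email: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid


def fake_verify_assertion(assertion: dict, audience: str) -> Optional[str]:
    """Stand-in for the BrowserID verifier (assumption: real deployments call the
    remote verifier). Mirrors its shape: an 'okay' status bound to our audience."""
    if assertion.get("status") != "okay" or assertion.get("audience") != audience:
        return None
    return assertion.get("email")


def build_demo_flow() -> AuthFlow:
    """Constructed users: one regular account, one privileged account."""
    users = {
        "user@example.com": make_user(privileged=False),
        "admin@example.com": make_user(privileged=True, password=ADMIN_PASSWORD),
    }
    return AuthFlow(users, fake_verify_assertion)


def assertion_for(email: str, audience: str = AUDIENCE) -> dict:
    return {"status": "okay", "email": email, "audience": audience}


if __name__ == "__main__":
    flow = build_demo_flow()
    print(flow.begin(assertion_for("user@example.com"), AUDIENCE)["status"])
    step1 = flow.begin(assertion_for("admin@example.com"), AUDIENCE)
    print(step1["status"], flow.complete(step1["pending_token"], "wrong")["status"])
```

The point the example makes concrete is the last bullet: between the two steps the server holds only a pending record, never a session, so a failed or abandoned password step leaves nothing to hijack. Because `complete` is the only place the second factor is checked, swapping the legacy password field for another verifier (as footnote [1] allows) is a local change.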