User:Clouserw/AMO/Auth

From MozillaWiki
Revision as of 20:59, 5 January 2012 by Clouserw

Current flow and challenges

The user is given a single button for login/register and a link underneath for admins/editors. Regular users click the "log in/register" button, go through the BrowserID flow, and are logged in. Privileged users click the link, are prompted with the local authentication form, and are logged in after that. This is a potentially confusing split for end users and also leads to two code paths, which I'd like to avoid. Security has made it a requirement that privileged users present an additional credential (subject to stricter requirements) before they are authenticated to AMO, so BrowserID on its own is not sufficient.

Proposed Solution

  1. User is shown a login/register button that launches BrowserID
  2. User authenticates with BrowserID (regular users are done at this point)
  3. If the user is privileged they are shown a second form with a single password field[1]
  4. User must authenticate here before they are allowed to continue. Failure to authenticate results in no session being created; until this step succeeds the server holds only a pending, BrowserID-verified identity, which must not be usable as a logged-in session.

This leaves a single branch out of the "normal" flow while fulfilling the additional requirements Security has requested.

[1] The single password field is for legacy reasons only. It would be possible to use other forms of verifying a user's identity here as well.
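The four steps above, worked through as an added Python example (this is illustration written for this page, not AMO/zamboni code). The BrowserID verifier is replaced by a constructed stub that only checks the audience, the user table and password hashes are constructed inline, and the names AuthServer, login, complete and PENDING_TTL are assumptions. The point it shows is the one step 4 requires: a privileged user who has passed BrowserID but not the second form holds a short-lived, single-use pending id and no session.

```python
"""BrowserID for everyone, then a step-up password for privileged users.

Added example, not AMO code. The verifier stub, user table, hashes and
the PENDING_TTL constant are constructed here for the demonstration.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PENDING_TTL = 300  # seconds a half-finished privileged login stays valid (assumption)


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2 for the legacy password. Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed user table: only editors/admins carry a local password hash.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {
    "alice@example.com": {"privileged": False},
    "editor@example.com": {"privileged": True, "salt": _SALT, "digest": _DIGEST},
}


def verify_browserid_assertion(assertion: str, audience: str) -> Optional[str]:
    """Constructed stand-in for the BrowserID verifier call.

    The real verifier checks the assertion's signature chain and audience;
    this stub only parses "email|audience" and checks the audience matches.
    """
    parts = assertion.split("|")
    if len(parts) != 2 or "@" not in parts[0] or parts[1] != audience:
        return None
    return parts[0]


class AuthServer:
    def __init__(self):
        self.sessions = {}  # session id -> {"email", "privileged"}
        self.pending = {}   # pending id -> {"email", "expires"}; never a session

    def login(self, assertion: str, audience: str, now: Optional[float] = None):
        """Steps 1-3: verify BrowserID; regular users get a session,
        privileged users get a pending id and are sent to the second form."""
        now = now if now is not None else time.time()
        email = verify_browserid_assertion(assertion, audience)
        if email is None or email not in USERS:
            return {"status": "denied"}
        if not USERS[email]["privileged"]:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"email": email, "privileged": False}
            return {"status": "ok", "session": sid}
        pid = secrets.token_urlsafe(32)
        self.pending[pid] = {"email": email, "expires": now + PENDING_TTL}
        return {"status": "password_required", "pending": pid}

    def complete(self, pending_id: str, password: str, now: Optional[float] = None):
        """Step 4: the second form. The pending id is consumed on the first
        attempt, so a wrong password, an unknown id or an expired id all end
        with no session and a restart from BrowserID."""
        now = now if now is not None else time.time()
        entry = self.pending.pop(pending_id, None)
        if entry is None or now > entry["expires"]:
            return {"status": "denied"}
        rec = USERS[entry["email"]]
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):
            return {"status": "denied"}
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"email": entry["email"], "privileged": True}
        return {"status": "ok", "session": sid}


if __name__ == "__main__":
    srv = AuthServer()
    first = srv.login("editor@example.com|amo.example", "amo.example")
    print(first["status"], "sessions so far:", len(srv.sessions))
    print(srv.complete(first["pending"], "wrong")["status"], "sessions:", len(srv.sessions))
```

The pending id is deliberately separate from the session store, so no request handler can mistake a half-finished privileged login for a logged-in editor; binding it to the BrowserID-verified email and expiring it keeps the second form from being replayed against a different identity later.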