New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support account recovery via email? (email uniqueness) #128
Comments
If someone wants to register multiple subdomains it could be noted that with plus sign in email address it is possible to have multiple unique email addresses with a single mailbox (not all mail servers support this). |
Ahh, good point. So then, uniqueness would only be needed in the case of oidc login with email (instead of username). |
First of all , I would challenge an assumption..in """If we do decide to support that functionality, we will also need to Enforce the uniqueness of account emails. Specifically, an email has to resolve to a unique user account. (Otherwise, if multiple accounts have the same email, how will the server know which account to send a reset link for?)""" a) Many users may end up with multiple accounts especially during testing and asking people to experiment. |
And yes I think we should provide login with email or username. That is the current thing to do. A username is faster for people who do it all the time, a email is easier for people who do this occasionally and can't keep track of all their usernames easily of their many accounts. |
What usually happens is that if one has a login with email then one gets a username/password to login to that server. In that case, in order to make things as machine friendly as possible, it would be good to have a username/password access control mechanism. There exists one already in the HTTP-Standard, namely So for example, and as a first thought, one could have an ACL that is read only by the user of the password that contains something like [] acl:accessTo <>;
acl:mode acl:Write, acl:Read;
acl:agent [
foaf:account [
foaf:accountName "alice";
foaf:accountServiceHomePage <http://alice.databox.me/>;
passwordHash "cafebabe" // <- probably not the right place to put this
]
]. For the password one could either:
Even if 2) does not work out, it would be good if a client on reading the ACL (when allowed) could work out that it can access a given file with a password. First the client would know that he can log in with a password, because in addition to other modes of authentication, the server would return a Perhaps this should be developed in its own issue... Let me know. |
Context
Account Names
A User Account is what gets created when a user goes through the signup process on a Solid server running in Multi-User (identity provider) mode.
A user account typically:
alice.databox.me
). In that example,alice
would be the account name -- uniquely identifies that user on a given provider.Also, (at least on
node-solid-server
), you can discover a user's WebID URI given their account domain name (see nodeSolidServer/node-solid-server#359).Account Emails
The Signup app prompts the user to enter an account name, but also an email that's associated with the account, and used for account recovery. These are stored in the account's root ACL resource (e.g.
https://alice.databox.me/.acl
), as a statementacl:agent <mailto:alice@alice.com>
.Account Recovery
The Account Recovery page currently prompts the user to enter their account name. It then constructs and loads the root .acl, parses the account email out of it, and sends them a recovery email. (This is either to recover their WebID-TLS certificate, or in the upcoming WebID-OIDC feature, to recover their account passwords.)
If the account does not have an email associated with it (and stored in its root .acl), it cannot be recovered by the user (they must contact the service provider out of band).
The Problem
What if the user forgot their account name? (This has happened several times in practice, on databox). Should we support account recovery by the user entering their account email (if they forgot their account name)? This is basically the ubiquitous 'Forgot your username?' link on login pages everywhere.
If we do decide to support that functionality, we will also need to Enforce the uniqueness of account emails. Specifically, an email has to resolve to a unique user account. (Otherwise, if multiple accounts have the same email, how will the server know which account to send a reset link for?)
The other issue influencing whether or not we should enforce email uniqueness is the upcoming WebID-OIDC integration (which will involve users signing in with a username and password as one of their authentication options). If we are to support user logins with either emails or account names (as is the case with most modern service providers -- Yahoo, Google, Twitter, Facebook, Github, Dropbox, etc etc), we will also need to enforce that an email resolves to only one user account.
Open Questions:
The text was updated successfully, but these errors were encountered: