
TAs should be able to login from multiple locations as the same person. #82

Closed
pwightman opened this Issue Jan 16, 2013 · 2 comments

Owner

pwightman commented Jan 16, 2013

No description provided.

This probably needs Devise to provide a central model, in which clients can be added.

There are 2 common conventions, each with drawbacks:

Associated Accounts

Through this process, people have to sign in, then they can add providers to control auth to their accounts.

Advantages

  • Secure: every provider is authentic, and the user controls them. Another user can't sign up an account in their name/email and get access
    • Not generally a problem with services that provide verification, like Twitter/GitHub
  • Explicit: The user knows exactly how to get into their account, and if an external provider is compromised they can void its access

Disadvantages

  • Cumbersome: The user has to go into their control panel to add a new account.
  • Not simplistic: see above

Examples

  • Stack Overflow
  • Yahoo

Automatic association

This is the simpler process, in which someone coming from a provider we've never seen before is compared to existing users based on email, and if there is a match, the new OAuth account is associated with the existing user.

Advantages

  • Simple: The user just clicks the GitHub/Twitter/Google/Facebook/Reddit/etc. button and is signed in, after going through the OAuth handshake. No preference panes
  • Fast: can make logins tremendously easy

Disadvantages

  • Insecure: As I outlined earlier, this can be compromised, although with large services, the risk is low
  • Implicit: No easy way to revoke access (and keep it revoked)

Examples

  • Imgur
  • Lighthouse
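The two conventions above, side by side, as an added example in plain Ruby (not code from the TA Queue project or from Devise): the "associated" strategy never attaches a new provider by itself, while the "automatic" strategy links on an email match, with an extra check that the provider asserted the email as verified before any auto-link happens. The OmniAuth-style hash keys, the `User`/`Identity` structs and the `email_verified` field are assumptions.

```ruby
require 'securerandom'

# Constructed in-memory model (assumption, stands in for the Devise User).
User     = Struct.new(:id, :email, :identities)   # identities: array of Identity
Identity = Struct.new(:provider, :uid)

# Resolves an OAuth callback into one of :signed_in, :linked, :link_required,
# :created. :link_required means "sign in with what you already have, then
# add this provider from your account settings".
class AccountLinker
  def initialize(users, strategy:)
    @users = users          # constructed user table, mutated in place
    @strategy = strategy    # :associated or :automatic
  end

  # auth mimics an OmniAuth auth hash: provider, uid, info: {email, email_verified}
  # (email_verified is an assumed field; not every provider supplies one).
  def resolve(auth)
    provider, uid = auth[:provider], auth[:uid]
    # 1. A provider identity we have already stored wins under both strategies.
    known = @users.find { |u| u.identities.any? { |i| i.provider == provider && i.uid == uid } }
    return [:signed_in, known] if known

    email = auth.dig(:info, :email)&.downcase
    by_email = email && @users.find { |u| u.email == email }

    case @strategy
    when :associated
      # Explicit model: an email match alone never grants access; the user
      # must authenticate with an existing credential and add the provider.
      return [:link_required, by_email] if by_email
    when :automatic
      # Implicit model: link on email match. This is the insecure case from
      # the comment: anyone who registers the victim's email at a provider
      # that does not verify it would be linked in. Requiring the provider's
      # verified-email assertion is the minimal check before auto-linking.
      if by_email
        return [:link_required, by_email] unless auth.dig(:info, :email_verified)
        by_email.identities << Identity.new(provider, uid)
        return [:linked, by_email]
      end
    end

    # No match on identity or email: a fresh account for this provider login.
    user = User.new(SecureRandom.uuid, email, [Identity.new(provider, uid)])
    @users << user
    [:created, user]
  end
end
```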

@pwightman pwightman closed this in a6d6204 Jan 16, 2013

Owner

pwightman commented Jan 16, 2013

The TA Queue is kind of doing its own thing in terms of logins. Logging in just means you are being created in the DB, and logging out removes you from the DB, so it's all very transient. This decision was made based on a number of factors not worth enumerating here. Thank you for your input, though, as that advice has lots of application outside of this case.
