Anonymous user
Authentication integration: Difference between revisions
no edit summary
imported>Paulproteus No edit summary |
No edit summary |
||
Line 8:
* Users only have to authenticate once to all (web) services within openhatch.org.
* Simple implementation.
* Users can't impersonate other users.
* Even if the forum is compromised, it's not totally trivial for the forum admin to impersonate OpenHatch users to other openhatch.org applications (especially openhatch.org itself).
* Applications outside openhatch.org should not be able to use this system to gain information about users. (They might be able to use ''other'' mechanisms, but not this one.)
* These applications don't have to be particularly securely maintained. (Specifics...?)
Line 14 ⟶ 16:
m_stone's notes:
* You should plan to rotate authenticators.▼
* Maybe use separate HMAC keys for separate "apps"?
* I'm a bit nervous about having splittable cookies. Maybe add an index cookie? (fun link: [http://wiki.laptop.org/go/Canonical_JSON canonical json])
Line 59 ⟶ 60:
** We can fix this by constraining usernames on the Django side to be case-insensitively unique.
*** Right now, Django usernames [http://code.djangoproject.com/ticket/2273 seem to be case sensitive].
▲* me_stone says, "You should plan to rotate authenticators [keys for the hash]."
** Asheesh says, "Okay, fine. We should revisit this in September, 2011, and probably rotate them. (That's one year from now.)"
Some usability issues:
| |||