[cgiapp] what i'd like to be doing: new authn/authz thoughts

Ricardo SIGNES rjbs-perl-cgiapp at lists.manxome.org
Fri Oct 19 19:37:01 EDT 2007

* Michael Peters <mpeters at plusthree.com> [2007-10-19T19:28:20]
> > I've been wondering if the correct approach for handling this is to log in
> > using only your OpenID, and then let you choose a profile from among those
> > available.  "profile" would replace the traditional "user" concept.  Most
> > users would only have one profile, and that would be that.
> You definitely could keep data about your users. Whether you call it a
> profile or not is not really critical. Most systems that allow OpenID also
> allow people to create normal accounts, so it's probably not common to
> completely throw away the concept of a user.

Yeah, mostly I'm wondering whether the issue is that user is still really
needed, and whether these sites have insufficiently embraced the revolution. :)

> >   http://wishlist.xyz.zy/wishlist/rjbs
> >   http://wishlist.xyz.zy/wishlist/mjs
> These aren't usernames in your URLs they are ids. It just so happens that in
> your system they have the same values. The id in the url doesn't mean they
> are logged in as that person. Or at least it shouldn't. I would think you'd
> be able to look at the wish lists of people who aren't you.

Yes, absolutely, and I didn't ever mean to imply that you had to be logged in
as X to see /wishlist/X -- quite the opposite!  I want a nice short identifier
like that in order to make the URL comfy to give to others.

The question is: if that is not a username, what is it?  Is it a unique
identifier associated with your user?  Well, six of one...

Or maybe it's a unique identifier associated with the wishlist resource.  The
problem there is that it's less trivial then to do things like produce a URL
showing me the profile of the user:


...or the user's group memberships:


...and so on.  There's a lot to be said about a simple unique name for a user.
It isn't a necessity -- you could just use a number or guid, if there is no
username -- but it seems like the rel'n is that a user can have either zero or
one username.

> > I know this is sort of a ramble, but it's something I'm thinking about now
> > and then.  Any other thoughts?
> Don't confuse who's logged in with what id is on the URL. Obviously what a
> person can do on that same page will be different if they are logged in and
> it's their profile (or a profile in their group).

Definitely not.  As I say in another email replying to, I think, Aristotle,
the place of the identifier both in the URL and in "state" is a big deal to me.
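As an added illustration (not code from this thread or from CGI::Application; written in Python with constructed sample data), one way to keep "which wishlist the URL names" separate from "who is logged in", with the zero-or-one-username rule applied, and derive what the session may do from both:

```python
# Added example (not from the thread or CGI::Application): keep "who is logged
# in" (the session) separate from "which wishlist the URL names" (the ident),
# and derive permissions from both. All sample data is constructed.
from dataclasses import dataclass, field
from typing import Optional, FrozenSet, Set

@dataclass(frozen=True)
class User:
    id: int
    openid: str
    username: Optional[str] = None       # a user has zero or one username
    groups: FrozenSet[str] = field(default_factory=frozenset)

# Constructed sample users: two with short usernames, one with none.
USERS = {
    1: User(1, "https://rjbs.example/", "rjbs", frozenset({"family"})),
    2: User(2, "https://mjs.example/", "mjs", frozenset({"family"})),
    3: User(3, "https://anon.example/"),
}

def canonical_path(user: User) -> str:
    """Short URL for a user's wishlist: username if they have one, else the id."""
    return f"/wishlist/{user.username if user.username is not None else user.id}"

def resolve_ident(ident: str) -> Optional[User]:
    """Map the <ident> in /wishlist/<ident> to its owner (username first, then
    numeric id). The URL alone never says who is logged in."""
    for u in USERS.values():
        if u.username is not None and u.username == ident:
            return u
    if ident.isdigit():
        return USERS.get(int(ident))
    return None

def permissions(session_user_id: Optional[int], ident: str) -> Set[str]:
    """Actions the current session may take on the wishlist named by ident."""
    owner = resolve_ident(ident)
    if owner is None:
        return set()
    perms = {"view"}                      # wishlists are readable by anyone
    viewer = USERS.get(session_user_id) if session_user_id is not None else None
    if viewer is None:
        return perms                      # anonymous, or a stale session id
    if viewer.id == owner.id:
        perms |= {"edit", "delete"}       # it's their own profile/wishlist
    elif viewer.groups & owner.groups:
        perms.add("comment")              # a profile in their group
    return perms
```

The identifier in the path only selects the resource; the session alone decides whether the viewer is the owner, a group member, or just a visitor.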

