[Wt-interest] About OAuth module: several questions
Aarón Bueno Villares
2016-03-30 23:02:22 UTC
First of all, sorry for my English. Second, because this email will have
several questions about the use of that module, I want to contextualize
my situation a bit:

A) It's the first time I deploy an "OAuth" module in a web site.
B) I'm using the ODB library instead of Wt::Dbo. So, I have to
implement my own user database.
C) The Wt version I'm using is 3.3.4.
D) I haven't implemented anything related to authentication yet. I'm
still in a "researching stage", so I cannot test things yet.

Reading the Google OAuth documentation and comparing it with what I have
understood from the Wt::Auth::GoogleService implementation, Wt uses the
OAuth protocol to get authorization for getting identity information, and
the Google OpenID protocol to finally fetch that information previously
authorized. My question is about versions, because I know that Wt uses
OAuth 2 for authorization, but OpenID 2.0, which is deprecated (Google now
uses OpenID Connect), for getting the identity and the email. The thing is
that some features (URLs) of these deprecated APIs are currently off, and I
don't know if I need a more recent version of Wt to make the GoogleService
class work.

Finally, the database and remember-me related questions:

A) Which info is taken as "identity": the email or the personal name
retrieved from Google? And when connecting through Facebook?

B) In the second case, when the "name" is used as identity and a user
changes his Google/Facebook personal name, what does Wt do when a user
changes his name but the e-mail matches? Does it automatically change the
identity name?

C) When you enable remember-me functionality and the user logs in again,
does Wt connect to the "suitable" service to know if the user identity is
still valid? Or is the "remember-me" cookie enough to authenticate the user
until it expires? By suitable service I mean the service (password, Google
or Facebook) the user used to connect the last time the user checked the
"remember-me" button.

D) If a user logs out, are the "remember-me" cookies deleted, or do I
have to erase them manually? Because if the user disconnects and connects
again using a different means, there would be more than one "remember-me"
cookie.

Best regards,
Peregring-lk.
Koen Deforche
2016-03-31 20:38:48 UTC
Hey,
Post by Aarón Bueno Villares
First of all, sorry for my English. Second, because this email will have
several questions about the use of that module, I want to contextualize
A) It's the first time I deploy an "OAuth" module in a web site.
B) I'm using the ODB library instead of Wt::Dbo. So, I have to
implement my own user database.
C) The Wt version I'm using is 3.3.4.
D) I haven't implemented anything related to authentication yet. I'm
still in a "researching stage", so I cannot test things yet.
Reading the Google OAuth documentation and comparing it with what I have
understood from the Wt::Auth::GoogleService implementation, Wt uses the
OAuth protocol to get authorization for getting identity information, and
the Google OpenID protocol to finally fetch that information previously
authorized. My question is about versions, because I know that Wt uses
OAuth 2 for authorization, but OpenID 2.0, which is deprecated (Google now
uses OpenID Connect), for getting the identity and the email. The thing is
that some features (URLs) of these deprecated APIs are currently off, and I
don't know if I need a more recent version of Wt to make the GoogleService
class work.
As far as I understand, Google uses OAuth 2.0 and OpenID Connect. But
OpenID Connect has little or nothing to do with classical OpenID (which was
kind of a disaster). Instead, OpenID Connect is in fact 'use OAuth 2.0 to
retrieve identity information'. This is indeed exactly what we implement in
Wt.

I just checked to make sure, and indeed, Wt's implementation still works
with Google.

Post by Aarón Bueno Villares
A) Which info is taken as "identity": the email or the personal name
retrieved from Google? And when connecting through Facebook?
It's in fact the 'identity', which is an opaque string returned by Google
(or Facebook) that is neither the email nor the personal name.

Post by Aarón Bueno Villares
B) In the second case, when the "name" is used as identity and a user
changes his Google/Facebook personal name, what does Wt do when a user
changes his name but the e-mail matches? Does it automatically change the
identity name?
Since we use some 'account identity', I expect it not to change when the
user changes his personal information.

Post by Aarón Bueno Villares
C) When you enable remember-me functionality and the user logs in again,
does Wt connect to the "suitable" service to know if the user identity is
still valid? Or is the "remember-me" cookie enough to authenticate the user
until it expires? By suitable service I mean the service (password, Google
or Facebook) the user used to connect the last time the user checked the
"remember-me" button.
No, we do not connect back to the primary identity source. That's a good
question, actually, and I hadn't considered this. I'm not entirely sure
whether we should, since we really use the cookie as a (weak) substitution
for the primary authentication.

Post by Aarón Bueno Villares
D) If a user logs out, are the "remember-me" cookies deleted, or do I
have to erase them manually? Because if the user disconnects and connects
again using a different means, there would be more than one "remember-me"
cookie.
The cookie gets deleted.

Koen
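
The two answers above (identity is the provider's opaque account identifier, not the e-mail or name; the remember-me cookie is a weak substitute for the primary login and is not re-checked against the provider) as an added example. This is not Wt's code and not code from anyone in the thread; it is a small stand-in for the user database the poster has to write with ODB. The class and function names (`AuthStore`, `IdClaims`, `login_with_oidc`, `login_with_cookie`), the issuer URLs and every `sub`, e-mail and token value are assumptions constructed for illustration.

```python
"""Added example, not Wt's code: keying a federated login on the OpenID Connect
subject identifier and treating the remember-me cookie as a revocable token.
All issuers, claims and tokens are constructed for illustration."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class IdClaims:
    """The subset of an ID token / userinfo response that matters here.
    A real deployment verifies the token signature, issuer, audience and
    expiry before trusting any of these fields."""
    issuer: str   # e.g. "https://accounts.google.com" (assumed value)
    sub: str      # opaque, stable per (issuer, client): this is the identity
    email: str    # profile data: may change or be reused, not an identity
    name: str     # profile data: may change at any time


@dataclass
class User:
    user_id: int
    display_name: str
    email: str


def _hash_token(token: str) -> str:
    """Cookie tokens are stored hashed so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class AuthStore:
    """Minimal in-memory stand-in for an application's own user database."""

    def __init__(self, remember_me_ttl: int = 14 * 24 * 3600) -> None:
        self._users: Dict[int, User] = {}
        # (issuer, sub) -> user_id: the only key used to recognise a returning user
        self._identities: Dict[Tuple[str, str], int] = {}
        # sha256(token) -> (user_id, issuer, expires_at)
        self._remember: Dict[str, Tuple[int, str, int]] = {}
        self._ttl = remember_me_ttl

    def user(self, user_id: int) -> User:
        return self._users[user_id]

    def login_with_oidc(self, claims: IdClaims) -> int:
        """Find or create the local user for this federated identity."""
        key = (claims.issuer, claims.sub)
        user_id = self._identities.get(key)
        if user_id is None:
            user_id = len(self._users) + 1
            self._users[user_id] = User(user_id, claims.name, claims.email)
            self._identities[key] = user_id
        else:
            # Profile fields are refreshed; the identity link itself does not move,
            # so a renamed Google/Facebook account is still the same local user.
            self._users[user_id].display_name = claims.name
            self._users[user_id].email = claims.email
        return user_id

    def issue_remember_me(self, user_id: int, issuer: str, now: int) -> str:
        """Return the cookie value; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        self._remember[_hash_token(token)] = (user_id, issuer, now + self._ttl)
        return token

    def login_with_cookie(self, token: str, now: int,
                          revalidate: Optional[Callable[[int, str], bool]] = None
                          ) -> Optional[int]:
        """Return the user_id for a valid cookie, else None.

        `revalidate(user_id, issuer) -> bool` is an optional hook that asks the
        original identity source whether the account is still good; it is what
        question C asks about, and the reply above says Wt does not do it."""
        key = _hash_token(token)
        record = self._remember.get(key)
        if record is None:
            return None
        user_id, issuer, expires_at = record
        revoked = revalidate is not None and not revalidate(user_id, issuer)
        if now >= expires_at or revoked:
            del self._remember[key]  # stale or revoked: drop it, force a real login
            return None
        return user_id

    def logout(self, token: str) -> None:
        """Logout invalidates the server-side record; the browser cookie is
        cleared separately in the HTTP response."""
        self._remember.pop(_hash_token(token), None)
```

The point of keying on `(issuer, sub)` rather than on the e-mail is the answer to questions A and B: two providers can report the same e-mail for what are, from the application's point of view, two different accounts, and a provider may let a user change the e-mail or name without changing `sub`. The `revalidate` hook is left optional because, as the reply says, the cookie is only a weak substitute for the primary authentication; a deployment that wants stronger guarantees can plug in a call to the provider there instead of trusting the cookie until it expires.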
