[OSM-talk] forum.openstreetmap.org

Frederik Ramm frederik at remote.org
Sat Sep 15 19:07:24 BST 2007


Hi,

> > 5. Single sign-on would be great but I think we need a proper concept
> > for that; what you (Spaetz) have set up is nice but, as you say, still
> > doesn't integrate account creation (and won't work for the Wiki), so
> > I'd suggest to postpone that until we get it working properly.
> 
> That would be... never? We won't get it working properly if we don't
> work towards that goal.

Yes but working towards single sign-on requires (assuming API is our
identity provider):

1. User wants to log in with Application.
2. Application calls API to initiate identification process, sends
where-do-you-come-from URL, gets transaction id.
3. Application redirects User to API with transaction id.
4. User authenticates with API.
5. API redirects User to where-do-you-come-from URL.
6. Application checks transaction ID with API, gets identity
information.

That's how these things are done. Call it "Passport", call it
"Liberty Alliance", they all work (roughly) like that. The most
important thing about this is that you can handle and authenticate a
user on your site *without* (a) the user having to tell you his
password and (b) having access to our database. This is a great thing
because it would allow third parties to create editing applications
etc. that access the API.

I'd like to have something like this in the long run.

As long as you're in trusted terrain you can of course make a forum
where users have to type in their real OSM password and it is verified
against the API but that's cheating a bit, and restricting single
sign-on to trusted platforms (i.e. stuff operated by us). Such a step
is, in my eyes, not the first step in the right direction, but a step
that will enable single sign-on in a very limited way and block the
path for better solutions (because "we have something already").

But yeah, well, I guess I can't complain, so if people want a special
solution single sign-on that works for a forum and the wiki and
nothing else, let them have it.

> I'd say there is a significant advantage of being sure that the
> "woodpeck" in the forum is the same guy who was mapping all those
> roads in southern Germany.

Single sign-on is mostly about user comfort. Most of these services
actually allow *different* user names in the different realms, you
only have to set up the proper federation ("dear forum, I am Fred the
Furious, please let me in under this name whenever I authenticate
against the server as Mike the Meek").

Single sign-on is not about being known under the same name
everywhere. That would be the OpenID line of things which is not
primarily about single sign-on, but primarily about reputation - you
want to know that this is the same guy who writes that blog and so on.
I would not necessarily advocate this for OSM.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frederik at remote.org  ##  N49°00.09' E008°23.33'
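
Added example, not part of the original message and not OSM code: an in-memory Python model of the six steps listed above, showing that the Application only ever receives an identity and that the transaction id is unguessable, single-use and tied to the return URL registered in step 2. The class and method names, the `forum.example` URL and the sample password are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    """The "API" of the six steps; hypothetical in-memory stand-in."""
    def __init__(self, users, ttl=300):
        self._users = users   # name -> (salt, hash); passwords never leave here
        self._tx = {}         # transaction id -> state
        self._ttl = ttl

    def initiate(self, return_url):                 # step 2
        tx_id = secrets.token_urlsafe(32)           # unguessable transaction id
        self._tx[tx_id] = {"return_url": return_url, "user": None,
                           "expires": time.time() + self._ttl}
        return tx_id

    def authenticate(self, tx_id, name, password):  # steps 4 and 5
        tx = self._tx.get(tx_id)
        if tx is None or time.time() > tx["expires"]:
            return None
        salt, stored = self._users.get(name, (b"", b""))
        if not hmac.compare_digest(hash_pw(password, salt), stored):
            return None
        tx["user"] = name
        # Redirect only to the URL registered in step 2, never one from the browser.
        return tx["return_url"] + "?tx=" + tx_id

    def redeem(self, tx_id):                        # step 6
        tx = self._tx.pop(tx_id, None)              # single use: replay gets nothing
        if tx is None or tx["user"] is None or time.time() > tx["expires"]:
            return None
        return {"user": tx["user"]}

def run_flow():
    salt = secrets.token_bytes(16)                  # constructed sample account
    api = IdentityProvider({"woodpeck": (salt, hash_pw("constructed-pw", salt))})
    tx = api.initiate("https://forum.example/return")
    redirect = api.authenticate(tx, "woodpeck", "constructed-pw")
    identity = api.redeem(tx)        # Application learns who, not the password
    replay = api.redeem(tx)          # second redemption of the same id
    pending = api.redeem(api.initiate("https://forum.example/return"))  # no login yet
    bad = api.authenticate(api.initiate("https://forum.example/return"), "woodpeck", "x")
    return redirect, identity, replay, pending, bad

if __name__ == "__main__":
    print(run_flow())
```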




