I got slightly sidetracked on the way to the TRAC, but I’ve been
thinking about identity and blogging. I really, really, really don’t
want to have to add yet another login/password pair to a commenter’s
keychain if I can possibly help it.
But, it would be cool for people to have some way of identifying
themselves in some trusted fashion (so that, for example, comments made
by signed in users get added straight away, but all other comments get
put into a queue pending approval).
My thinking on this is that we need to come up with some sort of
an identity control API. We define the ways in which Typo interacts
with an authentication service, things like:
    authenticator.session_is_authenticated?(session)
    authenticator.session_user(session) - returns a user object
    authenticator.authenticate(controller, session) - May do redirects,
        hence the controller
Then our user object will carry information like:
    user.memento - Unique string identifying this user (for use in any
        authorization system)
    user.email
    user.display_name
    user.icon
    user.url
    user.authenticated?
Possibly more, possibly fewer. Methods like #icon can obviously return
an empty string…
Once we’ve worked out the protocols (and tweaked our current
identification mechanism to use them) it should be relatively easy to
write adaptors for Flickr; Yahoo; Google; OpenID; some kind of dumbass
captcha system, if you really insist but don’t expect it to get
accepted into the trunk; or whatever other authentication services
exist or arise.
Of course, methods like ‘authenticator.session_is_authenticated?’ will
generally be accessed via helper methods like:
    session.authenticated?
Right, brain dump over, I shall proceed to the Trac directly.
Note: Authentication is not the same as Authorization. About the
only thing I’m sure of regarding authorization is that we shall have
something.
Note2: This isn’t even remotely imminent. I’m just sketching here.
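
The protocol sketched above, as an added Ruby example that is not part of the original post or of Typo's code: one adaptor implementing the three authenticator methods, a user object with the listed fields, and the publish-or-queue rule for comments. `SessionAuthenticator`, `ANONYMOUS`, `comment_status`, the `:user_memento` session key and the `/login` path are assumptions made for illustration.

```ruby
# User object carrying the fields listed in the post.
User = Struct.new(:memento, :email, :display_name, :icon, :url, :authenticated) do
  def authenticated?
    authenticated == true
  end
end

# Unauthenticated visitors get a user object too, so callers never handle nil.
# Methods like #icon return an empty string, as the post suggests.
ANONYMOUS = User.new(nil, "", "Anonymous", "", "", false).freeze

# Hypothetical adaptor. It trusts only a memento that maps to a user the
# server already knows; any other session content is ignored (fail closed).
class SessionAuthenticator
  def initialize(users_by_memento)
    @users = users_by_memento
  end

  def session_is_authenticated?(session)
    session_user(session).authenticated?
  end

  def session_user(session)
    @users.fetch(session[:user_memento], ANONYMOUS)
  end

  # May redirect, hence the controller. Returns the user when already
  # signed in, otherwise sends the browser to the login page and returns nil.
  def authenticate(controller, session)
    return session_user(session) if session_is_authenticated?(session)
    controller.redirect_to("/login") # hypothetical path
    nil
  end
end

# Moderation rule from the post: comments from signed-in users are added
# straight away, everything else waits in the approval queue.
def comment_status(authenticator, session)
  authenticator.session_is_authenticated?(session) ? :published : :pending_approval
end
```

Because the decision depends only on `session_user`, a session that merely claims to be authenticated, or that carries an unknown memento, still lands in the approval queue.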