LoginProcess

last modified March 15, 2014 by feesh

Entry Points to Login

  • Bookmarks/Links *  (#1 method for general users to end up at login screen)
  • Login Button   (#2 method for general users to end up at login screen)
  • Insufficient Privileges redirect *
  • Commenting on content (where login is required to do so) *
  • Rating content (where login is required to do so) *
  • Starting as anonymous then needing to login for some reason *
  • Password Reset
  • Failed Password Attempt
  • Federated Login integrations
  • Site Lockdown (The blocked site setup) *


 * = entry points driven by permissions issues/PAS challenges.

Additional Points to Consider 

It is important to preserve state throughout the entire process, along every potential path.

Save the page that was requested and the anchor within that page; this implies a simple, easy-to-use state-saving mechanism.

Users should not lose their mental state either: where possible, preserve the context visually as well as technically.

Login failure should not be a different case from a simple login.

Federated login integration prevents staying "in context" through the login process, because a trip out to the provider and a redirect back are usually required, but technical state should still be preserved where possible.
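As an added illustration of the state-saving mechanism above (example code, not Plone's own login machinery): the saved "page requested" is a return-to URL that the login form reads back out of the request or session, so it has to be checked before the redirect, otherwise the login page becomes an open redirect to any site an attacker puts in the link. The site host, login path, session shape and sample inputs below are assumptions made up for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed site configuration (made up for this example).
SITE_HOST = "www.example.org"
LOGIN_PATH = "/login"


def safe_came_from(raw, site_host=SITE_HOST, default="/"):
    """Return a same-site path (with query and #anchor) to send the user back to,
    or ``default`` when the requested URL would leave the site or re-enter login.

    ``raw`` is whatever arrived in the request (a ``came_from`` form field, a
    cookie, a session entry); it is attacker-influenced and is never trusted.
    """
    if not raw:
        return default
    # Backslashes and line breaks are rejected outright: some browsers read
    # "/\evil.example" as "//evil.example", and CR/LF enable header injection.
    if any(ch in raw for ch in "\\\r\n\0"):
        return default
    parts = urlsplit(raw)
    # Absolute URLs are only accepted for this site over http(s); scheme-relative
    # ("//evil.example/x") and "javascript:" style URLs fall through to default.
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return default
        if parts.netloc.lower() != site_host.lower():
            return default
    path = parts.path or "/"
    # Only absolute paths; a relative path would resolve against the login URL.
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Never bounce straight back into the login form.
    if path == LOGIN_PATH or path.startswith(LOGIN_PATH + "/"):
        return default
    # Keep path, query string and fragment (the anchor in the page); the
    # scheme and host are dropped so the redirect is always relative.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def remember_request(session, request_url):
    """Store the sanitised return target in the (server-side) session before
    sending the user through login, so every entry point shares one mechanism."""
    session["came_from"] = safe_came_from(request_url)
    return session["came_from"]


def after_login_target(session, default="/"):
    """Pop the saved target once login succeeds; it is used at most once."""
    return safe_came_from(session.pop("came_from", None), default=default)
```

Because the fragment survives, an entry point such as "comment on this page" can store `/folder/page#comments` and land the user back at the comment form, which is the visual context the notes above want preserved; the same function is the right place to run the URL that comes back from a federated provider's redirect.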


Joining The Site 

Break this into two pieces

  • the minimum required information Plone wants for join 
  • the additional profile information integrators/clients may wish to require
    • nagging/requiring completed profiles for membership role
    • must preserve use-case for HR creating profile or "by invite" membership

Bulk user adding should be easy.

Join workflow:

  • Provide username, email address, password and password confirmation.
  • Get an email with a 'confirmation link'.
  • Click the link; the "active" field is set. Message the user that they have been confirmed.
  • Redirect to the login form to log in.

Invitation workflow:

  • HR sets up the profile and clicks 'invite user'.
  • The user gets an email with a link.
  • Click the link, set a password and confirm it (this is like, or could be the same as, the password reset form?); submitting the form sets the "active" bit on the profile.
  • Redirect to the login page to log in.
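Both flows above hinge on the emailed link: it must prove that the person clicking it received the email, stop working after one use and after a deadline, and only flip the "active" bit of the profile it was issued for. The following is an added example of such a link token serving both the join and the invite flow (not Plone's own registration code); the in-memory member store, the per-site secret, the 48-hour lifetime and the password hashing are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this example: a per-site secret loaded from configuration,
# a 48-hour lifetime for emailed links, and an in-memory member store.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 48 * 3600
members = {}  # userid -> profile dict


def hash_password(password):
    """PBKDF2-SHA256 with a random salt; stored as 'salt$hash' (hex)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def create_pending_member(userid, email, password=None):
    """Create an inactive profile. The join flow supplies a password now;
    the HR/invite flow leaves it unset until the invitee chooses one."""
    members[userid] = {
        "email": email,
        "active": False,
        "password_hash": hash_password(password) if password else None,
        "link_nonce": None,  # outstanding confirmation/invite token, if any
    }


def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_link_token(userid, purpose):
    """Make the token carried in the emailed link.

    purpose is "confirm" (join flow) or "invite" (HR flow). A fresh nonce is
    recorded on the profile so the token is single use and re-sending a link
    invalidates the previous one.
    """
    nonce = secrets.token_urlsafe(16)
    members[userid]["link_nonce"] = nonce
    expires = int(time.time()) + TOKEN_TTL
    payload = json.dumps([userid, purpose, expires, nonce]).encode()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(_sign(payload)).decode())


def redeem_link_token(token, purpose, password=None, now=None):
    """Handle the click. Returns True and activates the profile on success.

    Every failure returns False without changing the profile: bad signature,
    wrong purpose, expired, already used, or (invite) no password chosen.
    """
    now = int(time.time()) if now is None else now
    try:
        b64_payload, b64_sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64_payload)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, binascii.Error):
        return False
    # Check the MAC before looking at any field, in constant time.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    userid, token_purpose, expires, nonce = json.loads(payload)
    member = members.get(userid)
    if member is None or token_purpose != purpose or now > expires:
        return False
    # Single use: the nonce is cleared on redemption and replaced on re-issue.
    if member["link_nonce"] is None or not hmac.compare_digest(
            member["link_nonce"].encode(), nonce.encode()):
        return False
    if purpose == "invite":
        if not password:
            return False
        member["password_hash"] = hash_password(password)
    member["active"] = True
    member["link_nonce"] = None
    return True
```

The purpose field is what keeps the two forms separate even if they share a view: a "confirm" token cannot be replayed against the set-password form, and an "invite" token cannot activate a profile without a password being chosen.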


OAuth / Federated Login  

OpenID Connect
(and the general federated auth issue)

  • make sure we attach logins to an existing user
  • make sure there is a way to revoke access



David: it's important that member properties affix to identities created this way

Steve: email address usernames are an easy path
Will we be able to have users log in via password AND federated login?


Explore Python OAuth2.0 module, ideally by writing tests that establish our understanding of how it works

A plone.* namespace module that does the OpenID Connect handshake
  1) as tests with a mock server
  2) as tests with mock server with browser tests
  3) pay lots of attention to the CSRF session token. It needs to be solid. We may want a security team review.
Examine plone.openid. How much functionality can we pirate? Note that it does not handle member creation/properties. Check plonesocial.auth.rpx for that.
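Point 3 above is the OpenID Connect `state` parameter (plus the `nonce` that the provider echoes back inside the ID token): both are generated per login attempt, held in the server-side session, and compared on the way back, which is what stops a forged callback from logging a victim into an attacker-chosen identity. The following is an added example of that part of the handshake together with the attach-to-existing-user and revoke rules from the list above; it is written against the Python standard library, not against any particular OAuth module, plone.openid or plonesocial.auth.rpx, and the provider URLs, client id, session and user-store shapes are assumptions for the example. The code-for-token exchange and the ID token signature check are left to the OAuth library, so `link_identity` takes claims that have already been verified.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed provider and client settings (made up for this example).
ISSUER = "https://idp.example.org"
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "plone-site"
REDIRECT_URI = "https://www.example.org/@@oidc-callback"
ATTEMPT_TTL = 600  # seconds a pending login attempt stays valid


def begin_login(session, came_from="/"):
    """Record a fresh state and nonce in the server-side session and build the
    authorization request URL the browser is redirected to."""
    attempt = {
        "state": secrets.token_urlsafe(32),   # CSRF token for the callback
        "nonce": secrets.token_urlsafe(32),   # bound into the ID token
        "issued": int(time.time()),
        "came_from": came_from,               # preserves technical state
    }
    session["oidc_attempt"] = attempt
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": attempt["state"],
        "nonce": attempt["nonce"],
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def verify_callback(session, callback_url, now=None):
    """Check the redirect back from the provider. Returns (code, nonce, came_from).

    The pending attempt is removed first so a replayed callback fails too.
    """
    now = int(time.time()) if now is None else now
    attempt = session.pop("oidc_attempt", None)
    if attempt is None:
        raise ValueError("no login attempt in progress")
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), attempt["state"].encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if now - attempt["issued"] > ATTEMPT_TTL:
        raise ValueError("login attempt expired")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code, attempt["nonce"], attempt["came_from"]


def link_identity(claims, expected_nonce, users, now=None):
    """Map verified ID token claims to a local member id, or None.

    users = {"by_subject": {(iss, sub): userid}, "by_email": {email: userid}}.
    An identity already seen is returned directly. An unseen identity is only
    attached to an existing member when the provider asserts the email is
    verified; otherwise the caller must create a member or ask the user.
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud", [])
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("ID token not issued for this client")
    if claims.get("exp", 0) < now:
        raise ValueError("ID token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(),
                               expected_nonce.encode()):
        raise ValueError("nonce mismatch: ID token does not belong to this attempt")
    key = (claims["iss"], claims["sub"])
    if key in users["by_subject"]:
        return users["by_subject"][key]
    email = claims.get("email")
    if email and claims.get("email_verified") is True:
        userid = users["by_email"].get(email.lower())
        if userid is not None:
            users["by_subject"][key] = userid   # member properties stay attached
            return userid
    return None


def revoke_identity(users, userid, iss, sub):
    """Detach a federated identity from a member; True if it was linked to them."""
    key = (iss, sub)
    if users["by_subject"].get(key) != userid:
        return False
    del users["by_subject"][key]
    return True
```

Linking on the (issuer, subject) pair rather than on the email alone is what lets a member keep both a password login and a federated login: the same member id is reached either way, and `revoke_identity` removes only the federated route. The mock-server tests in points 1 and 2 above would drive `begin_login` and `verify_callback` with a fake provider redirecting to a forged, replayed and expired state to exercise each branch.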

How to connect to login form? https://github.com/collective/collective.pluggablelogin has a pluggable solution. Tabs on the login form are probably not ideal, as they'll be missed by