LoginProcess

last modified March 15, 2014 by feesh


Entry Points to Login

  • Bookmarks/Links *  (#1 method for general users to end up at login screen)
  • Login Button   (#2 method for general users to end up at login screen)
  • Insufficient Privileges redirect *
  • Commenting on content (where login is required to do so) *
  • Rating content (where login is required to do so) *
  • Starting as anonymous then needing to login for some reason *
  • Password Reset
  • Failed Password Attempt
  • Federated Login integrations
  • Site Lockdown (The blocked site setup) *

 

 * = entry points driven by permissions issues/PAS challenges.

Additional Points to Consider 

It is important to preserve state throughout the entire process, along every potential path.

Save the page requested and the anchor within the page; this implies a simple, easy-to-use state-saving mechanism.

We do not want users to lose mental state either: if possible, preserve context visually as well as technically.

Login failure should not be a different case than simple login.

Federated login integration prevents remaining "in context" through the login process, as a trip out to the provider and a redirect back are usually required, but technical state should be preserved if possible.

 

Joining The Site 

Break this into two pieces

  • the minimum required information Plone wants for join 
  • the additional profile information integrators/clients may wish to require
    • nagging/requiring completed profiles for membership role
    • must preserve use-case for HR creating profile or "by invite" membership

Bulk user adding should be easy.

Join workflow:

  • Provide username, email address, password and confirmation.
  • Get email with 'confirmation link'.
  • Click link; the "active" field is set. Message the user that they have been confirmed.
  • Redirect to login form to log in.

Invitation Workflow:

  • HR sets up profile, clicks 'invite user'.
  • User gets email with link
  • Click link, set password and confirm (this is like/can be same as password reset form?), submitting form sets "active" bit on profile
  • Redirect to login page to log in.

 

OAuth / Federated Login

OpenID Connect
(and general federated auth issue)


  - make sure we attach logins to an existing user
  - make sure there's a way to revoke access

Resources:


github.com/plone/plone.openid
github.com/plone/plone.app.openid

David: it's important that member properties affix to identities created this way

Steve: email address usernames are an easy path
Will we be able to have users log in via password AND federated login?



Chores:

Explore Python OAuth2.0 module, ideally by writing tests that establish our understanding of how it works

A plone.* namespace module that does the OpenID Connect handshake
  1) as tests with a mock server
  2) as tests with a mock server plus browser tests
  3) pay lots of attention to the CSRF session token. It needs to be solid. We may want a security team review.
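As an added illustration of the handshake and the state token the chores above call for (this is not code from plone.openid or any project listed on this page): a minimal authorization-code flow helper with a server-side, single-use state value that also carries the page and anchor the user came from, exercised against a stand-in provider the way the mock-server tests above describe. The provider endpoint, client id and callback view are made-up assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider endpoint, client id and callback view, used only
# for illustration; they are not from plone.openid or any real site.
AUTHORIZE_URL = "https://idp.example/authorize"
CLIENT_ID = "plone-site"
REDIRECT_URI = "https://site.example/@@oidc-callback"


def build_authorize_url(session, came_from):
    """Start the authorization-code flow. A fresh random state is kept
    in the server-side session next to the page (and anchor) the user
    was on, so the callback can both reject forged requests and send
    the user back into context."""
    state = secrets.token_urlsafe(32)
    session["oidc"] = {"state": state, "came_from": came_from}
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid email",
              "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def mock_provider_redirect(authorize_url, code="c-123", state=None):
    """Stand-in for the identity provider in tests: echo the state from
    the authorize request (or a caller-chosen one) back with a code."""
    q = parse_qs(urlparse(authorize_url).query)
    assert q["response_type"] == ["code"] and q["redirect_uri"] == [REDIRECT_URI]
    echoed = q["state"][0] if state is None else state
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": echoed})


def handle_callback(session, callback_url):
    """Validate the provider's redirect. Returns (code, came_from), or
    raises ValueError when the state is absent, mismatched or replayed."""
    pending = session.pop("oidc", None)  # single use: a replay finds nothing
    if pending is None:
        raise ValueError("no login in progress for this session")
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError("provider error: " + q["error"][0])
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: possible CSRF")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code returned")
    return code, pending["came_from"]
```

Exchanging the returned code for tokens and mapping the resulting identity onto an existing member is the part plone.openid does not cover and is left out here.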
  
Examine plone.openid. How much functionality can we pirate? Note that it does not handle member creation/properties. Check plonesocial.auth.rpx for that.

How to connect to login form? https://github.com/collective/collective.pluggablelogin has a pluggable solution. Tabs on the login form are probably not ideal, as they'll be missed by  

 

Mockups!

login-mockup.jpg 

signup-mockup.jpg 

trouble-mockup.jpg