Revision diff (9 intermediate revisions by one other user not shown)
Edit summary: adds idp implementation references
Edit summary: Updated current status of Persona in the contexts of Mozilla and Sudo Room.
In terms of practical usage for sudo room, there are a sufficient number of [https://developer.mozilla.org/en-US/Persona/Libraries_and_plugins libraries and plugins] available for integrating and developing with lots of different applications and environments. This [https://hacks.mozilla.org/2013/04/mozilla-persona-for-the-non-web/ blog post from 2013] explains some more about how these libraries can be used.
In 2014, Mozilla transitioned Persona to community ownership. In January 2016, they announced plans to decommission the Mozilla-operated Persona infrastructure in November 2016. In September 2016, Sudo Room [https://github.com/sudoroom/sudo-infrastructure/issues/2 dropped Persona login support].
The browserid standard is still an open standard, and it would still be possible for us to set up an IdP, but this would be a significant undertaking.
==Use Case==
Our hackerspace community has an opportunity to support an environment for creative expression and new, elegant services. We have basic infrastructure including a wordpress website (with blog and shared calendar system), this mediawiki wiki, a membership application (in the works), and an issue tracker (next on deck). However, a limitation to running 2 or ''n'' services is managing more than one user account. Hackerspaces commonly write manual hacks to shim user account generation and to propagate password updates across multiple systems. These solutions are a pain and very unstable. Persona offers a viable alternative, so at the very least we can use the same shim in each system.
'''We want to create an environment where members are encouraged to create lots of new apps, rather than bottlenecking on centralized/monolithic apps. With persona, these apps may have a lower barrier to entry since existing users can authenticate without registration.'''
==Identity Provider (IdP)==
* Quick-and-dirty Identity Provider (IdP) implementation http://kamituel.tumblr.com/post/47604831876/mozilla-persona-implementing-idp
** Based on documentation https://developer.mozilla.org/en-US/Persona/Implementing_a_Persona_IdP
* Another blog post on implementing an IdP: https://lukasa.co.uk/2013/04/Writing_A_Persona_Identity_Provider/
* Another blog post on implementing an IdP: http://rfk.id.au/blog/entry/persona-identity-provider/
* Option to hack a Single-Sign-On (SSO) service by implementing a parent-domain cookie with a shared session store, or instead at least have consistent identity management across applications: https://stackoverflow.com/questions/16010168/using-mozilla-persona-auth-for-single-sign-on#comment22898509_16026019
==Verification==
Interestingly, there's a drop-in Apache module for Persona-based auth:
* https://github.com/mozilla/mod_authnz_persona
==Implementations==
===WordPress===
Using the [http://wordpress.org/plugins/browserid/ BrowserID plugin].
===MediaWiki===
Using the [https://www.mediawiki.org/wiki/Extension:Persona Persona extension].
===SeltzerCRM===
====Persona Auth Module====
First pass (not tested, development version, probably broken): https://github.com/sudoroom/seltzer/tree/persona_auth
A dead-simple verification plugin that allows users to authenticate with an email address via Persona. It uses the MIT-licensed verification library [https://github.com/fmarier/auth-browserid Auth-BrowserID] and is based on SeltzerCRM's [https://github.com/elplatt/seltzer/blob/master/crm/modules/user/user.inc.php User Module]; both are dependencies.
=====pseudo code=====
# include the BrowserID.php verification library class (gpl-compatible Mozilla license)
# create an alternative Persona-based login form
# ensure the login form shows up in the right places
# write a handler to catch the POST login request, verify the assertion, add the user id to session data, and respond in the affirmative
# shouldn't need to write a handler to catch the GET logout request; the existing logout should simply clear session data
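As an added example (not code from SeltzerCRM, Sudo Room or the Auth-BrowserID library), here is a PHP handler for the POST login step above: it forwards the assertion to a remote verifier, checks the response, and stores the verified email in the session. The function names, the audience value and the verifier URL (Mozilla's, decommissioned in November 2016) are assumptions; a self-hosted verifier would replace that URL.

```php
<?php
// Added example, not SeltzerCRM's code. The client page has already obtained an
// assertion via navigator.id.request() and POSTed it as "assertion".
const VERIFIER_URL = 'https://verifier.login.persona.org/verify'; // Mozilla's, now defunct

// POST the assertion to the remote verifier; return decoded JSON or null on failure.
// $audience must be this site's own scheme://host[:port], never taken from the request,
// otherwise an assertion minted for another site would be accepted here.
function persona_verify(string $assertion, string $audience): ?array
{
    $ch = curl_init(VERIFIER_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['assertion' => $assertion, 'audience' => $audience]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the verdict is only as trustworthy as this channel
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    $data = $body === false ? null : json_decode($body, true);
    return is_array($data) ? $data : null;
}

// Decide whether a verifier response authenticates a login for $audience; returns the
// verified email or null. Kept apart from the HTTP call so it can be tested offline.
function persona_accept(?array $resp, string $audience, int $now): ?string
{
    if ($resp === null || ($resp['status'] ?? '') !== 'okay'
        || ($resp['audience'] ?? '') !== $audience          // verifier echoes the audience it checked
        || ((int) ($resp['expires'] ?? 0)) / 1000 < $now) { // "expires" is a millisecond timestamp
        return null;
    }
    $email = filter_var($resp['email'] ?? '', FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Step 4 of the pseudo code: catch the POST, verify, store the identity in the session.
function persona_login_handler(string $audience): void
{
    session_start();
    $email = persona_accept(persona_verify($_POST['assertion'] ?? '', $audience), $audience, time());
    if ($email === null) {
        http_response_code(401);
        echo json_encode(['status' => 'failure']);
        return;
    }
    session_regenerate_id(true);         // fresh session id across the login boundary
    $_SESSION['persona_email'] = $email; // the user module would map this email to a user id
    echo json_encode(['status' => 'okay', 'email' => $email]);
}
```

Call `persona_login_handler('https://example.org')` from the route that receives the login POST, with the audience hard-coded for the deployment rather than read from the Host header.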
=====notes=====
Relevant sections of code:
https://github.com/elplatt/seltzer/blob/master/crm/modules/user/user.inc.php#L467-L498
https://github.com/elplatt/seltzer/blob/master/crm/modules/user/user.inc.php#L623-L687
Helpful thoughts:
Confirms the idea of how this could work: http://stackoverflow.com/a/18930982
Demonstrated hack example in PHP: http://ubuntuforums.org/archive/index.php/t-2126891.html
Libraries:
Looks like I want to use this: https://github.com/fmarier/auth-browserid namely:
https://github.com/fmarier/auth-browserid/blob/master/docs/demo.php