Authenticating Piggy Bank to Semantic Bank through OpenID using Appalachian. It's not as straightforward as it sounds, and it doesn't sound straightforward.
Semantic Bank
Semantic Bank needs to have its account management changed to OpenID. I do not expect SB instances to accept both old-style and OpenID accounts; mixing the two is precisely what we want to avoid. Semantic Bank can currently perform OpenID authentication, but it is not yet tied to accounts. Authorization (via JAAS) still has to follow authentication.
There is a looming question of how, if at all, to migrate an account from the older style to an OpenID. At minimum this entails a user interface on the SB side, plus some warning mechanism that works with both older and newer versions of PB, so that it is clear a version mismatch is blocking the flow of data and that a visit to the SB is now needed to fix it.
Accounts
What constitutes a Semantic Bank account presently is a folder whose name is the user's nickname, as entered when the account was created via Piggy Bank.
The intended change is to make an SB account identified by an OpenID and associated with a folder named by a hash of that ID, with a "human-friendly" nickname of the OpenID minus the protocol. The nickname does nothing other than provide an rdfs:label internally. Account creation will go through the browser: when PB recognizes an SB, it will show a new status bar icon indicating that an account can be created at that bank. Clicking it creates a nonce and a pending account entry, and uses the Appalachian-based OpenID of choice to log in to the SB for the first time. Once the login succeeds, the SB responds with the nonce, and the PB-internal association to the SB is finalized.
The account manager within PB will no longer do account creation on new SBs.
Piggy Bank
Piggy Bank needs to record both styles of account and to know which bank uses which style of authentication. It should rely on Appalachian for all of the underlying OpenID management tasks. PB should be able to create accounts on banks and publish data to banks at the user's request with minimal hassle: a login to the OpenID server should be the most that is ever required.
Architecture
Time to buy OmniGraffle...
- User browses Piggy Bank
- User decides to publish some data
- To all banks, as is the current set up? Or via a popup list or something?
- Piggy Bank sends the full publish command to Semantic Bank with the account that matches the SB
- (Old style SB will report data is published and would end here as PB reports success)
- An OpenID-based SB may find that the user-agent is already logged in and report publication success
- If not, SB reports authentication needed to Piggy Bank
- Piggy Bank requests Appalachian login with the given OpenID and SB
- Appalachian opens a new window to step through the login process, seeding a continuation when the state machine reaches its conclusion
- If needed, the user will have to log in to their OpenID server
- When login concludes (successfully, failed, or aborted), the new window closes and control is handed back to PB via the continuation
- PB will repeat above publication attempt
- If it fails again, do not repeat this cycle.
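The publish / authenticate / retry cycle listed above, as an added runnable sketch in JavaScript with both sides of the exchange. This is not Piggy Bank, Semantic Bank or Appalachian code: the message shapes, the "old" versus "openid" style flag, and the stand-in for Appalachian's login window are assumptions. The point it makes concrete is the last step: exactly one login and one retry, never a loop.

```javascript
// Added example, not code from Piggy Bank, Semantic Bank or Appalachian.
// Assumed message shapes: {account, session, data} -> {status: "published" | "auth-required"}.

// Semantic Bank side. An old-style bank accepts a publish from a known account;
// an OpenID bank requires the user-agent's session to be logged in.
function makeBank(style) {
  const published = [];
  const sessions = new Set();
  return {
    style,
    published,
    sessions,
    handlePublish(req) {
      if (style === "old" || sessions.has(req.session)) {
        published.push(req.data);
        return { status: "published" };
      }
      return { status: "auth-required" };
    },
  };
}

// Appalachian stand-in: runs the login state machine to its conclusion and
// hands the outcome ("success", "failed" or "aborted") to the continuation.
function fakeAppalachianLogin(bank, session, outcome, continuation) {
  if (outcome === "success") bank.sessions.add(session);
  continuation(outcome);
}

// Piggy Bank side: one publish attempt; on auth-required, one login and one
// retry via the continuation; if that also fails, give up (no second cycle).
function publish(bank, account, data, loginOutcome) {
  const attempt = () => bank.handlePublish({ account: account.openid, session: account.session, data });
  let res = attempt();
  if (res.status === "published") return { ok: true, logins: 0 };
  if (res.status !== "auth-required") return { ok: false, logins: 0, reason: res.status };

  let result;
  fakeAppalachianLogin(bank, account.session, loginOutcome, (outcome) => {
    // Control returns to PB here whatever the outcome was.
    if (outcome !== "success") {
      result = { ok: false, logins: 1, reason: "login-" + outcome };
      return;
    }
    res = attempt();
    result = res.status === "published"
      ? { ok: true, logins: 1 }
      : { ok: false, logins: 1, reason: res.status };
  });
  return result;
}
```

Against an old-style bank the first attempt succeeds and Appalachian is never invoked; against an OpenID bank with no session the flow takes exactly one trip through the login continuation, and a failed or aborted login surfaces as a reason rather than another attempt.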

