Supporting multiple credentials for resource owners


Werner Strydom

Mar 27, 2012, 7:26:35 PM
to dotnet...@googlegroups.com
Hello,

Consider a user that has several credentials. For example, the user can use a username or any of their email addresses with their password to log in. I have implemented IAuthorizationServer.IsResourceOwnerCredentialValid as well as a custom WCF ServiceAuthorizationManager. When testing with the different credentials, say "b...@example.com" and then "bob", the OAuthPrincipal.Identity.Name returns respectively "b...@example.com" or "bob". From the system's perspective it looks like two different principals. Additional processing is required to determine the actual user.

I'd like to propose that IAuthorizationServer.IsResourceOwnerCredentialValid allows an implementor to return an identifier. For simple scenarios, the implementor can return the username; however, in more complex scenarios, the implementor can return a unique identifier that represents the user. That would allow the WCF service implementations to perform a simple query to determine whether users have access to the resource or not.

If there are no objections, I'd like to file an issue on GitHub. However, this is open for discussion.

Werner

Andrew Arnott

Mar 27, 2012, 8:08:05 PM
to dotnet...@googlegroups.com
I like that idea.  Essentially you want the authorization server to be able to transform the username to some canonical representation, which seems fine.  Please file the issue.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
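
The canonicalization discussed in this thread, as an added example that is not part of either post and is not DotNetOpenAuth code: credential validation returns a stable subject identifier, so the resource side authorizes on one principal regardless of which login alias was presented. The types `Account` and `CredentialValidator`, the method `TryValidate`, the subject id, the aliases and the password are all hypothetical, constructed values; case-insensitive alias matching is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical types for illustration; none of these are DotNetOpenAuth APIs.
sealed record Account(string SubjectId, byte[] Salt, byte[] PasswordHash);

sealed class CredentialValidator
{
    // Every login alias (username, each email address) maps to the same account.
    private readonly Dictionary<string, Account> _byAlias =
        new(StringComparer.OrdinalIgnoreCase);

    public void Register(string subjectId, string password, params string[] aliases)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        var account = new Account(subjectId, salt, Hash(password, salt));
        foreach (string alias in aliases) _byAlias[alias.Trim()] = account;
    }

    // Returns true plus the stable subject id, whichever alias was presented.
    public bool TryValidate(string login, string password, out string? canonicalId)
    {
        canonicalId = null;
        if (!_byAlias.TryGetValue(login.Trim(), out Account? account)) return false;
        byte[] candidate = Hash(password, account.Salt);
        if (!CryptographicOperations.FixedTimeEquals(candidate, account.PasswordHash)) return false;
        canonicalId = account.SubjectId;
        return true;
    }

    private static byte[] Hash(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);
}

static class Program
{
    static void Main()
    {
        var validator = new CredentialValidator();
        // Constructed sample account with two login aliases.
        validator.Register("user-0001", "constructed-sample-password", "bob", "bob.smith@example.test");
        // Resource-side access list keyed by subject id, not by the login string.
        var acl = new HashSet<string> { "user-0001" };
        foreach (string login in new[] { "bob", "BOB.SMITH@example.test", "mallory" })
        {
            bool ok = validator.TryValidate(login, "constructed-sample-password", out string? id);
            Console.WriteLine($"{login}: valid={ok}, principal={id ?? "(none)"}, access={ok && acl.Contains(id!)}");
        }
    }
}
```

Both aliases resolve to the same principal, so an access check or audit record keyed on the subject id stays consistent when the user adds or changes an email address.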