A tiddler to manage authentication - challenges


CHUN LI

Jan 3, 2019, 10:38:56 PM
to TiddlyWiki
Hello,

I found TiddlyWiki at the beginning of last year and I am amazed by the thinking in its design - everything can be served from an HTML file and all the data is stored and presented in a nice way.

Now I come with a challenge of access control. I want our users to use TiddlyWiki in parallel with one of our applications. Our application uses OAuth2 for single sign-on. So I want my users to sign in via SSO and then access my TiddlyWiki HTML file. I also want them to have read access to all the text tiddlers but write access to only a group of tiddlers based on their login.

I guess the challenges here are:

  • Use OAuth2 to manage access to the TiddlyWiki HTML file, using only a (macro) tiddler and not a server. I found resources about how to add OAuth to TiddlyWiki, e.g. in TiddlyWeb. But my idea (which might not be feasible) is to use only tiddlers to control access, so I can still keep everything in one HTML file.
  • Access to a group of tiddlers. I saw this has been discussed and mentioned in Google Groups, along with some server options like BOB. But I haven't seen a practical way to do so.

I think this is not just a post about finding answers but also about seeking opinions on whether this is worth doing and whether this is the TiddlyWiki way of thinking.

BTW, I watched the video "Intertwingling the TiddlyWiki" at CodeMesh and am glad more people are hearing the beautiful idea!

Thanks,

Chun

Jed Carty

Jan 4, 2019, 4:46:25 AM
to TiddlyWiki
I don't think that what you want to do is possible in a single-file wiki. OAuth2 authentication is based on tokens, and logging in requires redirection of a URL.

Also, OAuth2 is designed to mediate communications between a server and a browser or other application by limiting what is able to be sent. In a single-file wiki you have already sent everything, so there isn't a meaningful way to give only a subset of the full wiki without a server.

I think that the best you can do with a single-file wiki is to have some tiddlers encrypted and allow people with a password to decrypt them. Someone was talking about creating a plugin that would allow that, but I don't know how much progress was made with it. So it may already exist and I am just not aware of it.

I have been working on improving the secure server version of Bob to allow more finely grained control over access to individual tiddlers. So far it has been much more practical to just create new wikis and control access to them; the UI for adding access controls to specific groups of tiddlers may end up being more confusing than useful. We are still working on it.

And, in all of the options, there is nothing to prevent someone from copying the tiddlers that are not public once they have them loaded.

CHUN LI

Jan 4, 2019, 5:36:24 AM
to TiddlyWiki
I was thinking about using a JSON data tiddler (which has the names of all the text tiddlers, and some text in the tiddler body) as the source to generate tiddlers, and a "user table" tiddler that lists all the users and which text tiddlers they can edit (by tiddler name). So once my users have logged in to my app through SSO, Chrome will know the username, match it in the user table and generate editable tiddlers. This is just my theory, nothing in practice yet. I noted that some discussions talked about the time taken to parse JSON. But I don't know of other possible ways to include a 'database' within a single TiddlyWiki file.

And, the JSON tiddler and the user table tiddler need to be protected somehow.

Thanks for working on BOB. I have it on my server :)