About Pundit Server

Amanpreet Singh

May 26, 2014, 3:22:21 AM
to annotation-tool-gsoc
Hi everyone,

I have written the API[1] for OAuth with Wikimedia. I am waiting for OAuth application proposal acceptance. In the meantime, I thought I should clear some doubts. I want to know how we can interact with Pundit Server using this OAuth API. I know about the Authenticated requests function in Pundit, and I think it is core to this functionality. But I have some doubts:
1. Does Pundit server check for login at every step?

   If yes, then it will be difficult to integrate the API at every step, since Pundit would probably be calling its internal server function to check login.

   If no, then it's probably good: we can log in one time through the API, set the username etc., and then interact with Pundit server.

2. The other thing is simple: I want to know what info Pundit server stores with an annotation with respect to the user.


Thanks.


--
Amanpreet Singh,
IIT Roorkee

Christian Morbidoni

May 26, 2014, 10:59:13 AM
to Amanpreet Singh, annotation-tool-gsoc
Dear Aman,

As you know, Pundit supports authentication via OpenID only. The OpenID workflow is initiated the first time you call one of the authenticated APIs (e.g. /notebooks/current) and it is done only once. Subsequent calls are handled by the server locally. Now, I'm not an expert in this specific kind of issue. I first would like to understand if I'm getting it right:
Wikidata currently implements an OAuth API for authentication (not authorization). Right? Is it OAuth 2.0?
What do we want to do exactly, from a user's viewpoint?
Do we want WikiData to be listed among the other identity providers (e.g. Google, Yahoo!, etc.)? Or rather do we want a specialized version of Pundit where the only identity provider is WikiData?
What is your idea, Aman? Do you want to modify the Pundit Server code (where the OpenID is implemented), and perhaps deploy another server that supports OAuth? Or are you thinking about adding OAuth as an alternative to OpenID (probably best)? I think this would be non-trivial work...
Or do you think the behaviour can be enabled somehow by working on the client side and combining OAuth with OpenID in some way?


--
You received this message because you are subscribed to the Google Groups "Annotation tool GSoC" group.
To unsubscribe from this group and stop receiving emails from it, send an email to annotation-tool-...@googlegroups.com.
Visit this group at http://groups.google.com/group/annotation-tool-gsoc.
For more options, visit https://groups.google.com/d/optout.

Amanpreet Singh

May 26, 2014, 11:51:27 AM
to Christian Morbidoni, annotation-tool-gsoc, Simone Fonda
Dear Christian and all,

I was hoping to use OAuth as an alternative to OpenID used in Pundit (meaning replace it with OpenID, especially for the Wikidata browser plugin). Wikimedia currently employs OAuth 1.0 so we have two tokens, one secret and one consumer's.

The overall workflow assumed by me is as follows:
1. Start the OAuth workflow as soon as the user clicks on the Login button.

    OAuth workflow:
  • Redirect the user to the Wikimedia login page using the OAuth token generated using the consumer token and secret token.
  • The user logs in there and is redirected back to the website where he started the login workflow through the plugin.
  • But now we have the user's details through the OAuth API and thus the user can now be identified.
2. Now I wanted to store all the annotations made by the user using the details received through the OAuth API; thus maybe we don't need to change the server's code, and can use the same server we already have, as you say the server only goes through the login flow once.

So, I want to know what I should do to make the end result (meaning the end picture: cookies set etc.) the same as after the OpenID workflow, such that things go on as they usually do with the OpenID workflow.

Thanks


On Mon, May 26, 2014 at 8:30 PM, Christian Morbidoni <christian...@gmail.com> wrote:
Oops... I forgot to reply to the mailing list... please ignore the previous mail and let's discuss using the other one (where the ML is in CC)...

Christian Morbidoni

May 26, 2014, 1:21:19 PM
to Amanpreet Singh, annotation-tool-gsoc, Simone Fonda, Michele Nucci
OpenID and OAuth workflows have similar steps but are different, and I doubt you can switch from OpenID to OAuth (or add OAuth as an alternative authentication mechanism) without modifying the Pundit Server code.
I do not know the code in detail; however, I think the workflow is partially implemented server side.
This should be the Java servlet handling the Authenticated requests:

Honestly, I do not have a clear solution in mind. What do the others think?

best,

Christian




David Cuenca

May 27, 2014, 4:02:28 AM
to Christian Morbidoni, Amanpreet Singh, annotation-tool-gsoc, Simone Fonda, Michele Nucci
Well, I'm no expert in authentication systems either, but as I see it both Wikimedia and Pundit require an external trigger. It seems to me that Pundit login should have precedence, since it is the initiator of the events and the whole chain looks strikingly similar to a "proactor pattern". What about:
a) the user logs in to Pundit using the normal method (OpenID or whatever)
b) a new button appears, "connect [your pundit account] with Wikimedia"
c) the OAuth login process is triggered as Aman described

It would be a 2-step login, and perhaps the OAuth token can be saved for future uses?

What do you think of this approach?

Micru
Etiamsi omnes, ego non

Christian Morbidoni

May 27, 2014, 4:57:36 AM
to David Cuenca, Amanpreet Singh, annotation-tool-gsoc, Simone Fonda, Michele Nucci
I think what David proposes makes sense. However, I have some doubts...
1. At this point I'm not sure about the purpose of connecting the two accounts... Do we want to import some user data from WikiData to Pundit?
Or rather would we like WikiData to remember the connection so that it knows which annotations belong to WikiData users, when it later wants to import the annotations?
2. The connection has to be repeated at each login in Pundit, or rather we still need to remember it and store it server side.


Amanpreet Singh

May 27, 2014, 5:02:16 AM
to Christian Morbidoni, David Cuenca, annotation-tool-gsoc, Simone Fonda, Michele Nucci
It seems good at first sight, but in the end we have to send some data to the server to identify that the user was actually logged in from Wikimedia. Then there remains no point in a double login, since we are already altering server code.

Also, it is too shabby to make a user log in twice; I don't think people will care about the second login.
In the meantime, I am getting into the server's code to check what's actually happening.
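
An added illustration of the point in this message and of the "done only once, subsequent calls handled locally" behaviour described earlier in the thread (this is not Pundit's code, which is a Java servlet; all names are hypothetical): once the server itself has completed the identity check with the provider, it mints an HMAC-signed session cookie and verifies it locally on every later authenticated call, so a username that the client merely sets is rejected.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Hypothetical server-side key: random in a real deployment and never sent to the client.
SESSION_KEY = b"constructed-demo-key-not-for-production"
SESSION_TTL = 3600  # seconds a login stays valid before the login flow must run again


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def mac_tag(payload: str) -> str:
    return b64url(hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).digest())


def issue_session(username: str, provider: str, now: Optional[float] = None) -> str:
    """Call only after the server has verified the identity with the provider."""
    now = time.time() if now is None else now
    claims = {"sub": username, "idp": provider, "exp": int(now) + SESSION_TTL}
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{mac_tag(payload)}"


def check_session(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Local check run on every authenticated request; no call to the provider."""
    now = time.time() if now is None else now
    payload, sep, tag = cookie.partition(".")
    if not sep or not hmac.compare_digest(tag.encode(), mac_tag(payload).encode()):
        return None  # missing or forged signature
    try:
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return None  # payload is not valid base64/JSON
    if claims.get("exp", 0) < now:
        return None  # expired: the login flow has to run again
    return claims
```

Storing the provider name in the claims is what lets the server later tell which annotations were made under a Wikimedia-verified identity.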

David Cuenca

May 27, 2014, 8:15:46 AM
to Amanpreet Singh, Christian Morbidoni, annotation-tool-gsoc, Simone Fonda, Michele Nucci
There is another way of seeing it: instead of making the user log in twice from the very beginning, you can assume that they will work first with Pundit, and when they are done they will transfer the annotations to Wikidata. Then perhaps it makes more sense to the user, conceptually speaking.
Other than that or saving the login token in the Pundit server, there are not that many options left.