CorvusClub / hawlucha

Private, centralized authentication built on HAWK

Initial research and decision making #1

Open Thristhart opened 7 years ago

nogweii commented 7 years ago

The primary design is solving the following problem: we want our projects to support authentication. However, having everyone remember yet another username and password is terrible. So, OAuth and OpenID! But then we would have to manage the app ID and secret for each provider for each project. A combinational explosion in the making. Also, we are lazy and often don't implement a whitelist, so anyone with a Google account could log in and see information we intended to be private. If we were to implement a whitelist, that would involve an invite workflow, something that isn't the most fun to reimplement time and time again. Also, we would have to build some sort of synchronization so our friends don't need to wait to be reinvited for each project, or in the worst case, server failure.

nogweii commented 7 years ago

Therefore, we want to build a server that our projects can authenticate with for it to maintain a list of valid users and their OAuth provider IDs. It's assumed that if you are invited into this system, you are trusted and have login access to all of our projects. What access that means is up to the app itself and not the purview of this. We only care about if the user attempting to log in is recognized as a friend of an existing user.
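
An added sketch of the central friend list described in the comments above; it is not part of the thread and not hawlucha's code. The class, method names and sample values are hypothetical, and it assumes accounts are keyed on the provider plus the provider's stable user ID, with invites issued only by existing users and usable once.

```python
import hashlib
import secrets


class FriendRegistry:
    """Hypothetical central list of trusted users and their OAuth identities."""

    def __init__(self, founder):
        self.users = {founder: None}  # user name -> inviter (None for founder)
        self.identities = {}          # (provider, subject ID) -> user name
        self.invites = {}             # sha256(token) -> (inviter, invitee)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked invite table does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def link_identity(self, user, provider, subject):
        """Bind a provider account to a known user; one account, one user."""
        if user not in self.users:
            raise PermissionError("unknown user")
        if self.identities.setdefault((provider, subject), user) != user:
            raise ValueError("identity already linked to another user")

    def invite(self, inviter, invitee):
        """Only an existing user can invite; returns a single-use token."""
        if inviter not in self.users:
            raise PermissionError("only existing users can invite")
        token = secrets.token_urlsafe(32)
        self.invites[self._digest(token)] = (inviter, invitee)
        return token

    def redeem(self, token, provider, subject):
        """Consume an invite and bind the redeemer's provider account."""
        if (provider, subject) in self.identities:
            raise ValueError("identity already linked")
        inviter, invitee = self.invites.get(self._digest(token), (None, None))
        if inviter is None or invitee in self.users:
            raise PermissionError("invalid, used or superseded invite")
        del self.invites[self._digest(token)]
        self.users[invitee] = inviter
        self.identities[(provider, subject)] = invitee
        return invitee

    def recognize(self, provider, subject):
        """Answer for any project: the friend's user name, or None."""
        return self.identities.get((provider, subject))
```

`recognize` only answers whether the account belongs to a known friend; what that friend may do stays with each app, as the comment above says.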