Open LukasKalbertodt opened 6 months ago
An alternative idea by @LukasKalbertodt: We could let the auth layer provide a realm_name
or something like it that overrides the username as the user realm root path. That way, institutions could implement hashing and other obfuscation or even "beautification" steps in their auth server, for example.
One client of ours voiced interest in this feature as they consider disclosing usernames as a security risk, putting Tobira and other of their systems at risk. I have not yet fully grasp the details here.
The idea would be to (if configured that way) either create a random ID for new user pages (like we do for events) or hash the username. As a separate feature, we could allow users to change their user-page ID, basically like a channel ID on youtube, on a first-come-first-serve basis. Though I imagine follow-up complications there: preventing impersonation, giving lecturers higher priority in the user-page ID choice, ...
In any case, not a big priority right now.