gbv / login-server

Login and connect accounts with multiple identity providers
https://coli-conc.gbv.de/login/
MIT License

Add /help #27

Closed nichtich closed 3 years ago

nichtich commented 5 years ago

Add an end-user friendly help page that explains the purpose and functionality of login-server and single-sign-on with basic concepts such as

The landing page / would only give a brief introduction and link to /help for details.

nichtich commented 3 years ago

I'm unsure about this issue. More text is not necessarily more helpful. Better clean up the current user interface and keep it short.

stefandesu commented 3 years ago

I see some value in collecting this information, but I don't think it needs to be on a help page. Maybe a separate document inside the repo (that can then be linked from elsewhere) would be enough.

stefandesu commented 3 years ago

At the very least, we should clarify what data exactly will be publicly available. The thing is: Login Server itself does not offer any user data to the public. However, if an associated application is used, that application will have access to all the data, and the application will decide which data to use and (potentially) share to the public. Usually, it is only a URI and a name.

nichtich commented 3 years ago

The current version is better but can be improved still, especially explain the role of "associated applications". We could add it to /sessions:

nichtich commented 3 years ago

> Login Server itself does not offer any user data to the public. However, if an associated application is used, that application will have access to all the data, and the application will decide which data to use and (potentially) share to the public. Usually, it is only a URI and a name.

Well, any website visited by a logged in user can get the user data, no?

stefandesu commented 3 years ago

> • don't redirect session page to login if not logged in but show a "you are not logged in so there are no active sessions" message.

👍

> • add explaining text about applications and sessions

👍

> Well, any website visited by a logged in user can get the user data, no?

Only those that are allowed by CORS, so no. If this was the case, any website could get any information from any service where the user is logged in.
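
The CORS restriction mentioned in the last comment, as an added example that is not part of the thread or of login-server's own code: a server sends `Access-Control-Allow-Origin` only for an exact allowlist match, and the browser lets a page's script read a credentialed response only when that header equals the page's origin. The origins, the allowlist and the function names are hypothetical.

```javascript
// Added example: the allowlist, origins and function names are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.org", // constructed "associated application"
]);

// Server side: choose the CORS headers to send for a request's Origin header.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin keeps caches from replaying one origin's response to another.
  const headers = { "Vary": "Origin" };
  if (typeof origin !== "string") return headers;
  let normalized;
  try {
    normalized = new URL(origin).origin; // scheme + host + port only
  } catch {
    return headers; // "null" or malformed Origin values get no CORS headers
  }
  // Exact match only: prefix or suffix checks would admit look-alike hosts.
  if (normalized !== origin || !allowed.has(normalized)) return headers;
  headers["Access-Control-Allow-Origin"] = normalized;
  // Needed before a browser exposes a cookie-authenticated response to script.
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side (simplified): may script on pageOrigin read a credentialed response?
function scriptMayReadResponse(pageOrigin, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  // With credentials, "*" is not accepted; the origin must be echoed exactly.
  return allowOrigin === pageOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// End to end: can a page on pageOrigin read the user data response?
function canReadUserData(pageOrigin) {
  return scriptMayReadResponse(pageOrigin, corsHeadersFor(pageOrigin));
}

console.log(canReadUserData("https://app.example.org"));
console.log(canReadUserData("https://app.example.org.other.test"));
```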