richardschneider / yappy

Yet another REST API server howling at the moon with JSON
MIT License

Authentication (AuthN) #4

Open richardschneider opened 8 years ago

richardschneider commented 8 years ago

Allow OAuth logins

Do we need our own username/password for non-OAuth? Requires lots of code for password maint.

What social media do we support? For NZ, Facebook, Google, GitHub seem reasonable. What about HK, CN and TW?

richardschneider commented 8 years ago

Authentication and password management (AuthN) is always a big issue. Stormpath might be a good fit.

richardschneider commented 8 years ago

A user should be claims based. "I claim to be a guest" would have permissions and/or roles for viewing of public information.

richardschneider commented 8 years ago

Authentication just confirms the identity of a user. It does not return any trust information (roles or permissions). So we can use Google or Facebook to identify the user, but his/her permissions are managed by our system.

I think we need an identity service that returns an authenticated user, with email being the unique ID. We then use the email to find the user in our system or do auto-enrollment.
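
The lookup-or-enroll flow described in the last comment, as an added example that is not part of the original thread or of yappy's code. The names `resolveUser`, `ROLE_PERMISSIONS`, the `identity` shape (including `emailVerified`), the in-memory store and lower-casing the email are all assumptions made for illustration.

```javascript
// Added example; resolveUser, ROLE_PERMISSIONS and the identity shape are hypothetical.
// Permissions live in our system, keyed by role; the provider never supplies them.
const ROLE_PERMISSIONS = {
  guest: ['public:view'],
  editor: ['public:view', 'content:edit'],
};

// In-memory stand-in for the user store, keyed by normalized email (constructed sample).
const users = new Map([
  ['alice@example.org', { email: 'alice@example.org', roles: ['editor'] }],
]);

// Map an identity asserted by an external provider to a local user.
// `identity` is what the identity service is assumed to return after login:
//   { provider, email, emailVerified, ...anything else the provider sent }
function resolveUser(identity, store = users) {
  if (!identity || typeof identity.email !== 'string') {
    throw new Error('identity has no email');
  }
  // Email is the unique ID, so an unverified address must not select an account.
  if (identity.emailVerified !== true) {
    throw new Error('email not verified by provider');
  }
  // Assumption: addresses are compared case-insensitively.
  const email = identity.email.trim().toLowerCase();

  let user = store.get(email);
  let enrolled = false;
  if (!user) {
    // Auto-enrollment: new users start with the least-privileged role.
    user = { email, roles: ['guest'] };
    store.set(email, user);
    enrolled = true;
  }
  // Roles and permissions come only from our record; identity.roles is ignored.
  const permissions = [
    ...new Set(user.roles.flatMap((role) => ROLE_PERMISSIONS[role] || [])),
  ];
  return { email: user.email, roles: [...user.roles], permissions, enrolled };
}
```

Because the email alone selects the local account, the check on `emailVerified` is what keeps a provider that accepts unconfirmed addresses from being used to sign in as an existing user.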