Closed: leplatrem closed this 10 years ago
We need to check if Hawk can be an alternative for users, if Persona isn't alright; I'm not sure Persona won't work, actually, but this needs some time from us to identify how we could integrate with this service. I think we should do that before removing any authentication page we have for now.
— Alexis
How does a login HTML page make sense on a Web API? It's not a rhetorical question, I am wondering for real :)
I find Persona very convenient in our case! Once CORS is enabled on /login, and once there is a way to obtain the CSRF token before posting credentials, the implementation of Persona in Daybed will be just fine!
I guess as an example of a JS Persona implementation. As an easy backend to get started faster. I used this template for Persona authentication in my JS example apps.
After a rather long discussion with @ametaireau yesterday, this page is relevant because:
We can imagine removing this page only if we confirm the following assumption:
When prompting for Persona credentials on the client application (using the Persona JS lib), the assertion obtained can be posted on the daybed /login view to authenticate the user. This may depend on the audience value of '*' specified on daybed.
Once this is confirmed, we can update #103 and rethink this one :)
Since we last discussed that in January, things have evolved a bit. Persona is not developed actively at Mozilla and its relevance for Daybed is not really clear.
One reasonable course of action seems to be to ditch Persona and implement a "normal" accounts system with a way to authenticate with Hawk.
Rationale:
Instead we should allow login and logout pages to be opened to the world :) cf. #103