couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thad Guidry <thadgui...@gmail.com>
Subject Re: Cookie Auth
Date Sat, 11 Jul 2009 00:14:39 GMT
I myself would like to see OAuth support down the road.  Also there's
numerous OASIS standards that could be applied with a little help.

Anyone else?
-THAD

On Fri, Jul 10, 2009 at 6:50 PM, Mark Hammond <skippy.hammond@gmail.com>wrote:

> On 11/07/2009 2:50 AM, Chris Anderson wrote:
>
>  One man's feature creep is another's requirement... I try to keep a
>> level head about CouchDB features by leaving out the ones that every
>> application will do differently. If we can make a session handler that
>> CouchApps all use by default, it will take an entire territory of pain
>> away from application developers. If we leave it out, everyone will
>> implement it differently and that starts to be it's own problem.
>>
>
> I agree with the sentiment, but do wonder if this session handler really
> will be a handler everyone can use by default.  My experience with web based
> authentication has been that the biggest challenges are *integration* with
> existing auth schemes and concepts of 'session'. Integration directly with
> an external auth system (eg, NTLM), or with existing applications (eg,
> working with something like Zope's concept of security/roles) quickly means
> that one size rarely fits all in sophisticated environments.
>
> So while I don't question the utility of simple auth handlers (I agree many
> people will use them *first* while determining their real requirements or
> for simple environments), I still believe the focus should be on ensuring
> all the right hooks are in place so people can contribute or write handlers
> suited to a specific purpose, rather than trying to cover all these
> 'specific purposes' in a core module. Offering simple cookie or http-based
> auth scheme handlers as a 'sample' handler makes more sense and implicitly
> acknowledges we can't predict their specific use case.  Isn't that (from
> 1000 feet above) how Apache itself manages auth?  It is how IIS does.
>
> This is obviously just my opinion though - please take it for what it cost
> you ;)
>
> Cheers,
>
> Mark
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message