couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Dionne <>
Subject Re: Merge in new authentication code
Date Sat, 25 Aug 2012 11:11:25 GMT

On Aug 25, 2012, at 4:46 AM, Benoit Chesneau <> wrote:

> On Aug 25, 2012 3:27 AM, "Jason Smith" <> wrote:
>> Hi, developers.
>> At Iris Couch, we have used two third-party CouchDB extensions for a
>> very long time. I would like to merge both of them into master. They
>> provide alternative ways to create a CouchDB user and to log in to
>> CouchDB.
>> Both mechanisms use a third-party authenticator which basically tells
>> CouchDB that the person is who they say they are. Both mechanisms then
>> create a local CouchDB _users document. So you can set a .password
>> value and have both types of authentication.
>> ## Mozilla Persona
>> Written by Randall, used in production here for a year. This is
>> hands-down the easiest way for developers to add logins to their Couch
>> apps. See
>> ## CouchDB-XO_Auth
>> Created by Ocasta, this is basically a general OAuth implementation.
>> It already works against Facebook and I am now making sure it works
>> with GitHub too. It has the same autovivication feature for
>> newly-authenticated users.
> These extensions are nice but I don't think they should be part of the
> couchdb distribution.
> In my opinion we should keep the couchdb simple and only target core
> features which are imo Document oriented, Views, CouchApps . (couchapps
> and views could be also considered as core features extensions).  Which
> doesn't mean we shouldn't support new addons, and for me the best way to
> do that is to ease their installation and management in couch and
> provide tools to make your own distribution.


> Also, adding these addons in couch will slow down the development of such
> extensions. Fix would only happen when couch is released which is imo
> bad. Especially for the 2 extensions you mention since theyr are moving
> target (persona is not yet a stable protocol nor widely used and the
> other connect to proprietary oauth extensions which can be changed ahen
> the commercial entity want). Keeping them out the core distribution is
> better for them.
> Maybe as sub-projects? Not sure it worth the admin stuff.
> - benoit

View raw message