[Mailman-Developers] Architecture for extra profile info
Richard Wackerbarth
rkw at dataplex.net
Mon Apr 29 06:24:26 CEST 2013
Steve,
Here I agree with you.
It is useful for MM to be able to accept enterprise information when it is available.
OAuth is a mechanism that will be useful for some enterprises.
To the general public, being able to use enterprise identification from common sources such as Google or Twitter is a "friendly" way to identify a user and allow them to log into a MM system.
Within a MM installation, OAuth could be used in a more robust distributed implementation. However, for our purposes, much simpler schemes such as Basic or Digest Auth are more than adequate for the intercommunication between components such as "core", "postorius", a message store, etc.
Richard
On Apr 28, 2013, at 11:07 PM, "Stephen J. Turnbull" <stephen at xemacs.org> wrote:
> Xu Wang writes:
>
>> As oauth supported google's userinfo API, one needs to present a valid
>> google's oauth access token to get access.
>> s/google/mailman/g on the above statement, and it will be true too.
>
> I disagree, in the sense that Google (as an OAuth provider) is in the
> business of *providing* enterprise workflows such as AppEngine.
> That's why they need to be an OAuth provider. Mailman is a support
> function for workflows (enterprise or otherwise).
>
> So it's not a "Mailman" token. It's an <enterprise> token, and the
> enterprise, not Mailman, should be the provider. If Mailman provides,
> then we have to take responsibility for foreseeing enterprise needs.
>
> If we go Wacky's route and make everything as generic as possible, we
> may need the power of OAuth to handle all that genericity. (We may
> also then need another 5 years to release Mailman 3....) But if we
> stick to the current role-based authorization model with a small fixed
> set of roles, then OpenID-like workflows (whether implemented via
> OAuth protocol or otherwise) should be enough.
>
> If a site demands more control over authentication than public OpenID
> providers can afford, then Basic Auth over HTTPS fits into the "user
> has role" authorization model as well as OpenID does. I don't see a
> need for Mailman to provide an authentication provider, and there are
> serious downsides to the proliferation of authentication providers.
>
> Steve
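As an added illustration of the point both messages make (Basic Auth over HTTPS between components, checked against a small fixed set of roles), here is a self-contained Python sketch. It is not Mailman code: the component names, secrets, role mapping and action policy are constructed for the example.

```python
import base64
import hmac
from typing import Optional

# Constructed credentials for the components that call core; in a real
# deployment these come from configuration, never from source code.
COMPONENT_CREDENTIALS = {
    "postorius": "example-shared-secret",
    "archiver": "another-example-secret",
}

# Small fixed role set per principal (hypothetical mapping).
PRINCIPAL_ROLES = {
    "postorius": {"owner", "moderator", "member"},
    "archiver": {"member"},
}

# Role each action requires (assumed policy, not Mailman's actual rules).
ACTION_REQUIRED_ROLE = {
    "change_settings": "owner",
    "hold_message": "moderator",
    "read_archive": "member",
}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client component would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate_basic(header: Optional[str]) -> Optional[str]:
    """Return the principal for a valid Basic header, else None.

    Assumes the request arrived over TLS: Basic carries the secret verbatim.
    """
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = COMPONENT_CREDENTIALS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison: do not leak how many secret bytes matched.
    return user if hmac.compare_digest(password.encode(), expected.encode()) else None


def authorize(principal: Optional[str], action: str) -> bool:
    """'User has role' check: the action's required role must be in the principal's set."""
    needed = ACTION_REQUIRED_ROLE.get(action)
    return principal is not None and needed in PRINCIPAL_ROLES.get(principal, set())
```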