| A3M - Account Authentication & Authorization Module |
[eluser]Peng Kong[/eluser]
[quote author="gr0uch0mars" date="1284997574"] I've just read an interesting doc about user experience on this kind of login; and referring to "username/email" I'd always choose to user email. I'm surprised you said an email can be shared by two people, because I had never thought about it (I would never share my personal email account with somebody else). [/quote] lol u got me wrong. i'm not saying share email with others. i'm saying one email can have two accounts. unlikely and it's not the intent. one user usually only would ever have one acc. but the problem is if you don't verify what's stopping someone from putting someone else email? the point is it's pointless.. cuz email is only used for communication.
[eluser]Peng Kong[/eluser]
erm guys don't debate seriously don't. juz fork a3m and do it the way you like. just don't use the name a3m since it already represent this  for a3m. it's suppose to be the future where openid/oauth is used. native signin with username and password is only a fallback for a small minority of users. in the first place people shouldn't let small sites manage their password... let facebook or google do it man. so only a small minority of users on a3m will ever see the manage password page and care about signing in with username + password. so really this is an unimportant debate. mass majority of user should use facebook or google. small minority who use native sign will/should at some point connect their facebook or google. why even type username+password when you can click one button and be signed in? tell me what is more simple then clicking one button to sign in? nothing is more simple! users will use the most simple way cuz their lazy. i'm against email verification cuz it's troublesome like hell. it's imo an old way of doing things. you verify cuz you want a "back up" channel to verify the account owner. in the new world openid changes all that, there's no longer a need... that's why i did away with email verifications for a3m. mobile is the future. tons of pple surf the web using mobile phones. go check the statistics yourself. you think verification is not a hassle? try doing it with ur mobile phone ok let me correct myself... i'm not saying never verify users email. im saying don't face users to verify the email as part of the sign up process. currently native a3m sign up is... enter username, password, email = sign in currently native a3m sign in process is... enter username and password = sign in currently a3m sign up process is... click google/facebook/etc, enter username = sign in currently a3m sign in process is... click google/facebook = sign in a3m is MINIMALISTIC. doing away with EVERYTHING it can do away with. let users sign in freaking easily and start using your website. then later on can slowly collect the 100000 info you need and ask them verify as many emails as you like
[eluser]gr0uch0mars[/eluser]
OK, now I understand what you meant. That problem would be only in case with Untrusted IDP, because for Trusted IDP it would be necessary for the user to authenticate himself there, and if he's not the owner, no possibility to register in our site. In the other case, an email verification should be advised. That's a problem of security, but I'm focusing on connectivity. Don't get me wrong neither: I see Usernames could be more intuitive, to users and to developers; but let's be real: email could let us take advantage of Social networks, where people write all their profiles. We can use that to avoid him write a info again, excepting certain cases (email already in database, taken username, untrusted IDP...) I know it's a complicated, but I'd like to make something that won't be out-of-date in a year, where users profiles (as it seems is gonna happen) goes through Social Networks; they'll have all the profile info. Let's make the visitor enjoy his visit to our web for the content, not for having to rewrite/revalidate/remember data. EDIT: I've just read your last post. Of course I'd like to sing up/in with just a click; even just entering your email and the system detecting what kind of email it is automatically, without pressing ANY button. That's my main purpose of this!!! But we need to think of people who don't have email. All situations should be taken into account.
[eluser]Peng Kong[/eluser]
if you sign in with google. the site automatically has your email. if you do a native sign in you have to provide the email. anyway really guys it isn't that hard at all to add in email verifications and stuff. that the whole beauty of a3m. it's designed so that it's a piece of cake to extend and reuse code. as long as you understand how it's designed... so why not we discuss how it's designed... rather then our dream authentication system. once we all understand how it's designed... we can go off and built whatever best fits our need using a3m as a base to super charge kick start development. i spent 3 months developing it on an ad-hoc basis so you guys can develop exactly what you need in half the time.
[eluser]Peng Kong[/eluser]
All situations should be taken into account. exactly. that's why i didn't leave out a native sign in option
[eluser]Peng Kong[/eluser]
ok so let's get to how it's designed and what every code does. so that if you wan change password must enter old password. you can add it urself in 5 mins then we won't need to discuss which is the right way or best way... cuz there isn't one. all of us have different use case and needs.
[eluser]sirwan.me[/eluser]
well my opinion is keep it simple, i kind of agree with pk on this one. this is a powerful lightweight auth, simple for users and designers and developers to use. just keep it simple... imo.. all we really need is a roles, permissions, admin area, couple more things and thats it. users login in with one button. tho i think gr0uch had more of a 'registration' solution to get users to register quicker or something like that.. i think we should just develope and make A3M with more features. Its almost done really.
[eluser]gr0uch0mars[/eluser]
Each person will need something different, so even if we agree something every person will custom it. So let's go with the code, which is the interesting thing! Peng Kong you said you had an ACL quite developed? Could we know something about it? How you manage user's roles and permissions? It's true we have to understand the code in order to custom it. Quote:tho i think gr0uch had more of a ‘registration’ solution to get users to register quicker or something like that...I thought account authentication was a bit more delicate than authorization, because the former needs code from other people (OAuth, OpenID, Facebook Connect...) which is hard to understand sometimes (at least for me), and the latter, apart from roles and permissions which is what I'd like to know, is simply to code profiles, admin panels to update/ban... Although the discussion was interesting, let's move on to the code.
[eluser]sirwan.me[/eluser]
makes sense, id like to see how pks done the acl
[eluser]Anraiki[/eluser]
Hi Peng, I need some clarification on installing this module. I am quite new to Codeigniter and I am making my first project to have a User Authentication System, and hence you already have one built, I thought I can save some time just by installing yours. My problem is installing it. I have uploaded a clean CI to the server, and I am wondering where do I put the contents of the a3m folder, and I believe it is the root directory? What do I do after that? ----------------------- [Edit] I seem to find my way through. All I did was navigated to the folder and it seems to be working :] ----------------------- [double-Edit] It seems I can't navigate to the Sign-In or Sign Up or Facebook Connect Pages. I have Path Info enabled as well. Any other additional configuration should I make? You may ignore what I said. Unless you have further tips and tricks for me that I should consider. |
| Welcome Guest, Not a member yet? Register Sign In |
