[Haskell-cafe] Unified Haskell login

Jason Dagit dagit at codersbase.com
Fri Sep 17 03:16:25 EDT 2010


On Thu, Sep 16, 2010 at 11:47 PM, Michael Snoyman <michael at snoyman.com> wrote:
> Hi cafe,
>
> Let me preface this by stating that this is purposely a half-baked
> idea, a straw man if you will. I'd like to hear what the community
> thinks about this.
>
> I mentioned yesterday that I was planning on building haskellers.com.
> The first technicality I considered was how login should work. There
> are a few basic ideas:
>
> * Username/password on the site. But who wants to deal with *another* password?
> * OpenID. Fixes the extra password problem, but doesn't give us any
> extra information about the user (email address, etc).

I would love to be able to use 1 account (preferably OpenID) across
all of the haskell infrastructure, trac instances (GHC/Cabal and the
ones on community.haskell.org), wiki, and hackage.  I'm "Ok" with
using separate ssh keys for the shell login.



> * Facebook/Twitter/Google: We get the user's email address, but do we
> *really* want to force users to have one of those accounts?

I thought google accounts (and maybe facebook) can be used with
openid.  I might be wrong about that.

> I then started thinking about the Yesod documentation site[1], and
> realized in the not-too-distant future I'm going to want to provide a
> feature tracker. Once again, I'll need to face the exact same problem.
> And then I realized something: I already have *two* Haskell-centric
> logins: one for Hackage, and one for the Haskell wiki.
>
> Consolidating our logins as a community could be a huge plus. If we
> keep the same kind of system as we have now with Hackage and the wiki,
> we can verify each new user to keep things "clean". Or even better: we
> could have a built-in permissions system: permissions for uploading to
> Hackage, modifying the wiki, feature requests, etc. Users get
> simplification of only needing to apply for an account once and only
> need to remember one password. (In fact, if we wanted to, we could
> bypass the password some of the time by allowing OpenID
> authentication.)

Keep in mind that we can separate identity (OpenID) from authorization
data.  We can also separate authorization from the policy enforcement.
The terminology and degrees of separation are new to me but I've been
learning about them for work recently.

You could imagine a system where OpenID provides your identity.  Once
authenticated, you request to do something (say a hackage upload),
the hackage server can then request your authorization data (possibly
from a different server) based on your authenticated identity.  It
could then get back a list of attributes saying what your identity is
allowed to do.  Then the enforcement could be carried out by hackage.
It looks in your attributes, sees that you do or do not have upload
privileges and then decides if the upload should work.

There are other ways to do it of course.

>
> But perhaps the biggest advantage would be the community building
> advantage. Imagine if you go to Hackage and the upload by field is a
> link to someone's Haskellers profile. Imagine going to Haskellers and
> seeing a list of all the user's uploaded packages and wiki
> contributions. We could even start with some clever things like badges
> per user. I'm sure there are lots of possibilities out there I haven't
> considered.

What you're describing is exactly one of the things that having a
stable identity across sites allows for.  OpenID supports this well.
My haskell community identity could be the same as my stackoverflow
identity.

>
> Obviously there are some technical hurdles to overcome. We would
> probably need to do some significant work on the wiki to get this to
> happen. But given that we seem to have had trouble with mediawiki in
> the past (I remember hearing about some migration issues), maybe it's
> time to eat our own dog food and switch to a Haskell-based wiki[2]
> that could be more easily modified to suit our needs. We would also
> need some kind of protocol for the cross-site authentication; OAuth
> 2.0 might be worth considering for this.

I could be mistaken, but I thought OAuth allowed for delegation not
cross-site authentication.  For example, I could use OAuth to let
facebook get at my gmail contacts without giving facebook enough
information to use gmail as me.

As for switching to a haskell based wiki.  It has some perks.  The
major hesitation for me is that what we have now seems to work well
enough and I personally think the haskell community is better off not
directing a large focused effort at refining a wiki engine.  It's a
fine line though and in general I feel that infrastructure is really
important.  I suspect it's hard to do a better job than MediaWiki
simply because they have so many users and have done so much
engineering work.  I do like gitit though.

>
> All of this may just be the ramblings of a mad-man (I haven't had
> breakfast yet), but I do think that *some* form of unified login could
> really push Haskell forward.

Yes, I think you've really stumbled on a good suggestion.  We can
quibble about implementation, but at a high level you have my vote!  I
was just saying today that the new hpaste site should support OpenID.

Jason
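
The separation described in the message above (identity from OpenID, authorization attributes from a second server, enforcement at the service), sketched as an added example that is not part of the original post or of any Haskell infrastructure code. The OpenID identifiers, attribute names such as `hackage:upload`, the shared HMAC key and both function names are assumptions; `identity` stands for an identifier the service has already authenticated.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the attribute authority and the enforcement point.
AUTHORITY_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed authorization data, keyed by authenticated OpenID identifier.
ATTRIBUTES = {
    "https://openid.example/alice": ["hackage:upload", "wiki:edit"],
    "https://openid.example/bob": ["wiki:edit"],
}


def issue_attributes(identity, now=None, ttl=300):
    """Attribute authority: return a signed, expiring attribute assertion."""
    now = time.time() if now is None else now
    body = json.dumps(
        {"sub": identity, "attrs": ATTRIBUTES.get(identity, []), "exp": now + ttl},
        sort_keys=True,
    ).encode()
    tag = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).hexdigest()
    return body, tag


def enforce(identity, action, assertion, now=None):
    """Enforcement point (e.g. the upload handler): deny unless every check passes."""
    now = time.time() if now is None else now
    if identity is None or assertion is None:
        return False  # not authenticated, or authority unreachable: fail closed
    body, tag = assertion
    expected = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # attributes were not issued by the authority
    claims = json.loads(body)
    if claims["sub"] != identity or claims["exp"] < now:
        return False  # issued for someone else, or stale
    return action in claims["attrs"]
```

The enforcement point trusts the attribute list only after checking that it was signed by the authority, names the same identity that authenticated, and has not expired; an identity the authority does not know gets an empty list and is denied.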

