
@mmulich
Last active December 17, 2015 10:09
Auth services stories

Frequently Asked Questions

How do I run a service and cnx-user on the same machine?

Under normal circumstances, cnx-user and a remote service would be on two different addresses or machines. This works well because cnx-user is set up to bypass token generation and validation for local requests. It's done this way to support its own underlying functionality for editing and searching user profiles. Therefore, putting both services in the same address or machine space won't work by default.

To correct the problem for development or testing (never production), you should set the allow-local-services setting to true. This will however disable the use of cnx-user's user interface, but will allow the remote (local in this case) service to communicate with cnx-user as it normally would.

What is meant by "communicate with cnx-user as it normally would?" This simply means that the service would communicate with cnx-user without being aware of the issue or the fix.
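The following is an added example (not cnx-user's own code) that models the behaviour the FAQ describes: loopback requests skip token generation and validation, and an `allow-local-services` setting turns that bypass off so a co-located service goes through the normal token flow. The function names, the settings dictionary, the `X-Service-Token` header and the token values are assumptions made for this illustration.

```python
import hmac
import ipaddress

# Constructed sample: tokens this cnx-user instance would have issued to
# remote services (placeholder values, not real tokens).
ISSUED_TOKENS = {"svc-token-abc123", "svc-token-def456"}

DEFAULT_SETTINGS = {"allow-local-services": False}  # assumed default


def is_local_request(remote_addr: str) -> bool:
    """Loopback addresses (127.0.0.0/8, ::1) count as 'local' for the bypass."""
    return ipaddress.ip_address(remote_addr).is_loopback


def auth_path(remote_addr: str, settings: dict) -> str:
    """Decide which path a request takes.

    'local-bypass': token generation and validation are skipped. cnx-user's own
                    profile editing/search UI relies on this path.
    'token':        the normal flow for a remote service; a valid token is required.

    With allow-local-services set to true the bypass is disabled entirely,
    which is why the FAQ notes that the UI stops working in that mode.
    """
    bypass_allowed = not settings.get("allow-local-services", False)
    if bypass_allowed and is_local_request(remote_addr):
        return "local-bypass"
    return "token"


def authorize(remote_addr: str, headers: dict, settings: dict,
              issued_tokens=ISSUED_TOKENS) -> str:
    """Return the authorization outcome for one request."""
    if auth_path(remote_addr, settings) == "local-bypass":
        return "ok (local bypass)"
    presented = headers.get("X-Service-Token", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    for token in issued_tokens:
        if hmac.compare_digest(presented, token):
            return "ok (token)"
    return "rejected"


if __name__ == "__main__":
    dev_settings = {"allow-local-services": True}
    scenarios = [
        ("127.0.0.1", {}, DEFAULT_SETTINGS, "local UI, default settings"),
        ("127.0.0.1", {"X-Service-Token": "svc-token-abc123"}, DEFAULT_SETTINGS,
         "co-located service, default settings (token is never checked)"),
        ("127.0.0.1", {"X-Service-Token": "svc-token-abc123"}, dev_settings,
         "co-located service, allow-local-services=true"),
        ("127.0.0.1", {}, dev_settings, "local UI, allow-local-services=true"),
        ("10.0.0.5", {"X-Service-Token": "wrong"}, DEFAULT_SETTINGS,
         "remote service with a bad token"),
    ]
    for addr, hdrs, cfg, label in scenarios:
        print(f"{label}: {auth_path(addr, cfg)} -> {authorize(addr, hdrs, cfg)}")
```

Running the script shows the trade-off in the FAQ: with the default settings a co-located service is silently treated like the local UI (its token is never generated or checked), and with `allow-local-services` enabled the service is validated normally while the UI's own bypass path disappears.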

How does an external service use cnx-user's authentication?

There are two potential ways for a service to use cnx-user's authentication.

  1. The service can forward a user directly to cnx-user's /server/login interface.
  2. The service can use cnx-user's JavaScript library to produce an in-service interface to cnx-user's authentication api.

1. Service login forwarding

In this scenario the user is forwarded from the service to cnx-user's /server/login interface, which will lend assistance in providing a web interface for the user to select an option for logging into the service and track where they came from in order to forward them back there afterwards.

This is the easiest way of using cnx-user. The only interface requirement for the service is the /valid url. Everything else is handled by cnx-user.
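The forwarding scenario above has cnx-user track where the user came from and send them back there after login. As an added example (not cnx-user's code), here is how that "return to" tracking can be kept safe: the stored location is accepted only when it belongs to a service registered with this cnx-user instance, so the login page cannot be used to redirect a user to an arbitrary site. The registered-service list, the session dictionary and the function names are assumptions for this illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: origins of the services registered with this cnx-user
# instance. A real deployment would load these from configuration.
REGISTERED_SERVICES = {
    "https://service-a.example",
    "https://service-b.example",
}


def service_origin(url: str):
    """Return 'scheme://host[:port]' for an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Rejects scheme-relative ('//evil.example/'), relative and
        # non-web ('javascript:') locations alike.
        return None
    return f"{parts.scheme}://{parts.netloc}"


def remember_return_to(session: dict, came_from: str) -> bool:
    """Store the location the user arrived from, if it is a registered service.

    Returns True when the location was stored, False when it was refused.
    """
    origin = service_origin(came_from)
    if origin is None or origin not in REGISTERED_SERVICES:
        return False
    session["return_to"] = came_from
    return True


def after_login_redirect(session: dict, default: str = "/") -> str:
    """Consume the stored location (single use) or fall back to a safe default."""
    return session.pop("return_to", default)


if __name__ == "__main__":
    session = {}
    for candidate in (
        "https://service-a.example/workspace?doc=42",
        "https://service-a.example.evil.example/",   # host suffix trick
        "//evil.example/login",                       # scheme-relative
        "javascript:alert(1)",
    ):
        print(candidate, "->", "stored" if remember_return_to(session, candidate) else "refused")
    print("redirect to:", after_login_redirect(session))
    print("redirect to (nothing stored):", after_login_redirect(session))
```

Comparing the whole origin rather than a host prefix is what stops the `service-a.example.evil.example` case, and popping the value makes the redirect single use so a stale location cannot be replayed on a later login.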

2. Using the JavaScript library

In this scenario the login interface is provided within the service application. The service application loads the cnx-user JavaScript library, which provides a friendly web interface, similar to that used within cnx-user's own interface, to provide user login functionality.

This gives the service a way to customize the login in such a way that the user never needs to see the cnx-user interface or know that it exists. In other words, the user transparently uses cnx-user.

This way of using cnx-user is slightly more complex, but provides more flexibility and customization from the service application perspective. This requires the cnx-user JavaScript library and the generally required service interface to the /valid url.

Roadmap

presentation

Nice to have

  • consuming service auth library as a service
  • groupings
  • system group for API keys
    • general user groups
  • API
    • missing definitions for 3-4 routes for groups functionality

CNX authentication and profile services

Definitions

User types

visitor

A person visiting the application via HTTP that may or may not be authenticated.

consumer

Connexions visitor that intends to consume content rather than produce it.

producer

Connexions visitor that intends to produce content.

system

A system intending to use authentication services to use this service or one of the connected systems.

admin

Connexions staff and affiliates.

Ross

Ross. And other ops folks.

developer

The people writing the code to make this thing work.

Group types

Consumers

Gives users the ability to view user profile information.

API-Consumer

Gives Consumers api abilities to retrieve user profile information.

API-Affiliate

Gives api users the ability to add, remove and modify user and identity information.

Admins

Gives full access to the user.

Stories

As Ross, I want to be able to add and remove {users, identities} to/from the system via the commandline.

As Ross, I want to be able to manage users' group membership via the commandline.

As Ross, I want to limit access to various pieces of information through permissions and groups, because securing user profiles is very important.

As Michael, a developer, I want to be running on Python 3.3, because I'm more efficient in the latest version of Python.

Cases

Splash screen

(done)

As a first time visitor, I want to know what it is I'm looking at, because otherwise I'll just go away.

/ - splash screen for anonymous user signup and general information about what this application is for.

My first visit

(done)

As an anonymous visitor, I want to become a member of the site using my Google or OpenID account.

/ - Activate signup link

/register - A list of providers to signup with. This submits to the server-side login functionality. (e.g. /server/login/openid)

set-cookie - After registration/authentication a cookie for future requests needs to be set.

My second visit

As a returning visitor, I want to login so that I can use this service as well as other connected services.

/login - Same structure as /register except with different wording. And it posts to the exact same location(s).

Therefore, I am...

As an authenticated visitor, I want to view the user information this system knows about me so that I know who I am to this service and what information will be used by connecting services.

/users/:id - Displays the profile information in a clear and concise format including any connected identities. This uses the server-side api to /api/users/{user_id} and /api/users/{user_id}/identities.

As an authenticated visitor, I want to edit my user information, so that connecting services have the correct information about me and so that other services have a correct email address to contact.

/users/:id/edit - Edit the user model information. Posts (PUT and PATCH) back to /api/users/{user_id}.

As an authenticated visitor, I want to connect another identity to my user so that I can login as either.

/connect - Same structure as /register and /login except with different wording. And it posts to the exact same location(s).

Wardrobe choices

As a returning visitor, I want to login, but don't remember which identity I originally used. Later I find out I originally used OpenID, but this time I've used Google. When I login, I see nothing in my workspace because I've created an all new identity and user profile. Here's what I do next: 1) Get frustrated and leave 2) Contact the non-existent Connexions support 3) Try logging in with my Google identity. None of these possibilities helps me easily get to my intended location.

Potential solutions: 1) Provide the authenticated visitor with additional information on signup about connecting more than one identity 2) Provide user account merging after an authenticated user authenticates with the previously used identity 3) Remove all evidence of the authenticated user's existence and walk away. ;) Clearly number three is a joke, but both one and two should be implemented.

Autobiography

As a returning or first time visitor, I want to edit my user profile information, because this information is used in publications and parts of the user interface.

From a past life

As a previous connexions visitor and/or contributor, I want to recover my previous account details so that I can easily connect myself with previously created content.

This would be done by sending a verification email to the email address on record. Optionally, we can set up an index to recover accounts by user id, but the email recovery process would still be used.

Admin and system cases

Being nosey

As an admin, I want to view a user profile to see their identity connections.

Problems, forget about it

As an admin, I want to view a user profile to add and remove identities from this profile.

What's 'er name?

As an admin, I want to search for user profile(s) that match a search criteria, because with a few thousand users, it might be hard to find the exact one I'm looking for.

Skynet would like to know you

As an affiliate system, I want to access user profile information, because I wish to supplement my application's abilities. For example, I want to know a user's email address so that I can notify them when their published content is available for viewing.

As a connecting service, I want to verify the redirected user is who they say they are so that I can ensure I'm giving access and permissions to their things and things shared with them.
