How do I run a service and cnx-user on the same machine?
Under normal circumstances, cnx-user and a remote service would be on two
different addresses or machines. This works well because cnx-user is
set up to bypass token generation and validation for local requests.
It's done this way to support its own underlying functionality for
editing and searching user profiles. Therefore, putting both services
in the same address or machine space won't work by default.
To correct the problem for development or testing (never production),
you should set the allow-local-services setting to true.
This will however disable the use of cnx-user's user interface,
but will allow the remote (local in this case) service to communicate
with cnx-user as it normally would.
What is meant by "communicate with cnx-user as it normally would?"
This simply means that the service would communicate with cnx-user without
being aware of the issue or the fix.
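A sketch of the behaviour described above, added here as an illustration and not taken from cnx-user's code: it models which callers skip the token handshake under each value of allow-local-services. How cnx-user decides that a request is local is not stated on this page; the loopback/own-address test, the function names and the sample addresses are assumptions.

```python
import ipaddress

def is_local(remote_addr, host_addrs=()):
    """Assumed locality test: loopback, or one of this host's own addresses."""
    ip = ipaddress.ip_address(remote_addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    own = {ipaddress.ip_address(a) for a in host_addrs}
    return ip.is_loopback or ip in own

def token_policy(remote_addr, allow_local_services=False, host_addrs=()):
    """Return 'bypass' when token generation/validation is skipped, else 'token'."""
    if allow_local_services:
        # Local callers are treated like any remote service.
        return "token"
    return "bypass" if is_local(remote_addr, host_addrs) else "token"

def ui_available(allow_local_services=False):
    """Per the text above, enabling the setting disables cnx-user's own interface."""
    return not allow_local_services

def audit(callers, allow_local_services=False, host_addrs=()):
    """Names of services that expect tokens but would land on the local bypass."""
    return [name for name, addr in callers
            if token_policy(addr, allow_local_services, host_addrs) == "bypass"]

# Constructed inventory of services and the address cnx-user would see them from.
HOST_ADDRS = ("192.0.2.5",)
CALLERS = [
    ("editor", "203.0.113.10"),          # separate machine
    ("dev-service", "127.0.0.1"),        # same machine, loopback
    ("dev-service-v6", "::ffff:127.0.0.1"),
    ("same-host", "192.0.2.5"),          # same machine, public address
]

if __name__ == "__main__":
    for flag in (False, True):
        print("allow-local-services =", flag,
              "| affected:", audit(CALLERS, flag, HOST_ADDRS),
              "| UI available:", ui_available(flag))
```
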
How does an external service use cnx-user's authentication?
There are two potential ways for a service to use cnx-user's authentication.
The service can forward a user directly to cnx-user's
/server/login interface.
The service can use cnx-user's JavaScript library to produce
an in-service interface to cnx-user's authentication api.
1. Service login forwarding
In this scenario the user is forwarded from the service to cnx-user's
/server/login interface, which provides a web interface for the user
to select an option for logging into the service and tracks where
they came from in order to forward them back there afterwards.
This is the easiest way of using cnx-user. The only interface requirement
for the service is the /valid url. Everything else is handled by cnx-user.
2. Using the JavaScript library
In this scenario the login interface is provided within the service
application. The service application loads the cnx-user JavaScript
library, which provides a friendly web interface,
similar to that used within cnx-user's own interface,
to provide user login functionality.
This gives the service a way to customize the login in such a way that
the user never needs to see the cnx-user interface or know that it exists.
In other words, the user transparently uses cnx-user.
This way of using cnx-user is slightly more complex, but provides more
flexibility and customization from the service application perspective.
This requires the cnx-user JavaScript library and the generally required
service interface to the /valid url.
A person visiting the application via HTTP that may or may
not be authenticated.
consumer:
Connexions visitor that intends to consume content rather
than produce it.
producer:
Connexions visitor that intends to produce content.
system:
A system intending to use authentication services to use
this service or one of the connected systems.
admin:
Connexions staff and affiliates.
Ross:
Ross. And other ops folks.
developer:
The people writing the code to make this thing work.
Group types
Consumers:
Gives users the ability to view user profile information.
API-Consumer:
Gives Consumers api abilities to retrieve user
profile information.
API-Affiliate:
Gives api users the ability to add, remove and modify
user and identity information.
Admins:
Gives full access to the user.
Stories
As Ross, I want to be able to add and remove {users,
identities} to/from the system via the commandline.
As Ross, I want to be able to manage users' group membership
via the commandline.
As Ross, I want to limit access to various pieces of information
through permissions and groups, because securing user profiles is
very important.
As Michael, a developer, I want to be running on Python 3.3, because I'm more
efficient in the latest version of Python.
Cases
Splash screen
(done)
As a first time visitor, I want to know what it is I'm looking at,
because otherwise I'll just go away.
/ -
splash screen for anonymous user signup and general
information about what this application is for.
My first visit
(done)
As an anonymous visitor, I want to become a member of the site using
my Google or OpenID account.
/ -
Activate signup link
/register -
A list of providers to signup with. This submits to the server-side
login functionality. (e.g. /server/login/openid)
set-cookie -
After registration/authentication a cookie for future requests needs to be set.
My second visit
As a returning visitor, I want to login so that I can use this service
as well as other connected services.
/login -
Same structure as /register except with different
wording. And it posts to the exact same location(s).
Therefore, I am...
As an authenticated visitor, I want to view the user information this
system knows about me so that I know who I am to this service and what
information will be used by connecting services.
/users/:id -
Displays the profile information in a clear and concise format
including any connected identities. This uses the server-side api to
/api/users/{user_id} and /api/users/{user_id}/identities.
As an authenticated visitor, I want to edit my user information, so
that connecting services have the correct information about me and so
that other services have a correct email address to contact.
/users/:id/edit -
Edit the user model information. Posts (PUT and PATCH) back to
/api/users/{user_id}.
As an authenticated visitor, I want to connect another identity to my user
so that I can login as either.
/connect -
Same structure as /register and /login except with different
wording. And it posts to the exact same location(s).
Wardrobe choices
As a returning visitor, I want to login, but don't remember which
identity I originally used. Later I find out I originally used OpenID,
but this time I've used Google. When I login, I see nothing in my
workspace because I've created an all new identity and user profile.
Here's what I do next: 1) Get frustrated and leave 2) Contact the
non-existent Connexions support 3) Try logging in with my Google identity.
None of these possibilities helps me easily get to my
intended location.
Potential solutions: 1) Provide the authenticated visitor with
additional information on signup about connecting more than one
identity 2) Provide user account merging after an authenticated user
authenticates with the previously used identity 3) Remove all evidence
of the authenticated user's existence and walk away. ;)
Clearly number three is a joke, but both one and two should be
implemented.
Autobiography
As a returning or first time visitor, I want to edit my user profile
information, because this information is used in publications and
parts of the user interface.
From a past life
As a previous connexions visitor and/or contributor, I want to recover
my previous account details so that I can easily connect myself with
previously created content.
This would be done by sending a verification email to the email
address on record. Optionally, we can set up an index to recover
accounts by user id, but the email recovery process would still be
used.
Admin and system cases
Being nosey
As an admin, I want to view a user profile to see their identity
connections.
Problems, forget about it
As an admin, I want to view a user profile to add and remove
identities from this profile.
What's 'er name?
As an admin, I want to search for user profile(s) that match a search
criteria, because with a few thousand users, it might be hard to find
the exact one I'm looking for.
Skynet would like to know you
As an affiliate system, I want to access user profile
information, because I wish to supplement my application's
abilities. For example, I want to know a user's email address so that
I can notify them when their published content is available for
viewing.
As a connecting service, I want to verify the redirected user is who
they say they are so that I can ensure I'm giving access and
permissions to their things and things shared with them.