Authentication FAQ

From iDigBio
Revision as of 15:14, 28 November 2011 by Kevinlove (talk | contribs) (Created page with "== Whats Going on Here? == iDigBio is trying out an authencation scheme we call "Social Authencation", this means that instead of requiring a username and password to log in, yo...")

What's Going on Here?

iDigBio is trying out an authentication scheme we call "Social Authentication". This means that instead of requiring a username and password to log in, you can use one of the accounts you probably already have to sign in.

How does all this work?

When you click the sign in link, we redirect your browser to a special URL for each provider. This URL asks the provider to sign you into your account if you're not signed in already. Your provider then checks whether you've previously indicated that you trust iDigBio, and if you haven't, the provider asks you whether you want to trust us. Once you've agreed to the trust relationship, the provider sends you back to our website with a unique identifier that we can use to associate your provider account with your iDigBio account.
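As an added illustration of the redirect exchange just described (this is example code written for this page, not iDigBio's or HybridAuth's own implementation), the following Python simulates both sides of an OAuth 2.0 authorization-code sign-in: the site builds the provider URL with a per-session random state value, the provider prompts for trust only the first time and then redirects back with a one-time code, and the site checks the state, redeems the code for an opaque provider identifier and maps that identifier to a local account. The provider endpoint, client id, redirect URI and user ids are constructed placeholders, and the provider itself is a stand-in class rather than a real service.

```python
"""Simulated OAuth 2.0 authorization-code sign-in, showing both the
site's and the provider's side of the exchange described in the FAQ."""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider endpoint and client registration (constructed placeholders).
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "demo-client-id"
REDIRECT_URI = "https://site.example/auth/callback"


class FakeProvider:
    """Stand-in for the identity provider: issues codes and redeems them for a stable user id."""

    def __init__(self):
        self._codes = {}       # one-time code -> provider user id
        self._consent = set()  # (user_id, client_id) pairs the user has already trusted

    def authorize(self, user_id, client_id, redirect_uri, state, consent_given):
        """Provider side: if the user trusts the client (now or earlier), redirect back with a code."""
        key = (user_id, client_id)
        if key not in self._consent:
            if not consent_given:
                return None  # user declined the trust prompt; nothing is sent back
            self._consent.add(key)
        code = secrets.token_urlsafe(16)
        self._codes[code] = user_id
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange_code(self, code, client_id):
        """Token endpoint: a code is usable once and yields only an opaque provider identifier."""
        user_id = self._codes.pop(code, None)
        if user_id is None:
            raise ValueError("unknown or already-used code")
        return {"provider_user_id": user_id}


class SocialAuthSite:
    """Site side: builds the authorize URL, checks state, links provider ids to local accounts."""

    def __init__(self, provider):
        self.provider = provider
        self.session = {}  # per-browser session store (a single browser in this demo)
        self.links = {}    # (provider_name, provider_user_id) -> local account name

    def start_sign_in(self, provider_name):
        # A fresh random state binds the callback to this browser session (CSRF protection).
        state = secrets.token_urlsafe(16)
        self.session["oauth_state"] = state
        self.session["oauth_provider"] = provider_name
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "state": state,
        })

    def handle_callback(self, callback_url, local_account=None):
        params = parse_qs(urlparse(callback_url).query)
        expected = self.session.pop("oauth_state", None)
        got = params.get("state", [""])[0]
        if expected is None or not hmac.compare_digest(expected, got):
            raise PermissionError("state mismatch: callback was not started by this session")
        provider_name = self.session.pop("oauth_provider")
        token = self.provider.exchange_code(params["code"][0], CLIENT_ID)
        key = (provider_name, token["provider_user_id"])
        if local_account is not None:
            self.links[key] = local_account  # link a (possibly additional) identifier
        account = self.links.get(key)
        if account is None:
            raise LookupError("no local account is linked to this provider identifier")
        self.session["user"] = account
        return account


def demo():
    """Walk through a first sign-in (trust prompt, account linking) and a later one (no prompt)."""
    provider = FakeProvider()
    site = SocialAuthSite(provider)
    url = site.start_sign_in("ExampleProvider")
    state = parse_qs(urlparse(url).query)["state"][0]
    # First visit: the user is asked to trust the site and agrees; link the identifier to "alice".
    back = provider.authorize("alice@provider", CLIENT_ID, REDIRECT_URI, state, consent_given=True)
    first = site.handle_callback(back, local_account="alice")
    # Second visit: consent is remembered, so no prompt; the identifier resolves on its own.
    url2 = site.start_sign_in("ExampleProvider")
    state2 = parse_qs(urlparse(url2).query)["state"][0]
    back2 = provider.authorize("alice@provider", CLIENT_ID, REDIRECT_URI, state2, consent_given=False)
    second = site.handle_callback(back2)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The point of the `state` check is that a callback URL only counts if it was requested from the same browser session that started the sign-in; a callback arriving with a different or missing state is rejected before any code is redeemed. Note also that the site never receives the provider password, only a one-time code and an opaque identifier, which is what the FAQ means by passing the minimum information needed.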

Is this safe?

Yes. iDigBio never sees your provider username and password, and all communication with the provider is done via standards-compliant communication channels. The communities developing these standards have put a lot of effort into them to make sure that they are both secure and pass only the minimum amount of information necessary to complete the transaction. The providers are also supposed to give you the ability to cancel a trust relationship at any time, so you could in theory disassociate your provider account from iDigBio without even visiting our site.

I was asked to provide you access to X, what do you need that for?

Many of the provider interfaces we're using were designed to allow developers to create applications that interact with your provider account for you. iDigBio requests the minimum permissions possible when connecting to your account, but sometimes this can still seem like a lot of access. Rest assured, iDigBio values its relationships with the community and the only thing we use this access for is authentication. The standards we're using for communication also require the user to be currently logged in for any account access, so if you're not currently logged in to iDigBio it's impossible for us to do anything.

Different providers give us different levels of default access, so if you're still uncomfortable with the level of access we'd get from a specific provider, you can use a different provider, or simply use a username and password to sign in instead. The whole idea behind Social Authentication is to allow you flexibility with the way you identify yourself to us so that you can do whatever is most comfortable for you.

How many identifiers can I have?

You can have any number of Social Identifiers associated with your iDigBio account, including multiple accounts per provider.

How are you doing all this?

The provider authentication logic is provided by a PHP library called HybridAuth (http://hybridauth.sourceforge.net/). At its core, HybridAuth is a wrapper around the OpenID (http://openid.net/) and OAuth (http://oauth.net/) protocols.

Other notable technologies that we're employing are Twitter's Bootstrap (http://twitter.github.com/bootstrap/) CSS framework and the Less (http://lesscss.org/) CSS pre-processor.