On 17 September 2010 15:47, Michael Snoyman wrote:

Hi cafe,

I mentioned yesterday that I was planning on building haskellers.com. The first technicality I considered was how login should work. There are a few basic ideas:

* Username/password on the site. But who wants to deal with *another* password? * OpenID. Fixes the extra password problem, but doesn't give us any extra information about the user (email address, etc).

Unless the site providing the OpenID is Haskell.org (for people who identify with haskell.org as their primary community ;-), or if the user opts to link an email address to the OpenID they use to log in (ie. they want to authenticate with some other auth, but trust haskell.org enough to choose to provide an email address). On the other hand if someone wants to participate in some community aspects (ranking, chatting, whatever) but doesn't want to provide an email address for fear of spam, that's cool too. Conrad.

On Fri, 17 Sep 2010 08:47:02 +0200, Michael Snoyman wrote:

Hi cafe, Hi,

Let me preface this by stating that this is purposely a half-baked idea, a straw man if you will. I'd like to hear what the community thinks about this.

I mentioned yesterday that I was planning on building haskellers.com. The first technicality I considered was how login should work. There are a few basic ideas:

* Username/password on the site. But who wants to deal with *another* password?

I don't really bother, I generate them and store them encrypted.

* Facebook/Twitter/Google: We get the users email address, but do we *really* want to force users to have one of those accounts?

No. However by nature Diaspora would become an option.

* OpenID. Fixes the extra password problem, but doesn't give us any extra information about the user (email address, etc).

I would go this way. Building a new cross-sites authentication system would a big loss of time. Then you're right one needs a place to store more information about the users, I see some options: - OpenID do provides with customizable profiles that could hold some information, I don't remember the details though. - If it is not enough, then having such a service for the community would be doable and independent of the authentication. This service could holds permissions for the different services around. Best regards, -- Nicolas Pouillard http://nicolaspouillard.fr

* Michael Snoyman [2010-09-17 08:47:02+0200]

* OpenID. Fixes the extra password problem, but doesn't give us any extra information about the user (email address, etc).

This is a popular misconception. As was noted on this thread, many OpenID provideers may provide you an email or other information if you asked for it and user had supplied it. But even if not, nothing actually prevents you from *just asking the user* for the email if you need it. See stackoverflow for an example when you authenticate yourself and then can supply more information about yourself. These things are simply unrelated. -- Roman I. Cheplyaka :: http://ro-che.info/ "Don't let school get in the way of your education." - Mark Twain

Thank you everyone for the feedback. Based on what people have been saying, here's a more concrete proposal: * Creates a website haskellers.com where people can create profiles. * Logins to haskellers.com will be via OpenID. There will probably be some kind of widget to make that simpler[1]. * Multiple OpenIDs can be tied into a single profile on Haskellers. * A profile on Haskellers will have a unique number and corresponding unique URL associated with it (http://www.haskellers.com/profile/1/, for example). * On Haskellers you will be able to associate your Hackage username somehow. I'll probably need some cooperation from the Hackage side. (Ideally, I would have wanted a system where we could do away with having a separate Hackage username, but I doubt that will happen.) * The profile's unique URL will actually be a RESTful API, providing data as HTML, JSON, possible a Haskell-specific format, etc. * There will also be a RESTful API for discovering the profiles available on Haskellers. * And here's the important bit: there will be an API to lookup a profile by OpenID URL. This is what will allow the universal login: any site can simply allow OpenID login and query any information it wants from Haskellers. * Another feature I'd like to explore is allowing some kind of OAuth protocol for other websites to gain authorization to make modifications to profiles on Haskellers. The question of *what* information we want as part of a profile is also very important, but is really a tangential discussion to the universal login issue. The question I have is whether this kind of a system will provide the support other sites/services would want? Notably absent here is the use of services besides OpenID for authentication. I personally would have thought allowing Twitter and Facebook logins would be a win, but there seems to be lackluster interest in this. Also, having some kind of "login via Hackage" probably would be nice as well, but once again does not seem like there is demand for it. Michael [1] http://code.google.com/p/openid-selector/ On Fri, Sep 17, 2010 at 8:47 AM, Michael Snoyman wrote:

Hi cafe,

Let me preface this by stating that this is purposely a half-baked idea, a straw man if you will. I'd like to hear what the community thinks about this.

I mentioned yesterday that I was planning on building haskellers.com. The first technicality I considered was how login should work. There are a few basic ideas:

* Username/password on the site. But who wants to deal with *another* password? * OpenID. Fixes the extra password problem, but doesn't give us any extra information about the user (email address, etc). * Facebook/Twitter/Google: We get the users email address, but do we *really* want to force users to have one of those accounts?

I then started thinking about the Yesod documentation site[1], and realized in the not-too-distant future I'm going to want to provide a feature tracker. Once again, I'll need to face the exact same problem. And then I realized something: I already have *two* Haskell-centric logins: one for Hackage, and one for the Haskell wiki.

Consolidating our logins as a community could be a huge plus. If we keep the same kind of system as we have now with Hackage and the wiki, we can verify each new user to keep things "clean". Or even better: we could have a built-in permissions system: permissions for uploading to Hackage, modifying the wiki, feature requests, etc. Users get simplification of only needing to apply for an account once and only need to remember one password. (In fact, if we wanted to, we could bypass the password some of the time by allowing OpenID authentication.)

But perhaps the biggest advantage would be the community building advantage. Imagine if you go to Hackage and the upload by field is a link to someone's Haskellers profile. Imagine going to Haskellers and seeing a list of all the users uploaded packages and wiki contributions. We could even start with some clever things like badges per user. I'm sure there are lots of possibilities out there I haven't considered.

Obviously there are some technical hurdles to overcome. We would probably need to do some significant work on the wiki to get this to happen. But given that we seem to have had trouble with mediawiki in the past (I remember hearing about some migration issues), maybe it's time to eat our own dog food and switch to a Haskell-based wiki[2] that could be more easily modified to suit our needs. We would also need some kind of protocol for the cross-site authentication; OAuth 2.0 might be worth considering for this.

All of this may just be the ramblings of a mad-man (I haven't had breakfast yet), but I do think that *some* form of unified login could really push Haskell forward.

Michael

[1] http://docs.yesodweb.com/ [2] http://hackage.haskell.org/package/gitit