Hey Wil,
On Mon, Dec 5, 2011 at 11:06 PM, Wil Moore III <
[hidden email]> wrote:
> Evan,
>
> I like where this is headed. I've got some initial thoughts written below:
>
>> EdpUser must provide...such as forgot password, etc) out of the box.
>
>
> As for things like "forgot password", this is where I would expect extreme
> extensibility as this is an area that differs greatly between applications.
> Also, I wonder how much of this should be handled by the user module itself
> vs. a service...then again, you are probably thinking to bundle related
> services with the module. If that is your thinking, I'd certainly be happy
> with that.
Yeah, my thought was that EdpUser would bundle some related services.
You're right that stuff like forgot password will vary greatly between
apps. My ideas are (and I should/will add these to that wiki page):
A) EdpUser should out of the box provide a fairly complete user
registration/authentication experience that works for "most" common
scenarios.
B) EdpUser should be flexible enough that it can be overridden or
extended so that the cases it doesn't support out of the box can
easily be supported without the need for developing more redundant
user modules.
C) Using the provided features like forgot password would be
completely optional, and of course could easily be overridden by third
party modules or simply disabled. For example, a site that simply
performs all of its authentication via GitHub like travis-ci.org would
have no forgot password feature. However, maybe a two-factor SMS
authentication module (as descried on the wiki page) could provide a
setting to override the default 'forgot password' behavior which
e-mail a password reset link, and instead send an SMS code after
answering security questions if the user has two-factor authentication
enabled.
>>
>> Authentication
>
>
> Are you thinking of using and extending Zend\Authentication (or whatever it
> will be named going forward) and integrating it into EdpUser? Just
> wondering if EdpUser will be providing all of this or if it will be using
> something that is extracted which could be used even outside of EdpUser.
Yeah, right now EdpUser is using Zend\Authentication. I'm thinking
that in the spirit of re-usability that I'd like to make any
authentication adapter used by EdpUser simply be a Zend\Authentication
adapter so that the adapter itself could be freely used outside of
EdpUser.
> Overall, I love this concept. I'm looking forward to seeing this in action
> (in my own apps going forward). I'd also love to see something that works
> well in a _semi_ stateless arena. In other words, authenticating REST
> clients.
Yep, I'd like this too. Generally with REST API's, I've seen this
happen via an OAuth provider which I covered in the doc. Typically the
flow is something like this:
http://developer.github.com/v3/oauth/Is that sort of like what you'd be looking for?
>> What I'd like to accomplish is to set a high bar for a few quality modules
>> built with input from the community, and use the experience as an
>> opportunity to start putting together some best practices based on
>> actual experience.
>
>
> This is awesome.
Glad I'm not the only one who thinks so. :)
--
Evan Coury
--
List:
[hidden email]
Info:
http://framework.zend.com/archivesUnsubscribe:
[hidden email]
Locked
