Feedback on Zend_Auth_Adapter_Flexible?

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Feedback on Zend_Auth_Adapter_Flexible?

jazzslider
Hello!

Several months ago I posted a proposal (http://framework.zend.com/wiki/display/ZFPROP/Zend_Auth_Adapter_Flexible+-+Adam+Jensen) for a new kind of authentication adapter which simplifies the process of allowing multiple modes of authentication (e.g., email/pass and OpenID) via the same controller and view code. 

Unfortunately, I haven't received any community feedback, which either means my proposal is (a) perfect, or (b) totally uninteresting :)  I was hoping I could entice some of you to take a look at it in the next couple of days to see if there's anything I can improve before I promote it to Ready for Recommendation.  Please let me know what you think; personally, I've found that this approach saves me a heck of a lot of code, and I'd love to see it added to the framework.

Thanks!
Adam
Reply | Threaded
Open this post in threaded view
|

Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

weierophinney
Administrator
-- Adam Jensen <[hidden email]> wrote
(on Tuesday, 15 September 2009, 09:40 AM -0500):

> Several months ago I posted a proposal (http://framework.zend.com/wiki/display/
> ZFPROP/Zend_Auth_Adapter_Flexible+-+Adam+Jensen) for a new kind of
> authentication adapter which simplifies the process of allowing multiple modes
> of authentication (e.g., email/pass and OpenID) via the same controller and
> view code.
>
> Unfortunately, I haven't received any community feedback, which either means my
> proposal is (a) perfect, or (b) totally uninteresting :)  I was hoping I could
> entice some of you to take a look at it in the next couple of days to see if
> there's anything I can improve before I promote it to Ready for Recommendation.
>   Please let me know what you think; personally, I've found that this approach
> saves me a heck of a lot of code, and I'd love to see it added to the
> framework.

There's actually a proposal already accepted, Zend_Auth_Adapter_Chain,
which may already do much of what you're proposing:

    http://framework.zend.com/wiki/display/ZFPROP/Zend_Auth_Adapter_Chain+-+Geoffrey+Tran

I'm not sure what Geoffrey's timeframe for completion is, however.

--
Matthew Weier O'Phinney
Project Lead            | [hidden email]
Zend Framework          | http://framework.zend.com/
Reply | Threaded
Open this post in threaded view
|

Re: Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

jazzslider
Hello!

Actually I'd spent some time looking at Zend_Auth_Adapter_Chain, but I feel like it's addressing a different use case.

It seems like the chain adapter would work best in situations where the same set of credentials could be checked against multiple authentication sources…for instance, a local username/password versus an LDAP username/password.  The chain adapter makes it easy to support both in a single action with very little additional controller logic.

However, if the user input requirements differ for each adapter (e.g., if you replace LDAP with OpenID in the above example), the chain approach isn't as viable.  You now not only need differing authentication logic; you also need differing form objects, differing view scripts, and sometimes different action methods (esp. relevant w/OpenID, since OpenID auth takes several different requests, and not all are guaranteed to be POSTs).  This is the use case that my proposal is designed to address; using the adapter I've proposed, it's a lot easier to support a wide variety of authentication adapters with a wide variety of user input requirements from within a single, tidy controller action.

All that said, I'm starting to wonder if my proposal might work better as an action helper, since the main benefit is the simplification of controller logic?  It may be more complicated than that, but it's probably worth some thought; any ideas?

Thanks!
Adam


On Tue, Sep 15, 2009 at 11:29 AM, Matthew Weier O'Phinney <[hidden email]> wrote:
-- Adam Jensen <[hidden email]> wrote
(on Tuesday, 15 September 2009, 09:40 AM -0500):
> Several months ago I posted a proposal (http://framework.zend.com/wiki/display/
> ZFPROP/Zend_Auth_Adapter_Flexible+-+Adam+Jensen) for a new kind of
> authentication adapter which simplifies the process of allowing multiple modes
> of authentication (e.g., email/pass and OpenID) via the same controller and
> view code.
>
> Unfortunately, I haven't received any community feedback, which either means my
> proposal is (a) perfect, or (b) totally uninteresting :)  I was hoping I could
> entice some of you to take a look at it in the next couple of days to see if
> there's anything I can improve before I promote it to Ready for Recommendation.
>   Please let me know what you think; personally, I've found that this approach
> saves me a heck of a lot of code, and I'd love to see it added to the
> framework.

There's actually a proposal already accepted, Zend_Auth_Adapter_Chain,
which may already do much of what you're proposing:

   http://framework.zend.com/wiki/display/ZFPROP/Zend_Auth_Adapter_Chain+-+Geoffrey+Tran

I'm not sure what Geoffrey's timeframe for completion is, however.

--
Matthew Weier O'Phinney
Project Lead            | [hidden email]
Zend Framework          | http://framework.zend.com/

Reply | Threaded
Open this post in threaded view
|

Re: Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

weierophinney
Administrator
-- Adam Jensen <[hidden email]> wrote
(on Tuesday, 15 September 2009, 05:43 PM -0500):

> Actually I'd spent some time looking at Zend_Auth_Adapter_Chain, but I feel
> like it's addressing a different use case.
>
> It seems like the chain adapter would work best in situations where the same
> set of credentials could be checked against multiple authentication sources for
> instance, a local username/password versus an LDAP username/password.  The
> chain adapter makes it easy to support both in a single action with very little
> additional controller logic.
>
> However, if the user input requirements differ for each adapter (e.g., if you
> replace LDAP with OpenID in the above example), the chain approach isn't as
> viable.  You now not only need differing authentication logic; you also need
> differing form objects, differing view scripts, and sometimes different action
> methods (esp. relevant w/OpenID, since OpenID auth takes several different
> requests, and not all are guaranteed to be POSTs).  This is the use case that
> my proposal is designed to address; using the adapter I've proposed, it's a lot
> easier to support a wide variety of authentication adapters with a wide variety
> of user input requirements from within a single, tidy controller action.

Excellent synopsis of the difference in approach -- I suspected this
might be the case, but wanted you to verify (or not). :)

> All that said, I'm starting to wonder if my proposal might work better as an
> action helper, since the main benefit is the simplification of controller
> logic?  It may be more complicated than that, but it's probably worth some
> thought; any ideas?

So, what I'm understanding is that you want functionality that makes it
possible to authenticate against any of several types of authentication
schemes, some of which may require different credentialing mechanisms.

This sounds like application logic in many ways -- even the forms would
differ for each in some cases (OpenID would require a URL only; LDAP and/or
DbTable would require user/pass, etc.). This sounds like several
cross-cutting concerns:

  * a form with multiple types of credential, and a selector to
    determine which to authenticate against
  * logic to switch based on the authentication selector that would then
    instantiate the appropriate auth adapter and validate it

The form part could be handled userland, but yes, an action helper that
takes the form input and does the adapter delegation makes sense.


> On Tue, Sep 15, 2009 at 11:29 AM, Matthew Weier O'Phinney <[hidden email]>
> wrote:
>
>     -- Adam Jensen <[hidden email]> wrote
>     (on Tuesday, 15 September 2009, 09:40 AM -0500):
>     > Several months ago I posted a proposal (http://framework.zend.com/wiki/
>     display/
>     > ZFPROP/Zend_Auth_Adapter_Flexible+-+Adam+Jensen) for a new kind of
>     > authentication adapter which simplifies the process of allowing multiple
>     modes
>     > of authentication (e.g., email/pass and OpenID) via the same controller
>     and
>     > view code.
>     >
>     > Unfortunately, I haven't received any community feedback, which either
>     means my
>     > proposal is (a) perfect, or (b) totally uninteresting :)  I was hoping I
>     could
>     > entice some of you to take a look at it in the next couple of days to see
>     if
>     > there's anything I can improve before I promote it to Ready for
>     Recommendation.
>     >   Please let me know what you think; personally, I've found that this
>     approach
>     > saves me a heck of a lot of code, and I'd love to see it added to the
>     > framework.
>
>     There's actually a proposal already accepted, Zend_Auth_Adapter_Chain,
>     which may already do much of what you're proposing:
>
>        http://framework.zend.com/wiki/display/ZFPROP/
>     Zend_Auth_Adapter_Chain+-+Geoffrey+Tran
>
>     I'm not sure what Geoffrey's timeframe for completion is, however.
>
>     --
>     Matthew Weier O'Phinney
>     Project Lead            | [hidden email]
>     Zend Framework          | http://framework.zend.com/
>
>

--
Matthew Weier O'Phinney
Project Lead            | [hidden email]
Zend Framework          | http://framework.zend.com/
Reply | Threaded
Open this post in threaded view
|

Re: [zf-contributors] Re: [fw-auth] Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

Ralph Schindler-2

>> All that said, I'm starting to wonder if my proposal might work better as an
>> action helper, since the main benefit is the simplification of controller
>> logic?  It may be more complicated than that, but it's probably worth some
>> thought; any ideas?

> This sounds like application logic in many ways -- even the forms would
> differ for each in some cases (OpenID would require a URL only; LDAP and/or
> DbTable would require user/pass, etc.). This sounds like several

> The form part could be handled userland, but yes, an action helper that
> takes the form input and does the adapter delegation makes sense.

I'd like to see you explore the controller/action-helper route.
Currently, there is not much in the way of helpers or plugins that aid
Zend_Auth in "coupling" with an applications AuthController.

Much like the viewRenderer helps the controller's job of interacting
with Zend_View, I think it makes alot of sense to have something like,
say, "authSelector" to help decide and load various pieces to the
authentication puzzle: forms, views, form helpers, and finally actual
auth adapter.

While, the term "flexible" is good, I think we need to find something
more succinct that will, by name, identify its job to the developer
immediately.  Since you haven't gotten many comments on the original
proposal, I can only guess that the naming is not something developers
are immediately drawn to as its name does not conjure up any visions of
what job it actually does.

Looking forward to your feedback now that I have a better grasp on what
it is you are attempting to do!

-ralph
Reply | Threaded
Open this post in threaded view
|

Re: [zf-contributors] Re: [fw-auth] Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

jazzslider
Thank you both for your feedback on this; I'll be adjusting the proposal to reflect the new action helper approach as soon as I can.  Seems like that's a better fit, and I'm happy to make the necessary changes.

Thanks!
Adam


On Wed, Sep 16, 2009 at 9:44 AM, Ralph Schindler <[hidden email]> wrote:

All that said, I'm starting to wonder if my proposal might work better as an
action helper, since the main benefit is the simplification of controller
logic?  It may be more complicated than that, but it's probably worth some
thought; any ideas?

This sounds like application logic in many ways -- even the forms would
differ for each in some cases (OpenID would require a URL only; LDAP and/or
DbTable would require user/pass, etc.). This sounds like several

The form part could be handled userland, but yes, an action helper that
takes the form input and does the adapter delegation makes sense.

I'd like to see you explore the controller/action-helper route. Currently, there is not much in the way of helpers or plugins that aid Zend_Auth in "coupling" with an applications AuthController.

Much like the viewRenderer helps the controller's job of interacting with Zend_View, I think it makes alot of sense to have something like, say, "authSelector" to help decide and load various pieces to the authentication puzzle: forms, views, form helpers, and finally actual auth adapter.

While, the term "flexible" is good, I think we need to find something more succinct that will, by name, identify its job to the developer immediately.  Since you haven't gotten many comments on the original proposal, I can only guess that the naming is not something developers are immediately drawn to as its name does not conjure up any visions of what job it actually does.

Looking forward to your feedback now that I have a better grasp on what it is you are attempting to do!

-ralph

Reply | Threaded
Open this post in threaded view
|

Re: [zf-contributors] Re: [fw-auth] Re: [zf-contributors] Feedback on Zend_Auth_Adapter_Flexible?

jazzslider
Hello!

Just thought I'd let y'all know that I've made a significant overhaul to my original proposal (now at http://framework.zend.com/wiki/display/ZFPROP/Zend_Controller_Action_Helper_AuthSelector+-+Adam+Jensen), reflecting what we discussed yesterday.  I think it's a lot clearer now, but I'm open to any further suggestions.  Thanks again for your help!

Adam


On Wed, Sep 16, 2009 at 7:36 PM, Adam Jensen <[hidden email]> wrote:
Thank you both for your feedback on this; I'll be adjusting the proposal to reflect the new action helper approach as soon as I can.  Seems like that's a better fit, and I'm happy to make the necessary changes.

Thanks!
Adam


On Wed, Sep 16, 2009 at 9:44 AM, Ralph Schindler <[hidden email]> wrote:

All that said, I'm starting to wonder if my proposal might work better as an
action helper, since the main benefit is the simplification of controller
logic?  It may be more complicated than that, but it's probably worth some
thought; any ideas?

This sounds like application logic in many ways -- even the forms would
differ for each in some cases (OpenID would require a URL only; LDAP and/or
DbTable would require user/pass, etc.). This sounds like several

The form part could be handled userland, but yes, an action helper that
takes the form input and does the adapter delegation makes sense.

I'd like to see you explore the controller/action-helper route. Currently, there is not much in the way of helpers or plugins that aid Zend_Auth in "coupling" with an applications AuthController.

Much like the viewRenderer helps the controller's job of interacting with Zend_View, I think it makes alot of sense to have something like, say, "authSelector" to help decide and load various pieces to the authentication puzzle: forms, views, form helpers, and finally actual auth adapter.

While, the term "flexible" is good, I think we need to find something more succinct that will, by name, identify its job to the developer immediately.  Since you haven't gotten many comments on the original proposal, I can only guess that the naming is not something developers are immediately drawn to as its name does not conjure up any visions of what job it actually does.

Looking forward to your feedback now that I have a better grasp on what it is you are attempting to do!

-ralph