IPPC Design Docs / IPPC Common Authentication Framework - The ‘All Our Users’ Database

Subject: IPPC Common Authentication Framework - The 'All Our Users' Database
Author: Simon Griffee, International Plant Protection Convention (IPPC/AGP) Webmaster
Last Update: Thursday, 19 April 2012 at 15:50:32
URL: http://hypertexthero.com/ippc/work/reports/IPPCCommonAuthenticationFramework.html

IPPC Common Authentication Framework - The ‘All Our Users’ Database

The situation

The requirements for http://www.phytosanitary.info stated that any person should be able to register and submit resources for consideration, etc., and Phytosanitary.info was built to meet this requirement. This differs from the current http://www.ippc.int system, where there is no public registration functionality and users are added manually when necessary.

If we want multiple web applications (with very different requirements) authenticating against a single user base, then we will need to do one of two things:

  1. Use/implement our own central authentication system for login/logout authentication only (a doorway that hands a ‘token’ to whoever comes in and takes it back when they go out), and have each separate application check the token it receives and handle that user's permissions itself. Authentication (who you are) is centralised; authorisation (what you may do on this particular site) stays with each application, which only needs to be able to verify that a token is genuine, unexpired and not logged out. This is the industry-standard, recommended way of doing things (think of a Google Account used for Gmail, Docs, YouTube, etc.).
  2. Merge all our sites into a single web application, whether Django, Drupal or something else. I do recommend Django :)
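Option 1 as a worked example. This is added here and is not the page's code, nor the FAO CAF or any IPPC implementation: a central doorway (`AuthService`) that checks the password once and hands out an HMAC-signed token, and two sites (`SiteApp`) that verify the token but keep their own permission tables. The token layout, the one-hour lifetime, the PBKDF2 parameters, the site names and the user `alice` are all assumptions for illustration. It needs only the Python standard library.

```python
# Added example, not from the page: central login doorway plus per-site permissions.
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Set

TOKEN_LIFETIME = 3600   # seconds; assumed value, not from the page
PBKDF2_ROUNDS = 100_000  # assumed value


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthService:
    """The single user base: answers 'who is this?' and nothing about what they may do."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._users: Dict[str, tuple] = {}   # username -> (salt, pbkdf2 digest)
        self._revoked: Set[str] = set()      # token ids invalidated by logout

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a signed token 'payload.signature', or None on bad credentials."""
        if username not in self._users:
            return None
        salt, digest = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        now = time.time() if now is None else now
        payload = {"sub": username, "iat": int(now), "exp": int(now) + TOKEN_LIFETIME,
                   "jti": _b64(os.urandom(12))}   # unique id so logout can revoke it
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the payload if the token is genuine, unexpired and not logged out."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(sig), expected):   # constant-time compare
                return None
            payload = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        now = time.time() if now is None else now
        if payload["exp"] <= now or payload["jti"] in self._revoked:
            return None
        return payload

    def logout(self, token: str, now: Optional[float] = None) -> None:
        payload = self.verify(token, now)
        if payload is not None:
            self._revoked.add(payload["jti"])


class SiteApp:
    """One site: trusts the doorway for identity, decides permissions locally."""

    def __init__(self, auth: AuthService, permissions: Dict[str, Set[str]]) -> None:
        self._auth = auth
        self._permissions = permissions   # username -> actions allowed on this site

    def authorize(self, token: str, action: str, now: Optional[float] = None) -> bool:
        payload = self._auth.verify(token, now)
        return payload is not None and action in self._permissions.get(payload["sub"], set())


def demo(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Login, per-site authorization, forgery, expiry and logout at a fixed clock."""
    doorway = AuthService(secret=os.urandom(32))
    doorway.register("alice", "correct horse battery staple")   # constructed sample user
    phyto = SiteApp(doorway, {"alice": {"view", "submit_resource"}})
    ippc = SiteApp(doorway, {"alice": {"view"}})                # same user, fewer rights here
    token = doorway.login("alice", "correct horse battery staple", now)
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = "admin"                                      # attacker edits the claims...
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig  # ...keeps old signature
    results = {
        "bad_password_rejected": doorway.login("alice", "wrong", now) is None,
        "phyto_submit": phyto.authorize(token, "submit_resource", now),
        "ippc_submit": ippc.authorize(token, "submit_resource", now),
        "forged_rejected": doorway.verify(forged, now) is None,
        "expired_rejected": doorway.verify(token, now + TOKEN_LIFETIME + 1) is None,
    }
    doorway.logout(token, now)
    results["after_logout"] = phyto.authorize(token, "view", now)
    return results
```

The point to notice is the split of responsibilities: the doorway never stores which actions a user may perform, and each site never sees a password. A site accepts a token only if the HMAC matches, the expiry has not passed and the token id has not been revoked by logout; the same `alice` token lets her submit on one site and only view on the other. In a real deployment the signing secret would be shared with the sites (or replaced by a public-key signature), and the revocation set would live somewhere all sites can consult.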

Short-term recommendation (next ten days, to keep people lovely and happy)

Keep the http://www.ippc.int, http://www.phytosanitary.info, etc., user databases separate, manually import users from one to the other as necessary, and put a note on the login screen of the relevant sites reminding users that the page they are on has its own authentication system (and that we are working to integrate them). Implement urgent features in www.phytosanitary.info (running on Django) for now.

Long-term recommendation (as soon as possible)

A. Implement our own common authentication system using the technique briefly described above (option 1). Or:
B. Implement the FAO Common Authentication Framework (CAF) for all our sites.

Either way, given all the work we have and the things that have not been done, we need:

  1. A different way for Information Exchange to work and communicate with the other groups. A nice man called Andrea Provaglio came to speak at FAO about the ‘Agile’ software development method recently. It is not only a way to develop software; it is a way for people to work together. It would be great if we at least tried the following (if you look at one link here, make it this one): The Scrum Framework in 10 minutes – what it is, how it works (first video on the page), or, if you prefer text: What is Scrum?
  2. Another good web programmer/developer to join the team, preferably someone with experience in Python, PHP and SQL, who knows and uses Git for version control, and is looking for a challenge.
  3. Time/opportunity for Paola, myself and the new programmer to develop new code from scratch instead of always ‘putting out fires’ and running to stand still on the treadmill of the old codebase :)

Simon