Blogging Code4Lib PNW

Duncan Barth, University of Oregon on Authenticaion vs. Authorization

  • authentication:  is the user who s/he says s/he is?
  • authorization:  what does the user get to do on the site/resource?
  • passwords stink.  hard for end user to use unique passwords, hard for web manager to manage passwords and reset mechanisms
  • stay out of the authentication business if you can!
  • UO intranet:  MediaWiki, Drupal, custom applications.  use Apache standard authentication mechanism, pointing to LDAP server
  • using Shibboleth as authentication system (single sign-off) set up with EZProxy.  ultimately want to make system one log-in for all systems (including ILLiad, Xerxes, etc.)
  • for non-university systems (public libraries etc.) without user id databases, can use OpenID (Google provides OpenID.)  I.e., Basecamp login can be done with OpenID from Google account.
  • how to promote OpenID as a mechanism?
  • can use identity information from Facebook API to log in.
  • OpenID has authorization component called OAuth

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s