Services/Sync/WEP/110: Difference between revisions

	THIS PAGE IS A WORKING DRAFT
	The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly. If you have any questions or ideas, please add them as a new topic on the discussion page.

WEP 110 - Site Auto-registration and Password Change

• Status: Draft
• Created: 28 Oct 2009
• Reference Implementation: None
• WEP Index

Introduction

As part of the Weave Identity extension, we should support auto-registration of user accounts at websites and also manage passwords on behalf of the user. This WEP tackles the specific issue of the metadata that a site must provide to Weave in order to enable these features.

Metadata

Websites should include a <link rel> tag on every page that requires the presence of an identity (pages behind authentication, or registration pages).

<link rel="identity" href="/identity.json" />

Suggested alternate values for rel value: autoregister

JSON Format

The href attribute of the identity <link rel> should point to a JSON file that describes the interface the website provides to auto-register accounts and manage them. The format of the JSON file is described in this section. The JSON file must be present on the same domain as the web page that pointed to it, or could alternatively be a chrome URI.

{
 domain: "http://example.org/",
 methods:
  {
   "login":
    {
     path: "/login",
     method: "POST",
     params:
      {
       userName: "usr",
       password: "pwd"
      }
    },
   "register":
    {
     path: "/register",
     method: "POST",
     params:
      {
       userName: "name_field",
       givenName: "first_name_field",
       familyName: "last_name_field",
       emailHome: "email_field",
       password: ["pw_field", "pw_field2"]
      }
    },
   "password":
    {
     path: "/pwchange",
     method: "POST",
     params:
      {
       userName: "usr",
       oldPassword: "pwd1",
       newPassword: "pwd2"
      }
    }
  }
}

The identity JSON object MUST contain the domain and methods properties. The domain property MUST match both the domain which hosts the identity JSON object as well as the page that contained the <link rel> pointing to it.

The methods property MUST contain at a minimum the login property and MAY contain additional register and password properties. Each of these properties, if present, MUST contain a single "Form Definition Object", which is described as follows.

FDO

A Form Definition Object (FDO) describes the fields usually present in a standard HTML form and provides information on where and how to submit it in order to execute an action (currently, one of "register", "login" or "password" change).

An FDO MUST contain the path and params properties, and MAY contain the method property.

path represents a URI endpoint on which the operation will be performed, relative to the previously described domain.

method CAN be one of POST or GET. If not present, POST is assumed. This represents the HTTP method used to reach the URI endpoint for the action.

params describes the data included with the POST or GET method. Each property in this object MUST correspond with a key that describes some portion of the user's identity. Key available are (they match those used in the People Store):

• userName
• givenName
• familyName
• emailHome
• emailWork
• password
• address1
• address2
• city
• state
• country
• pincode
• gender

Function

When Weave detects the presence of an identity tag, it will act as follows:

• If the user is currently not logged in:
  • If there is an identity in local store corresponding to the current domain:
    • Offer the user to login with that identity (or) auto-login
  • If there is no identity associated with the domain:
    • Offer the user to auto-register with the site using a particular local identity
• If the user is logged in:
  • Show a small UI element (key in the address bar as we did with the Weave auto-login feature?) that allows the user to log out or switch identities on the current domain.