Some feedback from Collaboraid design reviews, which I'm detailing here because a few may be open community issues. If items don't make sense, check the spec at the top of the forum, and bear with us as we keep improving our documentation process.
- We are going to assume that auth::authenticate, which is the new function responsible for authenticating any login (local or remote), does all of the error handling for unreliable drivers. That is, even if the remote authentication server croaks, auth::authenticate will not fail. This means that we should try to incorporate a timeout mechanism into auth::authenticate, even if the drivers also have timeouts. (affects Peter, EXT-AUTH-01)
- auth::authenticate must always return an auth_message if auth_status is not ok. (affects Peter, EXT-AUTH-01)
- auth::register needs to detect if it was called by a new user or by an admin (presumably, if the connection has a user id). If called by a registering new user, it should set a cookie for the new user_id. If called by an admin, it should not. (affects Peter, EXT-AUTH-01)
- acs-subsite.EmailForgottenPasswordP should be checked in concert with the appropriate authentication driver. Only if both are true should a link be offered to email a forgotten password. (affects Lars, EXT-AUTH-05)
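To make the first three review items concrete, here is an added Python model of the contract they describe (it is an illustration written for this post, not OpenACS code, and OpenACS itself is Tcl). It assumes a driver is simply a callable that returns a dict with an auth_status; the wrapper auth_authenticate enforces its own timeout, swallows driver failures, and guarantees that any non-ok result carries an auth_message. auth_register decides whether to hand back a login cookie purely from whether the connection already has a user id. The status value "auth_error" and the cookie name "session_user_id" are constructed placeholders, as are the sample drivers.

```python
"""Hypothetical model of the auth::authenticate / auth::register contract.

Not OpenACS code: names, status values and cookie names are constructed for
this illustration.
"""
import concurrent.futures
import time

AUTH_OK = "ok"
AUTH_BAD_PASSWORD = "bad_password"
AUTH_AUTH_ERROR = "auth_error"  # constructed status: driver failed or timed out


def auth_authenticate(driver, username, password, timeout_s=5.0):
    """Authenticate via `driver` without ever failing or returning a half-formed result.

    Whatever the driver does (hangs, raises, returns a failure with no message),
    the caller gets a dict with auth_status and, when auth_status != "ok",
    a non-empty auth_message.
    """
    executor = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = executor.submit(driver, username, password)
    try:
        # Our own timeout, independent of whatever timeout the driver has.
        result = dict(future.result(timeout=timeout_s))
    except concurrent.futures.TimeoutError:
        result = {"auth_status": AUTH_AUTH_ERROR,
                  "auth_message": "Authentication server did not respond in time."}
    except Exception as exc:  # driver raised: never propagate to the login page
        result = {"auth_status": AUTH_AUTH_ERROR,
                  "auth_message": "Authentication server error: %s" % exc}
    finally:
        executor.shutdown(wait=False)  # do not block on a hung driver thread

    # Enforce the invariants even on a sloppy driver.
    if "auth_status" not in result:
        result["auth_status"] = AUTH_AUTH_ERROR
    if result["auth_status"] != AUTH_OK and not result.get("auth_message"):
        result["auth_message"] = "Authentication failed."
    return result


def auth_register(create_user, connection_user_id, username, password, email):
    """Create an account and decide whether the browser should be logged in as it.

    connection_user_id is the user already on the connection (None for an
    anonymous visitor). Only a self-registering visitor gets a login cookie;
    an admin creating an account for someone else must keep their own session.
    Returns (result_dict, cookie_dict_or_None).
    """
    new_user_id = create_user(username, password, email)
    result = {"creation_status": AUTH_OK, "user_id": new_user_id}
    if connection_user_id is None:
        return result, {"session_user_id": str(new_user_id)}  # constructed cookie name
    return result, None


# --- constructed sample drivers -------------------------------------------

def local_driver(username, password):
    users = {"alice": "correct horse"}  # constructed local user table
    if users.get(username) == password:
        return {"auth_status": AUTH_OK, "user_id": 1001}
    return {"auth_status": AUTH_BAD_PASSWORD}  # no message: wrapper must add one


def hung_remote_driver(username, password):
    time.sleep(0.5)  # simulate a remote server that answers too late
    return {"auth_status": AUTH_OK, "user_id": 2002}


def crashing_driver(username, password):
    raise ConnectionError("remote auth server unreachable")


def make_user_factory():
    """Constructed stand-in for user creation; returns a counter-based user id."""
    counter = {"next": 3000}

    def create_user(username, password, email):
        counter["next"] += 1
        return counter["next"]
    return create_user


if __name__ == "__main__":
    print(auth_authenticate(local_driver, "alice", "wrong"))
    print(auth_authenticate(hung_remote_driver, "bob", "x", timeout_s=0.05))
    print(auth_authenticate(crashing_driver, "bob", "x"))
    print(auth_register(make_user_factory(), None, "carol", "pw", "c@example.org"))
    print(auth_register(make_user_factory(), 7, "dave", "pw", "d@example.org"))
```

The timeout here is deliberately layered on top of any timeout the driver has, which is exactly the point of the first item: the login path stays responsive even if a driver's own timeout is misconfigured or missing. The register helper's only input for the admin-versus-visitor decision is the connection's user id, matching the "presumably" in the third item; if the real design ends up using a different signal, that check is the one line to change.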