On Mon, 10 Feb 2025 at 17:39, Stephen Paul Weber
<singpolyma(a)singpolyma.net> wrote:
The authcid is how we convey the authenticating username.
Yes I understand that's what currently is placed there. I'm proposing that
for FAST we put a token id there, which will of course convey the account in
question to the server as well (since a token is only valid for a single
account).
The server would need to know that FAST is being used in order to know
it's not a username, but my understanding is that a reason for
proposing this is to remove the explicit indication to the server that
this is a FAST authentication. Right?
Your concern is namespace collision between username and a fast token id if
the ids are also valid usernames?
I think since the IDs are fully under the control of the server this isn't a
problem in practice, is it? The server would not assign any credential
(including FAST tokens) an id that is an existing username, and would not
allow creation of an account with username that matches any existing
credential id. Username is the credential ID for the "primary account
password" as used today.
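
The shared credential-id namespace described in the last paragraph, as an added example that is not part of the thread or of any server's code. `CredentialRegistry`, its method names and the `new_id` parameter are hypothetical, and ids are compared as exact strings (a real server would compare them after whatever normalization it applies to usernames).

```python
import secrets


class CredentialRegistry:
    """One namespace for every credential id: usernames and FAST token ids.

    Hypothetical illustration; names and storage layout are assumptions.
    """

    def __init__(self):
        # credential id -> (account, kind); the username is the id of the
        # account's primary password credential.
        self._creds = {}

    def create_account(self, username):
        # Refuse a username that matches any existing credential id,
        # whether that id is another username or an issued token id.
        if username in self._creds:
            raise ValueError("id already in use as a credential id")
        self._creds[username] = (username, "password")

    def issue_fast_token(self, account, new_id=lambda: secrets.token_urlsafe(12)):
        if self._creds.get(account) != (account, "password"):
            raise KeyError("unknown account")
        # The server controls token ids, so it regenerates until the id
        # collides with no username and no other credential id.
        while True:
            token_id = new_id()
            if token_id not in self._creds:
                break
        self._creds[token_id] = (account, "fast-token")
        return token_id

    def resolve(self, authcid):
        """Map an authcid to (account, kind), or None if it is unknown.

        The lookup needs no separate signal that FAST is in use: the id
        itself selects both the account and the credential type.
        """
        return self._creds.get(authcid)


if __name__ == "__main__":
    reg = CredentialRegistry()
    reg.create_account("alice")  # constructed sample account
    tid = reg.issue_fast_token("alice")
    print(reg.resolve("alice"), reg.resolve(tid))
```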