On Mon, 10 Feb 2025 at 17:39, Stephen Paul Weber
<singpolyma(a)singpolyma.net> wrote:
The authcid is
how we convey the authenticating username.
Yes I understand that's what currently is placed there. I'm proposing that
for FAST we put a token id there, which will of course convey the account in
question to the server as well (since a token is only valid for a single
account).
The server would need to know that FAST is being used in order to know
it's not a username, but my understanding is that a reason for
proposing this is to remove the explicit indication to the server that
this is a FAST authentication. Right?
1) The type of
credential being used (password, FAST token, bearer token, etc.)
2) In some cases, some identifier of the credential being used (when
the same user has multiple credentials of the same type, common with
tokens)
I think these are basically the same thing. We need to know what credential
is being used. If we have an identifier then we will also know the type of
that credential based on the id.
Well, passwords don't have such identifiers, only the username. It
feels somewhat hacky to override the meaning of authcid in this way.
I'd perhaps be okay with defining the authcid as a credential id,
except that it currently is not, and I definitely don't like the idea
of it sometimes containing a username and sometimes something else.
That's just asking for mix-ups, with potentially bad consequences.
Regards,
Matthew
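The mix-up Matthew describes above, as an added illustration that is not part of the thread: a toy server-side resolver in which the authcid is overloaded (sometimes a username, sometimes a token id) beside one in which the credential type is signalled explicitly. All names, the in-memory user and token tables, and the colliding identifier are constructed for the example and do not come from any real deployment or from the FAST specification.

```python
"""Constructed illustration of overloading authcid versus signalling the
credential type explicitly. The tables below are made-up sample data."""


class AmbiguousAuthcid(Exception):
    """Raised when an authcid matches both a username and a token id."""


# Constructed sample store: password accounts keyed by username.
# "tok-1234" is deliberately both a (legal) username and a token id below.
USERS = {
    "alice": "<password-hash-alice>",
    "tok-1234": "<password-hash-odd-user>",
}

# Constructed sample store: token id -> account the token belongs to.
TOKENS = {
    "tok-1234": "alice",
}


def resolve_overloaded(authcid):
    """Overloaded scheme: the server has to guess what the authcid means.

    Returns (credential_type, account) or None; raises AmbiguousAuthcid when
    the same string is valid as both a username and a token id.
    """
    is_user = authcid in USERS
    is_token = authcid in TOKENS
    if is_user and is_token:
        # Neither interpretation can be preferred safely: picking "token"
        # would let a token id stand in for a username, and vice versa.
        raise AmbiguousAuthcid(authcid)
    if is_token:
        return ("token", TOKENS[authcid])
    if is_user:
        return ("password", authcid)
    return None


def resolve_explicit(cred_type, identifier):
    """Explicit scheme: the credential type arrives out of band (for example
    via the mechanism name), so the identifier is looked up in exactly one
    namespace and the same string cannot be confused across namespaces.
    """
    if cred_type == "password":
        return ("password", identifier) if identifier in USERS else None
    if cred_type == "token":
        return ("token", TOKENS[identifier]) if identifier in TOKENS else None
    raise ValueError(f"unknown credential type: {cred_type!r}")


if __name__ == "__main__":
    print(resolve_overloaded("alice"))
    try:
        resolve_overloaded("tok-1234")
    except AmbiguousAuthcid as exc:
        print("ambiguous authcid:", exc)
    print(resolve_explicit("password", "tok-1234"))
    print(resolve_explicit("token", "tok-1234"))
```

The point of the collision case is that the overloaded resolver has no safe answer for "tok-1234", whereas the explicit resolver returns a different, correct account for each credential type because each lookup is confined to its own namespace.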