Posted to dev@rave.apache.org by Jasha Joachimsthal <j....@onehippo.com> on 2011/11/07 20:02:35 UTC

Multiple users with the same email address

In the current model a User has an email address that is supposed to be
unique in the database. This works fine if there is only one source for
user accounts.
There are situations where users log in with OpenID or Facebook and use
their university account.
These different accounts may have the same email address.
Are we going to "merge" these accounts or are we going to allow multiple
Users to have the same email address?

Jasha Joachimsthal

Europe - Amsterdam - Oosteinde 11, 1017 WT Amsterdam - +31(0)20 522 4466
US - Boston - 1 Broadway, Cambridge, MA 02142 - +1 877 414 4776 (toll free)

www.onehippo.com

Re: Multiple users with the same email address

Posted by Niels van Dijk <ni...@surfnet.nl>.
Hi Jasha,

Merging of accounts seems like a rather bad idea to me.
First of all, it seems that this is not a core capability of a portal
platform, but should be done somewhere else, like in a system that
manages identities.
Second, if a user has multiple accounts, like e.g. in the scenario you
describe below (university account as well as Google account) the
so-called 'level of assurance' between these accounts differs very much.
The same goes for an account coming from an enterprise LDAP and one from
e.g. Google.

The first accounts are rather trustworthy as these were issued by either
the uni or the company of the user, which most likely will have included
some real checking of the identity of the user (e.g. confirmation of the
identity by passport). The Google account is totally self asserted. In a
federated Identity management scenario, the actual authentication
process may also be different than Google's username/password.

As portal (and gadgets) will leverage the accounts to grant rights,
these types of accounts should therefore not be mixed. As an example: If
I grant a 'company' account the right to admin the portal, I do so
because I trust the company to have gotten their identity management
right. The self asserted process of the other identity of the user is
beyond my control. Perhaps this provider of identities allows everyone
to login using the provided credentials. If these 2 were merged based on
email, that would open up my admin account for all kinds of nastiness...

cheers,
Niels



On 11/07/2011 08:02 PM, Jasha Joachimsthal wrote:
> In the current model a User has an email address that is supposed to be
> unique in the database. This works fine if there is only one source for
> user accounts.
> There are situations where users log in with OpenID or Facebook and use
> their university account.
> These different accounts may have the same email address.
> Are we going to "merge" these accounts or are we going to allow multiple
> Users to have the same email address?
>
> Jasha Joachimsthal
>
> Europe - Amsterdam - Oosteinde 11, 1017 WT Amsterdam - +31(0)20 522 4466
> US - Boston - 1 Broadway, Cambridge, MA 02142 - +1 877 414 4776 (toll free)
>
> www.onehippo.com
>
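
The scenario discussed in this thread, as an added example that is not code from Rave or from either poster: a store that merges accounts by email hands a university account's admin role to a self-asserted login with the same address, while a store keyed on (provider, subject) keeps them as separate users. The provider names, the numeric assurance levels and the `can_admin` check are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed assurance levels; the thread only says they differ.
LOA_SELF_ASSERTED = 1
LOA_VETTED = 2

@dataclass(frozen=True)
class Identity:
    provider: str  # who authenticated the user (hypothetical names)
    subject: str   # identifier issued by that provider
    email: str     # an attribute, not proof of who the user is
    loa: int       # level of assurance of this provider

@dataclass
class Account:
    identity: Identity
    roles: set = field(default_factory=set)

class MergeByEmailStore:
    """Risky model: one account per email address."""
    def __init__(self):
        self._accounts = {}
    def login(self, ident):
        return self._accounts.setdefault(ident.email.lower(), Account(ident))

class PerIdentityStore:
    """One account per (provider, subject); emails may repeat."""
    def __init__(self):
        self._accounts = {}
    def login(self, ident):
        key = (ident.provider, ident.subject)
        return self._accounts.setdefault(key, Account(ident))

def can_admin(account, presented):
    # Assumed extra check: a role only counts for a vetted login.
    return "admin" in account.roles and presented.loa >= LOA_VETTED

# Constructed sample identities sharing one email address.
UNI = Identity("university-idp", "u12345", "alice@example.edu", LOA_VETTED)
SOCIAL = Identity("social-openid", "abc987", "alice@example.edu",
                  LOA_SELF_ASSERTED)

def social_login_inherits_admin(store):
    """Grant admin to the university account, then log in via the other IdP."""
    store.login(UNI).roles.add("admin")
    return "admin" in store.login(SOCIAL).roles

if __name__ == "__main__":
    print("merge by email:", social_login_inherits_admin(MergeByEmailStore()))
    print("per identity:  ", social_login_inherits_admin(PerIdentityStore()))
```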