
Account invitations by SMS and email notifications

Rémy HUBSCHER edited this page Dec 22, 2016 · 1 revision

Context

For the Pass the Torch project, we would like to invite people by SMS and email and notify them that an account has been created for them.

The flow is the following:

  • Someone creates a new project and defines a workflow of steps. For each step they designate the person responsible for signing it off.
  • That person is identified by either an email address or a phone number.

This will generate a new account for that person and grant them permissions, while the credentials are sent in an invitation email or in a text message to their phone.

Combined with the Account API, this would let administrators create accounts for people before they register, and set those accounts up ahead of time: adding the user to groups and granting them permissions before their first login.

Issues

The issue is generating a user ID for someone before they have ever logged in.

Today Kinto does not handle user accounts at all; the user ID is whatever the authentication method produces:

  • With Basic Auth, the user ID is derived from the credentials, so we could generate a random client_id and secret_key and send them to the person.
  • With Portier or LDAP, the email address is the user ID.
  • With most OpenID providers (FxA, Google), the user ID cannot be known before the user logs in.

Plan A: Guess what the userID will be

A first solution would be to limit the authentication mechanisms enabled on a server and adapt the generation of the user ID to those methods. OpenID authentication mechanisms cannot be used with this solution, since their user IDs are only known after the first login.

Basic Auth

  • We generate a random client_id and client_secret and send them by SMS or email
  • The guest uses them to authenticate

Portier / LDAP

  • We can only invite by email, and we use the email address to grant permissions
    • If people use ldap, the userID will be ldap:email
    • If people use portier, the userID will be portier:email
  • The guest has to use the same email address as the one they were invited with, which can be cumbersome.
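The following is an added example (not Kinto's own code, and not part of the original page) of how a server could compute the guest's user ID under each Plan A method before the guest logs in, so that sign-off permissions can be granted to that principal and, for Basic Auth, the credentials mailed or texted out. The HMAC derivation of the `basicauth:` user ID (HMAC-SHA256 of `client_id:client_secret` keyed with the server's `userid_hmac_secret`) is an assumption about how Kinto builds that ID and should be checked against the server version in use; `invite`, `Invitation` and `step_permissions` are hypothetical names introduced here.

```python
# Added illustration for Plan A: predict the guest's user ID per authentication
# method. Not Kinto code. The basicauth derivation is an ASSUMPTION about Kinto
# (HMAC-SHA256 of "client_id:client_secret" keyed with userid_hmac_secret).
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Invitation:
    user_id: str                  # principal to grant permissions to, e.g. "ldap:a@b.c"
    credentials: Optional[dict]   # secret material to send to the guest (Basic Auth only)


def basicauth_user_id(client_id: str, client_secret: str, hmac_secret: str) -> str:
    """Assumed Kinto derivation of the Basic Auth principal.

    The server only needs to store this digest: the plaintext pair lives in the
    invitation message, which is why that message is itself sensitive.
    """
    message = f"{client_id}:{client_secret}".encode("utf-8")
    digest = hmac.new(hmac_secret.encode("utf-8"), message, hashlib.sha256).hexdigest()
    return f"basicauth:{digest}"


def invite(contact: str, method: str, hmac_secret: str) -> Invitation:
    """Build the principal (and credentials, if any) for an invited guest."""
    if method == "basicauth":
        # Works for both email and phone invitations: the ID depends only on the
        # random credentials we generate, not on the contact address.
        client_id = "guest-" + secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(24)
        user_id = basicauth_user_id(client_id, client_secret, hmac_secret)
        return Invitation(user_id, {"client_id": client_id, "client_secret": client_secret})
    if method in ("ldap", "portier"):
        # Email-based methods: the ID is predictable, but only for email invites,
        # and only if the guest later logs in with exactly this address.
        contact = contact.strip()
        if not EMAIL_RE.match(contact):
            raise ValueError(f"{method} invitations require an email address, got {contact!r}")
        return Invitation(f"{method}:{contact}", None)
    # OpenID providers (FxA, Google) assign the ID at first login: not predictable.
    raise ValueError(f"cannot predict a user ID for method {method!r}")


def step_permissions(step: dict, invitation: Invitation) -> dict:
    """Permissions object for a workflow step, granting sign-off (write) to the guest."""
    perms = dict(step.get("permissions", {}))
    perms["write"] = sorted(set(perms.get("write", [])) | {invitation.user_id})
    return perms
```

The `basicauth` branch is the only one that works for phone numbers; the LDAP and Portier branches reject anything that is not an email address, which is the limitation the bullets above describe. Whoever sends the invitation should treat the Basic Auth message as the credential itself: anyone reading the SMS or email can authenticate as the guest.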

Plan B: Create password-less user accounts and attach authentication methods to them on first login.

  • We can use the Account API to create a new account together with an invitation link
  • This one-time link, once clicked, asks the user to authenticate and automatically links their authentication method to the account
  • Multiple authentication methods can be linked to the same account ID, e.g. account:natim
  • This means Kinto becomes account-aware, but accounts seem to be an easier concept for people to grasp than authentication without user accounts
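The following is an added example (not Kinto's Account API, and not part of the original page) of the Plan B mechanics: an account is created without a password, an invitation token is issued and only its hash stored, and the first authenticated visit to the link consumes the token and binds whatever principal the authentication policy produced (for example portier:natim@example.com or an FxA ID) to account:natim. Later logins through any linked method resolve to that account. The `AccountStore` class, the one-week expiry and the in-memory dictionaries are assumptions made for the illustration.

```python
# Added illustration for Plan B: password-less accounts with a one-time
# invitation link that attaches the guest's authentication method on first login.
# Not Kinto code; storage is an in-memory dict and the authenticated principal is
# assumed to come from whichever authentication policy handled the click.
import hashlib
import secrets
import time
from typing import Dict, Optional

INVITE_TTL = 7 * 24 * 3600  # seconds; an assumption, not a Kinto setting


class AccountStore:
    def __init__(self, now=time.time):
        self.now = now
        self.accounts: Dict[str, dict] = {}  # "account:natim" -> {"methods": set()}
        self.invites: Dict[str, dict] = {}   # sha256(token) -> {"account": ..., "expires": ...}
        self.links: Dict[str, str] = {}      # "portier:a@b.c" -> "account:natim"

    def create_account(self, name: str) -> str:
        """Create an account that has no password and no authentication method yet."""
        account_id = f"account:{name}"
        self.accounts[account_id] = {"methods": set()}
        return account_id

    def create_invitation(self, account_id: str) -> str:
        """Return the URL-safe token to embed in the emailed/texted link.

        Only the SHA-256 of the token is stored, so a database leak does not
        hand out usable invitation links.
        """
        if account_id not in self.accounts:
            raise KeyError(account_id)
        token = secrets.token_urlsafe(32)
        self.invites[hashlib.sha256(token.encode("utf-8")).hexdigest()] = {
            "account": account_id,
            "expires": self.now() + INVITE_TTL,
        }
        return token

    def accept_invitation(self, token: str, authenticated_principal: str) -> str:
        """Called once the guest has authenticated on the link.

        Consumes the token (single use, even if the checks below fail) and binds
        the principal to the invited account. Returns the account id.
        """
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        invite = self.invites.pop(key, None)
        if invite is None:
            raise PermissionError("unknown or already used invitation")
        if self.now() > invite["expires"]:
            raise PermissionError("invitation expired")
        existing = self.links.get(authenticated_principal)
        if existing is not None and existing != invite["account"]:
            # One login identity must not silently take over a second account.
            raise PermissionError("principal already linked to another account")
        self.links[authenticated_principal] = invite["account"]
        self.accounts[invite["account"]]["methods"].add(authenticated_principal)
        return invite["account"]

    def resolve(self, authenticated_principal: str) -> Optional[str]:
        """What every later request does: map the method's principal to the account."""
        return self.links.get(authenticated_principal)
```

Permissions and group memberships are attached to the account ID, not to the principal, which is what lets an administrator set the account up before anyone has logged in and what lets a second method (an FxA login after a Portier one) reach the same data.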