Hi there,
I have created a prototype of my application and it is working! Incredible…
Currently my prototype is completely unauthenticated and I would now like to start adding authentication. But having read around the forums a little on authentication for applications, I suddenly realised how little I knew about the topic beyond email/password type authentication schemes.
I was looking for some module that would “do it all for me”.
After reading said forum posts, it was made clear by several power users that no such module exists because there are lots of different ways of authenticating and it's really a per-application decision as to how you will authenticate your resources. All of this makes sense to me.
This is what I know about my application so far:
- It is most likely to be accessed from within the LMS (Moodle, Blackboard etc.) of Universities who have an identity provider that can authenticate users on my behalf (e.g. Shibboleth or something similar). If an institution adopts my application, I plan on working with them 1 on 1 to integrate their authentication scheme. But I thought it would be beneficial to provide support for common identity providers out of the box so that it is an attractive option for Universities to use my platform. Having worked inside universities, I know how much resistance there can be to adopting new platforms that don’t follow their rules.
While I would also like to support single users at a later date who want to get access to my free and paid content, this is not the major focus of my initial release and will be likely to be something that is added later.
I have currently defined the following two roles in my system:
- Educator (someone who can create and edit content)
- Student (someone who can view content)
While there is a relationship between students and what content they can access, I don’t feel this needs to be strictly enforced at a database level and would effectively be controlled by the LMS of an organisation when the educators publish courses. It is up to the educators who they want to share content created on my platform with.
As long as they are an authenticated user, then that is fine with me. I might consider locking it down to making sure that the student is from the same organisation as the educator who created the content. The super cautious among us might think that this would still mean that content on my application created for a Nursing student could still be accessed by an Engineering student (if they were manually provided the link) - but I see no great security risk in this, let alone there being much chance of a University student having any interest in content from a different department. I hope that attitude is not considered lax on my part.
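As an added illustration (not code from the original post), here is one way the two roles and the optional "same organisation" rule above could be derived from what a Shibboleth-style identity provider releases. The attribute names are from the eduPerson schema; the affiliation-to-role mapping and the data classes are assumptions made for this example.

```python
# Added example: map released SAML attributes to the post's two roles and
# enforce the optional same-organisation rule. Mapping policy is assumed.
from dataclasses import dataclass

# Assumed mapping from eduPersonScopedAffiliation values to app roles.
EDUCATOR_AFFILIATIONS = {"faculty", "staff", "employee"}
STUDENT_AFFILIATIONS = {"student"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    organisation: str  # scope part of the affiliation, e.g. "example.edu"
    role: str          # "educator" or "student"


@dataclass(frozen=True)
class Content:
    owner_id: str
    owner_organisation: str


def principal_from_attributes(attrs: dict) -> Principal:
    """Build a Principal from released attributes. Raises ValueError when
    the release cannot be mapped: such a user is authenticated by the IdP
    but gets no role, and therefore no access, by default."""
    pairs = []
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.partition("@")
        if scope:
            pairs.append((affiliation.lower(), scope.lower()))
    scopes = {scope for _, scope in pairs}
    if len(scopes) != 1:
        raise ValueError("expected exactly one organisation scope")
    affiliations = {affiliation for affiliation, _ in pairs}
    if affiliations & EDUCATOR_AFFILIATIONS:   # educator wins if both present
        role = "educator"
    elif affiliations & STUDENT_AFFILIATIONS:
        role = "student"
    else:
        raise ValueError("no affiliation maps to an application role")
    return Principal(attrs["eduPersonPrincipalName"], scopes.pop(), role)


def may_edit(p: Principal, c: Content) -> bool:
    # Only the educator who created the content may edit it.
    return p.role == "educator" and p.user_id == c.owner_id


def may_view(p: Principal, c: Content, same_org_only: bool) -> bool:
    # Any role-mapped user may view; optionally restrict to the owner's org.
    return not same_org_only or p.organisation == c.owner_organisation
```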
Anyway, this is turning into quite a long-winded post and part of me feels like I might be thinking about this a little too soon, but part of me also realises that how easily my system can be integrated into the existing IT systems of educational institutions will be an important selling feature of my application… assuming I ever get a sale.
While this has pretty much turned into a “Dear Diary” post… I guess the vague questions I have are:
- Is there a particular process that is recommended for planning out authentication schemes into your application?
- When is a good time to start integrating authentication into your application?
- Am I going insane?!