Alberto Pérez de Rada Fiol
Should all forems share an authentication system?

Hey! 👋 It's nice to be here!

I wonder if it would make sense to have a shared authentication system among all forems. I'm not sure if "authentication system" is the correct concept for the feature I'm picturing, so let me try to explain how it would work so we are all on the same page:

  • A user visits a forem, whose community they want to join. They register and create their profile, which gets saved into an upstream database.
  • Later on, the same user visits another forem, whose community they also want to join. Instead of registering again and creating a new profile from scratch, their information is fetched from the upstream database. Everything could be ready to go in ONE click!

I think this would provide a better user experience. What do you think about this?

Top comments (9)

Ben Halpern

This comes into the topic of pseudo-centralization, where we offer one centralized forem identification.

We want Forem to work in such a way where it doesn't need this centralized approach, but yes, I think a central Forem authentication service is probably something that should exist to complement things.

We could build a central forem.com identity management app which plugs into Forems and gives folks functionality to simplify their identity across platforms. It's important that individual forems remain independent, and also that the ecosystem "trust" us (just as they do Twitter, Google, GitHub and any other auth providers)...

All that is to say, it's good you bring it up. If we didn't want to value the decentralized components of this system and went the "traditional" authoritarian route, we might have already built this. It's probably a natural step to have some components of optional pseudo-centralization.

Meghan

I think the idea is more about making forem somewhat federated in regards to account management.

ie there's forem.dev and dev.to and allowing a user to, for example, sign up for forem.dev with their dev.to account and so on. thus, instead of going to one of the configured oauth2 providers, forem.dev would query dev.to for my user info.

Ben Halpern

Yup, I've definitely had this thought. Each Forem itself already kind of has that functionality. We never developed it generally (only used it for a few key cross-posting use-cases), but built it so it could be expanded that way.

In thinking through the near future, I eventually started thinking that the first order of business would be creating a central Forem auth system as a start because I think the total federation model can be really confusing for folks outside the tech bubble..... But as an option we build in after (or maybe in parallel) it could be a really really cool way for folks to manage their presence. The two concepts could also have some interplay. e.g. the forem.com auth system wouldn't allow two forems to speak to one another or know that this user is authed in both places because that knowledge is private, but in some cases it could make perfect sense to auth some communities together explicitly.
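Added example (not part of the thread and not Forem's code): one way a central identity service could keep two communities from learning that an account belongs to the same person, while still allowing explicit linking, is to release a different HMAC-derived identifier to each community. The class, its method names, the secret and the user id are assumptions made for illustration.

```ruby
require "openssl"

# Hypothetical central identity service; all names here are assumptions.
class PairwiseIdentity
  def initialize(secret)
    @secret = secret # server-side key, never disclosed to any community
    @links = {}      # user_id => { host => shared sector name }
  end

  # The user explicitly opts in to being recognised as one person on these hosts.
  def link!(user_id, hosts)
    names = hosts.map(&:downcase)
    sector = "linked:" + names.sort.join(",")
    names.each { |h| (@links[user_id] ||= {})[h] = sector }
    sector
  end

  # Identifier released to one community. Without a link, every host gets an
  # unrelated value, so comparing identifiers across communities reveals nothing.
  def subject_for(user_id, host)
    host = host.downcase
    sector = @links.dig(user_id, host) || host
    OpenSSL::HMAC.hexdigest("SHA256", @secret, "#{sector}\x00#{user_id}")
  end
end

if __FILE__ == $PROGRAM_NAME
  idp = PairwiseIdentity.new("constructed-demo-secret") # constructed sample key
  %w[dev.to forem.dev].each { |h| puts "#{h}: #{idp.subject_for(1234, h)}" }
  idp.link!(1234, %w[dev.to forem.dev])
  %w[dev.to forem.dev].each { |h| puts "#{h} (linked): #{idp.subject_for(1234, h)}" }
end
```

Linking changes the identifier both communities receive, so a real service would have to migrate existing accounts when a user opts in.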

Andrei Jiroh

What if I want to merge two Forem accounts into one (e.g. forem.dev and dev.to)? How do I combine my user data across Forem instances without a data loss?

Amy

My two pence is that I already have (deliberately) different bios for my Forem and Dev accounts. I've also chosen different UI so that I can easily recognise which of the two I am on. I like the idea of having my somewhat separate accounts, but they are both using my GitHub login

Ben Halpern

Yup, I think it's important that people can genuinely be different people in different scenarios— We just need to do it as friendly as possible because the complexity of management could grow pretty quickly.

Meghan

yeah if this was to be implemented, it would be key to not make it mandatory.

rhymes

Hi Alberto!

In this discussion started by James Turner in my post about API v1 we ended up also talking about authentication.

As we're not a multi tenant architecture my initial thoughts were to lean towards a decentralized architecture, both for trust reasons (Forem's code can be changed, so there's no, at least at the present moment, way to trust a Forem installation that's not managed by Forem the company), for security and for privacy. StackExchange comes up often in comparison.

As you can imagine this is very much an open discussion that includes possible requirements that we haven't foreseen (like the need for a centralized alternative as Ben mentioned), possible technical limitations and privacy concerns on user management.

Some of these surfaced in the discussion in that post, like "should a user profile be portable between Forems, and what if a person wants to be someone else on another Forem?" or "should the Forems know about any of the other profiles that this human impersonates if they decide to "link"?".

Should there be a foremauth.com/1234 which universally represents rhymes across forems? Does rhymes actually care to have a central profile panel? Should the person just make new accounts if they don't want to be linked to the others in that particular Forem?

Lisa Sy

Hey there, I'm a lead product designer at Forem, and I'm going to be looking into this user experience to make sure that it is sensible while fulfilling the technical constraints we're setting out :)

I want to share a few ideas for user stories to gut check my design explorations around how people belong to multiple Forem communities. Can you let me know if this is an exhaustive enough list?

  1. Someone signs up for a Forem community for the first time.

    • They were invited to a private community.
    • They were invited to join a public community.
    • They discovered a public community to join.
  2. Someone with an existing Forem account joins a new community.

    • They onboard to a new community.
    • They switch between communities.
  3. Someone signs out of one community.

    • Do they sign out of only that one community? (de-centralized)
    • Do they sign out of all communities? (centralized)