Using OpenID for site administration
So I've read over several questions here about the pros and cons of using only OpenID for your website/app. Every question I read seemed to be in the context of OpenID for your users/visitors. What I am considering is using it for the administrative portion of the web app as well.
Is this nuts?
It seems counterproductive to go with OpenID only for the consumer-facing portion of our web app (to both decrease dev time and reduce sign-up friction) but then spend the time to build an authentication/authorization system for the administrative portion of our app.
The administration with OpenID would be implemented with a white list in the DB so not just anybody could stumble into the admin area and start making changes.
I've also toyed with the idea of breaking the administration (FWIW it's implemented as an ASP.NET MVC area) totally out of the app and into a secondary locked down VPN connection but that seems extreme.
I've done the same thing with OpenID. In my scenario a user has to be manually granted administrative privileges. But as far as infrastructure goes, everything else is identical to the way a typical user's login works.
As long as you can trust the OpenID providers that your administrator(s) are using, then I think it's reasonable enough to do this.
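One way to implement the whitelist check discussed in the question and the answer above, as an added example that is not code from either poster. It matches the exact claimed identifier and also pins the provider endpoint that is expected to assert it, denying on anything malformed. `AdminAllowlist`, `Grant`, `IsAdmin` and the example.com/example.net URLs are hypothetical, and it assumes the OpenID library has already verified the assertion and exposes both values.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not from the post): gate for the admin area.
public sealed class AdminAllowlist
{
    // Claimed identifier -> the provider endpoint expected to assert it.
    // In the app described above these rows would live in the DB whitelist.
    private readonly Dictionary<string, string> _admins =
        new Dictionary<string, string>(StringComparer.Ordinal);

    public void Grant(string claimedId, string providerEndpoint)
    {
        _admins[Canonical(claimedId)] = Canonical(providerEndpoint);
    }

    // Call only with values from an assertion the OpenID library has verified.
    public bool IsAdmin(string claimedId, string providerEndpoint)
    {
        if (string.IsNullOrEmpty(claimedId) || string.IsNullOrEmpty(providerEndpoint))
            return false;
        try
        {
            string expected;
            return _admins.TryGetValue(Canonical(claimedId), out expected)
                && string.Equals(expected, Canonical(providerEndpoint), StringComparison.Ordinal);
        }
        catch (UriFormatException) { return false; } // malformed or non-HTTPS: deny
    }

    // Uri lower-cases scheme and host; path and fragment stay case-sensitive.
    private static string Canonical(string url)
    {
        var uri = new Uri(url, UriKind.Absolute);
        if (uri.Scheme != Uri.UriSchemeHttps) throw new UriFormatException("HTTPS required");
        return uri.AbsoluteUri;
    }
}

public static class Demo
{
    public static void Main()
    {
        var admins = new AdminAllowlist();
        // Constructed sample identities; example.com/example.net are placeholders.
        admins.Grant("https://id.example.com/alice", "https://id.example.com/server");
        Console.WriteLine(admins.IsAdmin("https://ID.example.com/alice", "https://id.example.com/server"));  // host case differs
        Console.WriteLine(admins.IsAdmin("https://id.example.com/alice2", "https://id.example.com/server")); // look-alike identifier
        Console.WriteLine(admins.IsAdmin("https://id.example.com/alice", "https://id.example.net/server"));  // different provider
    }
}
```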