cancel
Showing results for 
Search instead for 
Did you mean: 

Composer Authentication Approach

SOLVED

Composer Authentication Approach

Hi Alan, 

I was looking to get your thoughts on the recommended approach for Composer Auth.json  and Magento 2.
For Magento Enterprise I imagine we would use the clients Enterprise Account so that's pretty straight forward. 

 

Community Edition Approach
However for Magento Community edition would the Agency / Developer use a generic key which belongs to them or ask the client to create an account at Magento and use a key which belongs to them.

 

Module purchases registered to accounts
The reason I ask is that I understand that future module purchases made through connect will be stored in the users account and registered to the authentication key. 

 

For paid modules that are purchased through connect if the agency / developer is using a generic key this would cause problems if the client ever wishes to move to another development partner.  

 

I would appreciate your thoughts on this. 

 

Cheers

 

Ian

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Composer Authentication Approach

Yes, the keys are used to access purchases (including free things you want to use - so your "toolbox" does not get flooded with lots of free extensions you are not interested in). The "toolbox" (I just made that name up - "personal composer repository" is more accurate) for example comes up in the web UI "Component Manager" for checking for patches etc.

 

The longer term idea is to really have a set of credentials representing a "project" where a project here I mean "needs to purchase its own license". For example, a solution provider cannot buy one license to an extension and use it for 10 different customers - they need 10 purchases. (I don't remember if some extensions have restrictions on how many domain names they can be used for - if so, those extensions might require a merchant to make multiple purchases - I don't recall the details here, but this is the only reason I used the word "projec" instead of "merchant".)

 

It won't be there day one, but the other pattern we are thinking through is we know partners will want to purchase extensions on behalf of a merchant to get a project up and going, then transfer ownership to the merchant. The merchant wants the ability to change solution partners later as well. So we are going to have more sophisticated key management to allow the transfer of "ownership rights" from purchaser (solution partner) to someone else (merchant) - but there are some security aspects to work through. Don't want a ring of people "sharing" an extension without paying! Still thinking this one through.

 

In short term, my advice is to get the merchant to do the purchase and share their access right keys with the partner. It keeps the ownership where it should end up.

View solution in original post

2 REPLIES 2

Re: Composer Authentication Approach

Yes, the keys are used to access purchases (including free things you want to use - so your "toolbox" does not get flooded with lots of free extensions you are not interested in). The "toolbox" (I just made that name up - "personal composer repository" is more accurate) for example comes up in the web UI "Component Manager" for checking for patches etc.

 

The longer term idea is to really have a set of credentials representing a "project" where a project here I mean "needs to purchase its own license". For example, a solution provider cannot buy one license to an extension and use it for 10 different customers - they need 10 purchases. (I don't remember if some extensions have restrictions on how many domain names they can be used for - if so, those extensions might require a merchant to make multiple purchases - I don't recall the details here, but this is the only reason I used the word "projec" instead of "merchant".)

 

It won't be there day one, but the other pattern we are thinking through is we know partners will want to purchase extensions on behalf of a merchant to get a project up and going, then transfer ownership to the merchant. The merchant wants the ability to change solution partners later as well. So we are going to have more sophisticated key management to allow the transfer of "ownership rights" from purchaser (solution partner) to someone else (merchant) - but there are some security aspects to work through. Don't want a ring of people "sharing" an extension without paying! Still thinking this one through.

 

In short term, my advice is to get the merchant to do the purchase and share their access right keys with the partner. It keeps the ownership where it should end up.

Re: Composer Authentication Approach

Hi Alan, 

 

Thanks for clearing this up for me, looking forward to a key management solution. 

 

Ian