From 4c8c4aa1446bbcce6f26fe3d380f1743d182f0c6 Mon Sep 17 00:00:00 2001 From: Nick O'Leary Date: Sun, 24 Aug 2014 14:49:30 -0700 Subject: [PATCH] Created Design: multiuser (markdown) --- Design:-multiuser.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 Design:-multiuser.md diff --git a/Design:-multiuser.md b/Design:-multiuser.md new file mode 100644 index 0000000..cbab487 --- /dev/null +++ b/Design:-multiuser.md @@ -0,0 +1,19 @@ +Node-red is currently a userless system. Anyone can point their browser at the runtime and edit the active flows. + +When we talk about multiuser/multitenancy, there are a number of things that could mean. + +* An editor that can be logged into by multiple users +* A runtime that runs the flows of multiple users + +There are no immediate plans to change the runtime to support multiple, isolated flows. This item is focussed on what changes are needed in the editor and api to support multiple users. + +An alternative runtime could be conceived that serves the editor and forwards individual user requests to individual runtime instances. + +This must also consider how to seamlessly migrate from being userless to having a default user. + +--- + +Need to investigate choices for authentication mechanism between a client and the runtime. It might not just be the editor; should be possible to secure http nodes using the same mechanism. + +Is OAuth 2.0 - Resource Owner Password Credentials Grant (RFC 6749, Section 4.3) - a good starting point? +
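Review bot: the last added paragraph proposes the Resource Owner Password Credentials Grant (RFC 6749, Section 4.3) as a starting point without recording the constraint that comes with it: in that grant the client collects the user's password itself, so it only fits a client the user fully trusts, such as the project's own editor. The paragraph before it says the same mechanism should also secure http nodes, where the caller may not be the editor, so the doc should state which clients are in scope for the password grant and list the questions the investigation has to answer (token lifetime and storage in the browser, whether TLS is required, how an http node validates a token). The added text also covers authentication only; for "An editor that can be logged into by multiple users" it would help to add an open item on authorization (who may edit or deploy the active flows), and to say what credential the "default user" holds after migrating from the userless state. Minor: "Node-red" and "api" should read "Node-RED" and "API".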