Short of a couple of minor display bugs, I've now finished adding OpenID support to Fabric. Adding support for OpenID logins was pretty easy; I did this a few weeks ago. But tying this in with the existing user account system took a bit more thought. I'd be interested to know if there are any 'best practices' for this sort of thing, particularly in terms of the options you present to a user when they log in with an OpenID for the first time.
As I see it, when integrating OpenID into a system which already has conventional user accounts, there are two approaches:
- Keep your OpenID users completely separate from your normal users, so that users logged in with OpenID can perform some basic functions on the frontend, but to do anything on the backend they need to create a proper account and log in with a conventional username/email and password.
- Link OpenID logins in with user accounts, so when a user logs in with an OpenID for the first time you create a user account for them, using data from simple registration (sreg) if available.
The first option would be easier to implement, but if users have to create a normal account to do anything substantial then they have a new username and password to remember, and you've lost the main benefit of OpenID. So I went for option two.
The next decision was how transparent to make this account creation step. When a user logs in with an OpenID for the first time, if the data you get back from sreg contains all the info you need to create a user account, this whole process could be transparent. But what if you didn't get any data back from sreg (every sreg field is optional, and the provider only returns what the user chose to release), or what if the user wanted to use a different email address on your site? So, when you log in to this site for the first time with an OpenID, you're presented with an account creation form with the data from sreg pre-filled. Just hit submit if it's all there, or you can change it first. You only have to do it once.
The next problem was what to do with email addresses. When a user creates a conventional account in Fabric, their email address is validated (they have to click on an activation link that is emailed to them). If we get an email address from sreg, can we guarantee that they own this? No: sreg values are entered by the user at their provider, and the provider does not vouch for them, so an address from sreg is no more trustworthy than one typed straight into the registration form (and it should never, on its own, be used to attach an OpenID to an existing account that has that address). So do we validate this before the user can do anything on the site (thus putting back in the barriers to entry OpenID tries to remove)? Or do we just not validate email addresses in accounts created by OpenID? I'm not sure what the answer is to this one. For now, if OpenID is enabled on a site, email addresses are not validated; but this is a less than ideal solution.
So that's the basic functionality in place. At some point I'll have to add a way for users to link more than one OpenID to an account (preferably at login, so they don't end up creating duplicate accounts on the system), but this will require some more thought.
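The flow described above, as an added example that is not Fabric's own code: pre-fill the one-time registration form from whatever sreg returned, create the account with the email left unverified (whether it came from sreg or was typed in), log the user straight in on later visits, and attach a further OpenID only to an account the user is already logged in to. The sreg field names are the real Simple Registration ones; the `User`/`UserStore` classes, the activation-token handling and the sample data are assumptions made for this example.

```python
# Added example, not Fabric's code. User/UserStore and the token handling are
# assumptions; the sreg field names are the real Simple Registration 1.0 ones.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SREG_FIELDS = ("nickname", "email", "fullname")  # fields the registration form uses (assumed)


@dataclass
class User:
    username: str
    fullname: str
    email: str
    email_verified: bool = False            # always False until the activation link is used
    activation_token: Optional[str] = None
    openids: set = field(default_factory=set)


class UserStore:
    """In-memory stand-in for the site's user table (assumption)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}          # username -> User
        self.openid_owner: Dict[str, str] = {}    # claimed OpenID URL -> username

    def find_by_openid(self, claimed_id: str) -> Optional[User]:
        name = self.openid_owner.get(claimed_id)
        return self.users.get(name) if name else None


def prefill_registration(sreg: Dict[str, str]) -> Dict[str, str]:
    """Build the one-time account form from whatever sreg returned.

    Every sreg field is optional and self-asserted: the provider returns only
    what the user chose to release and vouches for none of it, so each value
    is just a default the user can edit before submitting.
    """
    return {f: sreg.get(f, "").strip() for f in SREG_FIELDS}


def complete_first_login(store: UserStore, claimed_id: str, form: Dict[str, str]) -> User:
    """Create the account when the (possibly edited) form is submitted.

    The email is stored unverified with an activation token, exactly as for a
    conventional signup: an sreg address is no more trustworthy than a typed one.
    """
    if store.find_by_openid(claimed_id):
        raise ValueError("this OpenID is already attached to an account")
    username = form.get("nickname", "")
    if not username:
        raise ValueError("a username is required")
    if username in store.users:
        raise ValueError("username already taken")
    email = form.get("email", "")
    user = User(username=username, fullname=form.get("fullname", ""), email=email,
                email_verified=False,
                activation_token=secrets.token_urlsafe(16) if email else None,
                openids={claimed_id})
    store.users[username] = user
    store.openid_owner[claimed_id] = username
    return user


def login_with_openid(store: UserStore, claimed_id: str) -> Optional[User]:
    """After a verified OpenID assertion: the linked account, or None, meaning
    'show the first-login registration form'."""
    return store.find_by_openid(claimed_id)


def link_openid(store: UserStore, logged_in: User, claimed_id: str) -> User:
    """Attach another OpenID to an account the user is *already* logged in to.

    This is the only path that joins an OpenID to an existing account. Never
    match on the sreg email instead: anyone can run a provider that asserts
    somebody else's address, so that would hand over the matching account.
    """
    owner = store.find_by_openid(claimed_id)
    if owner is not None and owner is not logged_in:
        raise ValueError("this OpenID already belongs to another account")
    logged_in.openids.add(claimed_id)
    store.openid_owner[claimed_id] = logged_in.username
    return logged_in


def demo() -> UserStore:
    """Walk through the flow with constructed sample data."""
    store = UserStore()
    # Constructed sample sreg responses: one provider released everything,
    # another released nothing at all.
    assert prefill_registration({}) == {"nickname": "", "email": "", "fullname": ""}
    form = prefill_registration({"nickname": "alice", "email": "alice@example.com",
                                 "fullname": "Alice"})
    form["email"] = "alice@example.org"      # user edits the address before submitting
    alice = complete_first_login(store, "https://alice.example.com/", form)
    assert login_with_openid(store, "https://alice.example.com/") is alice  # next visit: no form
    link_openid(store, alice, "https://openid.example.net/alice")            # while logged in
    return store
```

The design choice is that nothing other than the OpenID URL itself, or an already-authenticated session, ever decides which account a login lands in; the email address only influences what gets pre-filled and what the activation mail is sent to.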