
Question on OAuth & Authlogic #2

Open
ephekt opened this issue Sep 29, 2010 · 6 comments

Comments

@ephekt

ephekt commented Sep 29, 2010

Hi,

Great sample app. It's worked pretty well so far. I noticed one thing, though: when I moved from one host (Heroku) to another (local machine), pulled down my DB (all tokens & data in the DB) and tried to log in, it created a new user (the e-mail now existed twice in the users table, with different tokens, it looked like). Is the OAuth, via Gmail, per-domain? Is OpenID per-domain might be the better question? I'm trying to understand this... It's a bummer that the migration lost all my users (fortunately there were only 20-ish).

@shripadk
Owner

Yes, OpenID/OAuth is per domain. As you said, it will end up with 2 accounts for the same email ID because the OpenID/OAuth provider sees a new domain. There is, AFAIK, no way to make the provider accept a different domain other than the one the request originated from. This is something even I have tried hard to tackle. Any solution you have in mind to prevent this? You cannot make the email field unique in the migrations either, as that would result in you never being able to log in from any domain other than the one you created the user from.

@ephekt
Author

ephekt commented Sep 29, 2010

Since the OpenID can pass back an e-mail address, and we trust the sender of the OAuth token in the first place, can't we make the e-mail address a primary key (such that if no e-mail is provided we ask for one and then store the OpenID identifier against that e-mail address)? Here's my thought process:

  1. I want a way to globally refer to a user -- e-mail has proven to be the best attribute for this.
  2. I don't want a user to have to log in with a password, but OpenID should serve as a password. StackOverflow operates a bit like this... http://stackoverflow.com/users/login?returnurl=/

If you try to log in using a different OpenID, it will tell you an account does not exist (it does not auto-register) and then forces the user into thinking about what OpenID site they originally signed up with. Maybe this is just a better flow, but it does not solve the cross-domain issue.

@bmaltzan

bmaltzan commented Oct 5, 2010

Sounds risky to me. Google and Yahoo are OpenID providers. Google lets you create an account with a Yahoo email. Or, if you allow the user to enter a provider URL, they might be able to hijack a website and steal a login by creating their own provider with someone else's email: http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers

I like the way sf.net is doing multiple OpenIDs on one account.

And thanks for your work on this, I'm making progress on my app because of it!

@shripadk
Owner

shripadk commented Oct 6, 2010

@bmaltzan Welcome and Thank you for the link :)

@ephekt
Author

ephekt commented Oct 6, 2010

My idea is to not tie an arbitrary OpenID to an e-mail address, but instead ask the user to log in using the original OpenID and then tie the new OpenID to the old, OpenID-verified, account. Similar to how StackOverflow operates.

@bmaltzan

bmaltzan commented Oct 6, 2010

@ephekt I see, sounds good. Rpx_now has a good solution for remembering the last OpenID provider: it stores it in a cookie: https://rpxnow.com/docs#sign-in_interface
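The linking flow ephekt proposes (a new OpenID is attached only to an account the user has already signed in to, and an e-mail match alone never merges accounts) together with the caveat bmaltzan raises (a user-chosen provider can assert any e-mail it likes), as an added example. This is not the sample app's code and not Authlogic's API: it is plain Ruby with an in-memory store so it runs without Rails, and every class, method and field name in it is hypothetical. Multiple identities per user, as on sf.net, fall out of keying identities by (provider, claimed identifier) rather than by e-mail.

```ruby
require 'securerandom'

# Added example, not the sample app's code. Plain Ruby with an in-memory store
# so it runs without Rails or Authlogic; in a real app User and Identity would
# be ActiveRecord models and #callback would live in the OpenID/OAuth callback
# action. All names here are hypothetical.

User     = Struct.new(:id, :email)
# One row per (provider, claimed identifier) pair; several may point at one user,
# which is what lets an account carry more than one OpenID.
Identity = Struct.new(:provider, :uid, :user_id)

class IdentityStore
  attr_reader :users, :identities

  def initialize
    @users = {}       # user id => User
    @identities = {}  # [provider, uid] => Identity
  end

  def create_user(email)
    user = User.new(SecureRandom.uuid, email)
    @users[user.id] = user
  end

  def find_user_by_email(email)
    @users.values.find { |u| u.email && u.email.casecmp?(email) }
  end

  def find_identity(provider, uid)
    @identities[[provider, uid]]
  end

  def link(user, provider, uid)
    @identities[[provider, uid]] = Identity.new(provider, uid, user.id)
  end

  def identities_for(user)
    @identities.values.select { |i| i.user_id == user.id }
  end
end

# :status is what the controller would act on; :user is the account involved
# (for :login_required it is only used to phrase the message, never to start a session).
Outcome = Struct.new(:status, :user)

class OpenIdLogin
  def initialize(store)
    @store = store
  end

  # assertion:    the already-verified provider response, e.g.
  #               { provider: "google", uid: "<claimed id>", email: "a@example.com" }
  # current_user: the User already signed in, or nil.
  def callback(assertion, current_user: nil)
    provider, uid, email = assertion.values_at(:provider, :uid, :email)
    identity = @store.find_identity(provider, uid)

    if identity
      owner = @store.users[identity.user_id]
      # A known identity signs its owner in. It is never re-pointed at whoever
      # happens to be signed in, so one identity belongs to exactly one account.
      return Outcome.new(:logged_in, owner) if current_user.nil? || current_user.id == owner.id
      return Outcome.new(:identity_taken, current_user)
    end

    if current_user
      # Signed-in user adds another identity: the flow proposed in the thread.
      @store.link(current_user, provider, uid)
      return Outcome.new(:linked, current_user)
    end

    # Unknown identity and nobody signed in. Without an e-mail we have nothing
    # to register the account under, so ask for one.
    return Outcome.new(:email_required, nil) if email.nil? || email.empty?

    if (existing = @store.find_user_by_email(email))
      # The e-mail belongs to an existing account but this identity was never
      # linked to it. Do not merge on the e-mail alone: the provider that asserted
      # it may be one the user picked. Require sign-in with a linked identity first.
      return Outcome.new(:login_required, existing)
    end

    user = @store.create_user(email)
    @store.link(user, provider, uid)
    Outcome.new(:registered, user)
  end
end

if $PROGRAM_NAME == __FILE__
  store = IdentityStore.new
  login = OpenIdLogin.new(store)
  alice = login.callback({ provider: "google", uid: "id-from-old-realm", email: "alice@example.com" }).user
  # Constructed input: after a domain move the same provider hands out a new identifier.
  puts login.callback({ provider: "google", uid: "id-from-new-realm", email: "alice@example.com" }).status
  puts login.callback({ provider: "google", uid: "id-from-new-realm" }, current_user: alice).status
end
```

Note what this does and does not solve for ephekt's migration: the new domain yields a new claimed identifier, so the second sign-in returns `:login_required` instead of creating a duplicate user, but, as shripadk says, the old identifier cannot be exercised from the new domain, so the user still needs some other linked identity (or another sign-in method) on the account before the new one can be attached.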
