Question on OAuth & Authlogic #2
Comments
Yes, OpenID/OAuth is per domain. As you said, it will end up with 2 accounts for the same email id because the OpenID/OAuth provider sees a new domain. There is, AFAIK, no way to make the provider accept a different domain other than the one the request originated from. This is something even I have tried hard to tackle. Any solution you have in mind to prevent this? You cannot make the email field unique in the migrations either, as that would result in you never being able to log in from any other domain other than the one you created the user from.
Since the OpenID can pass back an e-mail address, and we trust the sender of the OAuth token in the first place, can't we make the email address a primary key (such that if no e-mail is provided we ask for one and then store the OpenID identifier along with that e-mail address)? Here's my thought process:
If you try to log in using a different OpenID it will tell you an account does not exist (does not auto-register) and then forces the user into thinking about what OpenID site they originally signed up with. Maybe this is just a better flow, but it does not solve the cross-domain issue.
Sounds risky to me. Google and Yahoo are OpenID providers. Google lets you create an account with a Yahoo email. Or, if you allow the user to enter a provider URL, they might be able to hijack a website and steal a login by creating their own provider with someone else's email: http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers I like the way sf.net is doing multiple OpenIDs on one account. And thanks for your work on this, I'm making progress on my app because of it!
@bmaltzan Welcome and thank you for the link :)
My idea is to not tie an arbitrary open id to an e-mail address, but instead ask the user to login using the original open id and then tie the new openid to the old, openid verified, account. Similar to how StackOverflow operates. |
@ephekt I see, sounds good. Rpx_now has a good solution for remembering the last OpenID provider, it stores it in a cookie: https://rpxnow.com/docs#sign-in_interface
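The two points made above (don't resolve a login by a provider-asserted email, and only attach a new OpenID to an account the user has already authenticated into) can be sketched as a small in-memory model. This is an added example written for this thread, not code from the sample app or from Authlogic; the `IdentityStore` class, its method names and the provider/identifier strings are all constructed for illustration. As the thread itself notes, this flow does not solve the cross-domain case where a directed-identity provider hands the same user a different identifier on the new domain; it only prevents a second account or a takeover from being created via an email match.

```ruby
# Added example, not from the sample app or Authlogic.
# Models accounts with any number of linked OpenID identities. The email is
# contact data only; login is resolved solely by (provider, identifier).
require 'set'

class IdentityStore
  Account = Struct.new(:id, :email, :identities)

  def initialize
    @accounts = {}        # account id => Account
    @identity_index = {}  # [provider, identifier] => account id
    @next_id = 1
  end

  # First-time sign-up through a provider: creates an account and records the
  # verified identity. The email is stored but is never used as a login key.
  def register(provider:, identifier:, email:)
    key = [provider, identifier]
    raise ArgumentError, 'identity already registered' if @identity_index.key?(key)
    account = Account.new(@next_id, email, Set.new([key]))
    @accounts[account.id] = account
    @identity_index[key] = account.id
    @next_id += 1
    account
  end

  # Login: only an identity that was previously recorded resolves to an
  # account. An unknown identity returns nil even if the email the provider
  # asserts matches an existing account (no auto-register, no email match).
  def login(provider:, identifier:, email: nil)
    _ = email # accepted from the provider response but deliberately ignored
    id = @identity_index[[provider, identifier]]
    id && @accounts[id]
  end

  # Linking: the caller must pass an account obtained from login, i.e. the
  # user already proved control of an existing identity in this session, so a
  # new provider identity cannot be attached to someone else's account.
  def link(account, provider:, identifier:)
    key = [provider, identifier]
    raise ArgumentError, 'identity already linked to an account' if @identity_index.key?(key)
    account.identities << key
    @identity_index[key] = account.id
    account
  end
end

# Walk-through with constructed identities.
def demo
  store = IdentityStore.new
  alice = store.register(provider: 'https://me.yahoo.com/',
                         identifier: 'https://me.yahoo.com/alice',
                         email: 'alice@example.com')

  # A self-hosted provider asserting alice's email does not resolve to alice.
  hijack = store.login(provider: 'https://provider.attacker.example/',
                       identifier: 'https://provider.attacker.example/someone',
                       email: 'alice@example.com')

  # Alice logs in with her original identity, then links a second provider.
  session = store.login(provider: 'https://me.yahoo.com/',
                        identifier: 'https://me.yahoo.com/alice')
  store.link(session, provider: 'https://www.google.com/accounts/o8/id',
                      identifier: 'https://www.google.com/accounts/o8/id?id=constructed')

  relogin = store.login(provider: 'https://www.google.com/accounts/o8/id',
                        identifier: 'https://www.google.com/accounts/o8/id?id=constructed')

  { hijack: hijack, same_account: relogin && relogin.id == alice.id,
    identities: alice.identities.size }
end

p demo if $PROGRAM_NAME == __FILE__
```

In a real Rails app the `@identity_index` hash would be a separate `identities` table with a unique index on `(provider, identifier)` and a foreign key to `users`, and `link` would be reachable only from a controller action behind a `require_user` filter; the uniqueness constraint belongs on the identity pair, not on the email column, which is exactly the migration problem raised earlier in the thread.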
Hi,
Great sample app. It's worked pretty well so far. I noticed one thing though: when I moved from one host (heroku) to another (local machine), pulled down my DB (all tokens & data in the db) and tried to log in, it created a new user (the e-mail existed twice in the users table now, with different tokens it looked like). Is the OAuth, via GMail, per-domain? "Is OpenID per-domain?" might be a better question. I'm trying to understand this... It's a bummer that the migration lost all my users (fortunately there were only 20-ish).