With OpenID auto-registration, account registration is very fast. Perhaps too fast.
As a new user on a site, when you enter your OpenID in the login field for the first time and press “Log in”, an account is created instantaneously, assuming your OpenID provider supports Simple Registration and you have filled in a preferred username and email address. I suggest adding a confirmation page.
Consider these two situations:
- You are an avid OpenID user and have several OpenID identities. You have previously registered an account on the Drupal site, but you have forgotten which OpenID you used. You would like to try them one at a time, but - bang - each time you try, you create a new account.
- You would like to register using OpenID, but on this particular site you would like to use another username than usual (e.g. if you don't want to reveal your identity to other users on the site). But when you try to sign up, your account is created with your usual username, and users may not be allowed to change their username afterwards on the site (depending on the
change own username
permission).
This patch adds a confirmation page with the username and email fields prefilled with the values provided by the OpenID profile. The user may change these before submitting the form.
By unifying the registration process, so the process is the same no matter whether your OpenID profile contains sufficient and valid information or not, the warning message recently introduced in #216101: OpenID fails to auto-register account: Username invalid, email required is now redundant.
The patch has the nice side effect that it greatly reduces the complexity of the OpenID registration process.
Comment | File | Size | Author |
---|---|---|---|
#17 | openid-confirmation-7.patch | 11.6 KB | c960657 |
#11 | openid-confirmation-5.patch | 12.84 KB | c960657 |
#10 | openid-confirmation-4.patch | 12.86 KB | c960657 |
#9 | openid-confirmation-3.patch | 12.85 KB | c960657 |
#4 | openid-confirmation-2.patch | 12.88 KB | c960657 |
Comments
Comment #1
mcrittenden CreditAttribution: mcrittenden commentedOoooh, removes a nice big chunk in openid_login_validate(). Love that.
Subscribe in hopes of finding a little time to test this soon.
Comment #2
mikl CreditAttribution: mikl commentedAh, this looks very nice. I hope it'll make it for D7 :)
Comment #3
c960657 CreditAttribution: c960657 commentedComment #4
c960657 CreditAttribution: c960657 commentedReroll.
Comment #5
moshe weitzman CreditAttribution: moshe weitzman commentedCool. A UX cleanup that leads to less code. But those use cases are quite obscure IMO. At least MyOpenID supports personas within a given openID. During registration at a new site, it asks which persona you want to send to the client site. If we add a stein Drupal, we have now slowed down this registration with a nearly duplicate step.
This probably still a good idea, just on code cleanliness grounds.
Comment #6
c960657 CreditAttribution: c960657 commentedThis patch contains a string change and thus needs to land before January 15th in order to make it in time for D7.
Comment #7
aspilicious CreditAttribution: aspilicious commentedLets do a quick retest just to be sure it still works. (it probably will)
Comment #9
c960657 CreditAttribution: c960657 commentedReroll (due to #679890: Using "Please" in the interface).
Comment #10
c960657 CreditAttribution: c960657 commentedChasing HEAD.
Comment #11
c960657 CreditAttribution: c960657 commentedReroll.
Comment #12
aspilicious CreditAttribution: aspilicious commented#11: openid-confirmation-5.patch queued for re-testing.
Comment #14
Damien Tournoud CreditAttribution: Damien Tournoud commented#11: openid-confirmation-5.patch queued for re-testing.
Comment #15
Heine CreditAttribution: Heine commentedWon't displaying a claimed_id in case of an OP identifier, confuse the user?
Comment #16
c960657 CreditAttribution: c960657 commentedWe also show the Claimed ID on user/123/openid, so for consistency I think we should show it during registration also. I'm not sure how various providers handle this, but if you enter "yahoo.com", the Claimed ID is shown to the user, when he authenticates at the Yahoo service, so in that case it should be familiar to him/her.
What do other sites/systems supporting OpenID logins do?
Comment #17
c960657 CreditAttribution: c960657 commentedReroll.
The reduction in code complexity is now smaller due to the streamlining that happened recently in #395340: Email verification not enforced with OpenID auto-registration, though it still cuts a good chunk of code (but reduction of code complexity is not the rationale behind this suggested change).
Comment #18
moshe weitzman CreditAttribution: moshe weitzman commentedThanks for reroll. This was a good idea when i reviewed it in #5 and remains good.
Comment #19
Dries CreditAttribution: Dries commentedCommitted to CVS HEAD. Thanks!
Comment #20
Gábor HojtsyUh, while code cleanliness might trump everything, asking a user experience guy/gal or two might have helped before rushing this in. The idea of OpenID support at all is to speed up the registration process. When you use an OpenID, the provider will ask you to confirm to send your stuff to the client anyway, then we'd confirm again just to scare the user off that this is something so important it needs to be confirmed for the same action twice? Yahoo was cited as an example. For me, they ask for confirmation of the site, and prominently display my OpenID that is validated, so don't see a reason to say OK on a similar form on a different site in the same process.
Comment #21
pwolanin CreditAttribution: pwolanin commentedThis is very odd as a required piece of core - I have not used openId with any service that asks for an added confirmation step after I've already confirmed with my openID provider that I wish to proceed.
Moshe says in #5 "we have now slowed down this registration with a nearly duplicate step. " - this seems terrible to me. I suggest we roll this back.
Comment #22
pwolanin CreditAttribution: pwolanin commentedcross post
Comment #23
Gábor HojtsyBefore patch in default Drupal install:
- enter openid
- get redirected to openid provider
- submit form to verify I want to use my openid
- get back to Drupal with a message that I got an email
- go to my email app and wait for mail to arrive
- click in link on email, now logged in
(My identity is already verified twice).
After patch in default Drupal install:
- enter openid
- get redirected to openid provider
- submit form to verify I want to use my openid
- get back to Drupal and see a form with my data
- submit form and see a message that I got an email
- go to my email app and wait for mail to arrive
- click in link on email, now logged in
(My identity is verified three times).
OpenID is supposed to be the simple way to log in / register, isn't it?
Comment #24
Dries CreditAttribution: Dries commentedI rolled back the patch as it clearly needs more discussion, and could use some input from the UX team.
Comment #25
chx CreditAttribution: chx commentedI have not used openId with any service that asks for an added confirmation step after I've already confirmed with my openID provider that I wish to proceed.
No? stackoverflow?
Comment #26
c960657 CreditAttribution: c960657 commentedCode cleanliness was just an added bonus, not the reason why I suggested the change.
Some OpenID providers (e.g. myOpenID) allow you to select between different predefined “personas” each containing a username, email address etc. during authentication, while others (e.g. Google) simply display which information they are about to send to the requesting site. I don't know of any that allows you to change the values on the fly or easily create new personas on the fly, though they may exist.
Using Google I just found a handful of sites that allows account creation using OpenID and created an account on each (I expect to receive loads of
spamnewsletters in the following days). Out of about 15 sites, all except 3 had a confirmation step before creating the account. Of the three, one just registered the account using my SREG information without any confirmation step. Another site prompted me to select a username and enter various other information on the same screen as where I entered my OpenID, i.e. it did not use SREG. A third site created the account immediately without using the SREG information, but let me choose a username afterwords, i.e. selecting a username and password was optional.This is a completely unscientific study, but at least it indicates that having a confirmation step is not completely unusual but perhaps even is the most common approach.
When Drupal is configured to allow users to change their username, removing the confirmation step will not add any user information that cannot be changed later by the user himself, so in that case I think it may be reasonable to remove the confirmation, though I personally prefer that it is there.
Also, considering how rarely most people register new accounts on websites, I think the claims that we scare away users are a bit overstated. But of course we should strive to make the registration process as easy as possible and only keep the obstacles (e.g. email verification) that are necessary.
Comment #27
Gábor HojtsyYes, the point is that the provider already shows you the information and lets you halt the process before it even reaches the Drupal site, so a separate confirmation step on Drupal does not seem to be necessary.
Comment #28
amc CreditAttribution: amc commentedChanging to active, since the latest patch was rolled back and further direction of the issue (as opposed to a patch needing review) is under discussion.
Comment #29
Leeteq CreditAttribution: Leeteq commentedThe _login_ should not _create_ accounts, but return an error if the provided OpenID is not found among the existing users. So it should be possible to try several users and only get errors if unmatched. Only when on the create user account page, should the OpenID module accept new OpenIDs, and of course do the reverse check: not accept if already used.
How does this work in the current D7 beta?
Comment #30
slotid CreditAttribution: slotid commentedopenid-confirmation-1.patch queued for re-testing.
Comment #31
sunComment #32
star-szrI would move this to https://www.drupal.org/project/openid but there is no 8.x version there.
More info:
https://www.drupal.org/node/2116417