A3M - Account Authentication & Authorization Module

[eluser]ShannenName[/eluser]
PK, no reply on Google Code yet? Are you working on it or have you forgotten?

[eluser]Peng Kong[/eluser]
Sorry, reply to what exactly? Your Twitter issue was solved by turning on curl. Your Facebook issue I'm really not sure about, but I don't think it has anything to do with a3m's code.

[eluser]lsemel[/eluser]
I set this up on my localhost today and mostly got it working. It looks very good. Here are some comments and problems I ran into:

1. Would be a good idea to include instructions on how to set up the Twitter or Facebook app in comments in the config file. For example, it took me a while to figure out what the Twitter callback URL should be. For Facebook, if there are any options you need to fill in on the app setup screen, it would be great to have them described here.

2. It would be good if this could call event methods in another class when certain things happen - sign in, sign in via twitter, sign in via facebook, sign out, link to twitter, link to facebook, etc. For instance, whenever someone logs in or links to Twitter, I want to download all their Twitter user info and store it in the profile. I know I can modify the controller classes to do this but it'd be cleaner if I could keep this code in a separate file.

3. I couldn't get Google, AOL or Yahoo to work - it says "____ authentication failed" after the other site redirects back. Is there something special you need to do to set these up? Or do they just not work on 'localhost', only on a real domain?

4. When you link Facebook, MySpace, or OpenID, it takes you to a screen that makes you look like you've been logged out -- the "Sign in" links appear at the top instead of the account links.

5. The "Remove" button does not appear on the linked accounts screen when you have only one linked account.

6. If someone logs in with the form, and then they later log on via Facebook, and the Facebook-provided email == the email they registered originally, is there a way to make it auto-link the accounts?

[eluser]lsemel[/eluser]
A few more

7. Is there an option to require unique emails?

8. If you sign up via one of the other servers, currently you can't set up a password on the site -- the change password link doesn't appear. Is there a configuration to enable this?

[eluser]Peng Kong[/eluser]
Thanks for the pointers lsemel!

1) Yep, the user guide is lacking atm. I have to work on that.
2) OK, let me see how I can change that.
3) "authentication failed" is due to the OpenID lib not being able to call the OpenID endpoint. You should check the error logs and see if there's anything.
4) This is surely a bug! I will fix this.
5) Yes, it's not supposed to appear, because if you remove your LAST linked account there is no way to sign in anymore! At any one time you must have at least 1 account linked to your a3m account. BUT I think I forgot to allow users to remove ALL ... IF ... they are using a native a3m account. I'll change that.
6) The Facebook-provided email will never == the email they registered originally. The Facebook email is anyway [email protected] or something... basically FB masks the email. Also it is designed such that emails can be shared by different accounts and are not a primary key. If you read back a few pages of this thread I explain why it was designed this way.
7) Nope. But now that you're asking I might consider giving such an option. However there are MANY problems with doing that, so again it might not happen. E.g. I registered with YOUR email... now you can't register with your own email. That means we must FORCE email verification, meaning reducing the ease of signin/signup. Among many other reasons too, but I won't go into it. At the end of the day we need to take a few steps back and ask ourselves what purpose emails / unique emails serve. I weighed everything and decided non-unique emails are the way to go.
8) For this you have to understand the purpose of OpenID. I won't go into details again. In short, YOU as a USER shouldn't be typing / managing passwords on 100 websites because you use 100 websites... you shouldn't be reusing your password 100 times over either. That's where OpenID comes into the picture: decentralization of authentication. If you sign in via, say, Twitter... you don't need to, and in fact you shouldn't, manage a password on 'a3m', meaning a3m will take it that you are YOU (basically that's authentication) because Twitter says so (OpenID). That relieves you, the user, of the need to create / reuse a password! = better usability and increased security.
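The "at least one way to sign in" rule from point 5, written out as an added example (this is not A3M's own code); the class, the method names and the `$hasNativeAccount` flag are assumptions for illustration:

```php
<?php
// Added example, not part of A3M. Encodes the rule that a user may unlink a
// third-party identity only if another way to sign in remains: either a
// second linked provider, or a native a3m username/password account.
class LinkedAccountPolicy
{
    /**
     * May the given provider be unlinked without locking the user out?
     *
     * @param bool     $hasNativeAccount user also has an a3m username/password (assumed flag)
     * @param string[] $linked           providers currently linked, e.g. ['twitter', 'facebook']
     * @param string   $provider         provider the user wants to remove
     */
    public static function canUnlink(bool $hasNativeAccount, array $linked, string $provider): bool
    {
        // Nothing to remove if the provider is not linked in the first place.
        if (!in_array($provider, $linked, true)) {
            return false;
        }
        // A native account is itself a sign-in method, so every link may go.
        if ($hasNativeAccount) {
            return true;
        }
        // Otherwise the last remaining link must stay.
        return count($linked) > 1;
    }

    /**
     * Providers for which the "Remove" button should be rendered on the
     * linked accounts screen.
     *
     * @return string[]
     */
    public static function removableProviders(bool $hasNativeAccount, array $linked): array
    {
        return array_values(array_filter($linked, function (string $p) use ($hasNativeAccount, $linked) {
            return self::canUnlink($hasNativeAccount, $linked, $p);
        }));
    }
}

// Constructed sample states: a Twitter-only user without a password, the same
// user after setting a native password, and a user with two providers linked.
var_dump(LinkedAccountPolicy::removableProviders(false, ['twitter']));
var_dump(LinkedAccountPolicy::removableProviders(true,  ['twitter']));
var_dump(LinkedAccountPolicy::removableProviders(false, ['twitter', 'facebook']));
```

The same check belongs server-side in the unlink handler, not only in the view that decides whether to draw the button, since a request can be sent without the button.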

[eluser]lsemel[/eluser]
Peng, thanks for the quick reply! Thanks for adding the events, that would be really useful. I was about to add that myself, actually, because I need to hook into them on my project.

Unique emails: Having a 1-1 correspondence between emails and accounts, rather than 1-many, is useful in many situations. Here are some use cases:
1) If you ever want to let people enter "Email address or username" to sign in as some sites do.
2) If you are doing something like sucking in people's address book to add those people as friends, it helps if each email corresponds to either zero or one accounts, and not more (otherwise which account do you add as the friend?). Facebook and Twitter probably require unique emails for this reason, and neither forces email verification.
3) On LinkedIn, they require unique emails because they sometimes ask for email addresses to verify you know the person when adding them as a connection.

As far as someone registering with your email, I think that's something users will complain about if it happens, and then the site owner can deal with it on a case by case basis. I don't think it's likely to happen very often.

Even though OpenID saves you from having multiple passwords, it might be a good idea to offer users a "Create A Password on This Site" link instead of "Change Password". Let's say someone first signs in via Facebook, but then later decides they don't want us to have access to their Facebook account anymore but still wants to use the site.

[eluser]lsemel[/eluser]
Regarding #3 in my previous message, authentication failing. Here's what's in the error logs when I try to log into Yahoo:

[Sun Apr 11 01:44:07 2010] [error] [client 127.0.0.1] Successfully fetched 'http://www.yahoo.com/': GET response code 200, referer: http://local.dev.a3m.com/account/sign_in
[Sun Apr 11 01:44:07 2010] [error] [client 127.0.0.1] Successfully fetched 'http://open.login.yahooapis.com/openid20/www.yahoo.com/xrds': GET response code 200, referer: http://local.dev.a3m.com/account/sign_in
[Sun Apr 11 01:44:10 2010] [error] [client 127.0.0.1] Successfully fetched 'https://open.login.yahooapis.com/openid/op/auth': POST response code 200, referer: http://local.dev.a3m.com/account/sign_in
bc math warning: non-zero scale in exponent
bc math warning: non-zero scale in base
bc math warning: non-zero scale in exponent
[Sun Apr 11 01:44:16 2010] [error] [client 127.0.0.1] Successfully fetched 'https://me.yahoo.com/a/___bleeping_out_the_code_________': GET response code 200
[Sun Apr 11 01:44:16 2010] [error] [client 127.0.0.1] Successfully fetched 'https://open.login.yahooapis.com/openid20/user_profile/xrds': GET response code 200
[Sun Apr 11 01:44:16 2010] [error] [client 127.0.0.1] Successfully fetched 'https://open.login.yahooapis.com/openid/op/auth': POST response code 200

[eluser]Peng Kong[/eluser]
[quote author="lsemel" date="1270982275"]Peng, thanks for the quick reply! Thanks for adding the events, that would be really useful. I was about to add that myself, actually, because I need to hook into them on my project.

Unique emails: Having a 1-1 correspondence between emails and accounts, rather than 1-many, is useful in many situations. Here are some use cases:
1) If you ever want to let people enter "Email address or username" to sign in as some sites do.
2) If you are doing something like sucking in people's address book to add those people as friends, it helps if each email corresponds to either zero or one accounts, and not more (otherwise which account do you add as the friend?). Facebook and Twitter probably require unique emails for this reason, and neither forces email verification.
3) On LinkedIn, they require unique emails because they sometimes ask for email addresses to verify you know the person when adding them as a connection.

As far as someone registering with your email, I think that's something users will complain about if it happens, and then the site owner can deal with it on a case by case basis. I don't think it's likely to happen very often.

Even though OpenID saves you from having multiple passwords, it might be a good idea to offer users a "Create A Password on This Site" link instead of "Change Password". Let's say someone first signs in via Facebook, but then later decides they don't want us to have access to their Facebook account anymore but still wants to use the site.[/quote]

Yep, I agree with most of your points. (Though I think FB does require the email to be verified before you can start using it.) I'll look into unique emails. However, feel free to run ahead with this as a base and re-purpose it.

[eluser]lsemel[/eluser]
How hard would it be to also add LinkedIn as a sign-in option? It offers an OAuth API: http://developer.linkedin.com/docs/DOC-1008

[eluser]Peng Kong[/eluser]
Should be easy and similar to Twitter.
