On Wed, Jul 12, 2017 at 4:16 PM, Greg Stark <stark@mit.edu> wrote:
On 12 July 2017 at 13:23, Magnus Hagander <magnus@hagander.net> wrote: > I've attached a screenshot of what the implementation looks like at this > point. Obviously, CSSing and things can always be improved.
The main point of this would be to not have a new password so I find it strange that there's still a password field at all. Maybe this is just the CSSing you describe if you styled it so there were two options, "log in with password" and "log in with Google" and they were
Eh yes, we still need the password field in order for people who do not *want* to use Google to log in to be able to still do so.
obviously two independent options. The other option with broad coverage would be Facebook, but for our community github is also tempting (Is OpenID still a thing?).
OpenID is not, OAuth 2 is.
Google, Github and Facebook all speak OAuth 2. I have working implementations for both Google and Github, so I'm sure it would be easy enough to make one for Facebook. I will see how much work it is to move that code over instead of using the Google javascript API that I did now. TBH, it's probably *easier* because it's not javascript :)
The big question though is whether to still require a community id at all. If we just let anyone log in via Google and create a placeholder account on demand if one doesn't exist then you shouldn't have to go through the "create an account" step at all. And you shouldn't have to remember a new userid at all.
The point of the create an account step would be if somebody has a pg account under something@somewhere.com and logs in using mygoogle@somewhere.com they should at least get a notification before we create the new account. But we should make doing that trivial, as in a pre-filled-out signup form with the info from google/whatever and just a "click here to confirm" box.
Normally we'd set the userid to the email address. Unfortunately, that breaks horribly broken and crappy software. Like mediawiki. For interop with software like that we do need to have a separate userid that is limited in allowed characters (such as not including the @ sign).