Re: Google signin

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Greg Stark <stark(at)mit(dot)edu>
Cc: PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: Google signin
Date: 2017-07-12 14:31:51
Message-ID: CABUevEyEhwz1_223AHkbU6Rbyp+a+zuFbU-daMDOe3tnha7wmw@mail.gmail.com
Lists: pgsql-www

On Wed, Jul 12, 2017 at 4:16 PM, Greg Stark <stark(at)mit(dot)edu> wrote:

> On 12 July 2017 at 13:23, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> > I've attached a screenshot of what the implementation looks like at this
> > point. Obviously, CSSing and things can always be improved.
>
> The main point of this would be to not have a new password so I find
> it strange that there's still a password field at all. Maybe this is
> just the CSSing you describe if you styled it so there were two
> options, "log in with password" and "log in with Google" and they were
>

Eh yes, we still need the password field in order for people who do not
*want* to use Google to log in to be able to still do so.

> obviously two independent options. The other option with broad
> coverage would be Facebook, but for our community GitHub is also
> tempting (Is OpenID still a thing?).

OpenID is not, OAuth 2 is.

Google, GitHub and Facebook all speak OAuth 2. I have working
implementations for both Google and GitHub, so I'm sure it would be easy
enough to make one for Facebook. I will see how much work it is to move
that code over instead of using the Google JavaScript API that I did now.
TBH, it's probably *easier* because it's not JavaScript :)

> The big question though is whether to still require a community id at
> all. If we just let anyone log in via Google and create a placeholder
> account on demand if one doesn't exist then you shouldn't have to go
> through the "create an account" step at all. And you shouldn't have to
> remember a new userid at all.
>

The point of the create an account step would be if somebody has a pg
account under something(at)somewhere(dot)com and logs in using
mygoogle(at)somewhere(dot)com they should at least get a notification before we
create the new account. But we should make doing that trivial, as in a
pre-filled-out signup form with the info from Google/whatever and just a
"click here to confirm" box.

Normally we'd set the userid to the email address. Unfortunately, that
breaks horribly broken and crappy software. Like MediaWiki. For interop
with software like that we do need to have a separate userid that is
limited in allowed characters (such as not including the @ sign).

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
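
The flow described in the last two paragraphs of the message above, as an added example that is not part of the original email or of the postgresql.org code: an OAuth login with a known address logs in, an unknown address yields a pre-filled signup form to confirm rather than a silently created account. The function names, the in-memory account table and the exact allowed character set are assumptions; the message only says the userid set is limited and excludes the @ sign.

```python
import re
from dataclasses import dataclass

# Assumed userid policy: lowercase ASCII letters, digits, '_' and '-'.
# The message only states that the set is limited and excludes '@'.
USERID_RE = re.compile(r"^[a-z0-9_-]{1,30}$")


@dataclass
class Decision:
    action: str   # "login" or "confirm_signup"
    userid: str   # existing userid, or the suggestion shown in the form
    email: str    # normalized address reported by the OAuth provider


def suggest_userid(email, taken):
    """Derive a userid from the email's local part that fits the restricted set."""
    local = email.split("@", 1)[0].lower()
    # Drop every character outside the assumed set; keep room for a numeric suffix.
    base = re.sub(r"[^a-z0-9_-]", "", local)[:26] or "user"
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def handle_oauth_login(profile, accounts):
    """Decide what to do with a provider profile.

    accounts maps lowercase email -> userid (constructed stand-in for the
    community account table).
    """
    email = profile["email"].strip().lower()
    if email in accounts:
        return Decision("login", accounts[email], email)
    # Unknown address: the person may already have an account under another
    # address, so never create one silently; return a form to confirm instead.
    suggestion = suggest_userid(email, set(accounts.values()))
    return Decision("confirm_signup", suggestion, email)


if __name__ == "__main__":
    # Constructed sample data mirroring the scenario in the message.
    table = {"something@somewhere.com": "something"}
    print(handle_oauth_login({"email": "mygoogle@somewhere.com"}, table))
    print(handle_oauth_login({"email": "Something@Somewhere.com"}, table))
```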
