[Snowy] OpenID, user names, and registration (oh my!)



Hey folks,

I'm currently working on merging Leon's OpenID login branch [0], and
we've run into a couple of issues that seem to warrant discussion:

* Do we need unique user names?
* Do we care about having completely human-readable URLs?
* How can we make new user registration via OpenID as simple as possible?


== Long Explanation of New OpenID Registration/Login Process ==

First, let me briefly explain the new registration/login process in
Leon's branch:

1) User visits (for example) mysnowy.com
2) User clicks "Log in" link
3) User is presented with a page that lets you either:
    a) "Log in with your OpenID" by providing a URL
    b) "Use one of the following services" by clicking on a big
branded button (only Google is supported at this time)
    c) "Log in the old way", by providing a user name and password
4) Assuming user chooses (a) or (b) in step (3), user is redirected to
OpenID provider's authorization page and prompted to authorize
mysnowy.com
5) After authorizing mysnowy.com, user is returned to mysnowy.com
    a) If the user already has an account, they are now logged in
    b) If the user does not yet have an account, they are prompted for
a display name and an email address, and then they are logged in

In practice, cookies and pre-authorization on repeat visits make steps
3 and 4 disappear for existing users.

Note that in step (5)(b), the user is never prompted for a proper user
name.  Currently, user names like "openiduser1" are generated.  But
remember that we do require a display name.  So the *only* place where
a user will see the generated user name is in the URL.  Whereas before
they might have http://mysnowy.com/sandy/notes , now they might have
http://mysnowy.com/openiduser54321/notes .


== Do We Need Unique User Names? ==

If we already have display names, which are the names shown everywhere
in the UI, then are unique user names necessary?  We could just refer
to unique users by their internal user ID, and use that in URLs.  What
do we lose if we do that?

* Our URLs become less human-readable, which could be irritating when
searching web or URL bar history
* We have no human-readable unique name for our users.  Two users
could pick the display name of "John Thomas", and then one day you
might get a sharing request from "John Thomas" and not know who is
meant.  "John Thomas (jthom)" might be more useful?  This isn't a
problem for Facebook, but they collect a lot of information that makes
it possible to verify a stranger's identity.
* If we ever have a feature (in Tomboy or Snowy, whatever) where
typing in a unique user name is necessary, numbers are much more of a
pain
* Reading JSON responses becomes more tedious for developers

I don't know if it's less work to have unique user names now, or to
allow them as a future option.

Below, I'll discuss ideas for making the process of picking a unique
user name less of a registration hurdle.


== Possible Solutions For Rapid Registration ==

(heh, I originally typed "Rabid" there)

When the user comes back from authorizing their OpenID, we do need
some information from them:

* Email address
* Some human-readable name for them, unique or otherwise

We could potentially ask for other (optional) information, but the two
items above are all that we absolutely need (although the question of
whether or not we really require an email address is perhaps worthy of
a separate discussion).

But I propose we ask for three things, because I think a unique
human-readable user name is important:

* Email address (can be mined from some OpenID providers)
* Display name (for example, "John Smith", can be mined from some
OpenID providers)
* Unique user name (initially generated from one of the above values)

If the email address and display name can be mined from the OpenID,
all that's left before a user is done registering is a unique user
name.  This could be initially generated from everything before "@" in
the email address, or from the display name, or something.  Interested
users could modify it, others could just ignore it and use the
generated value.

Then in theory, with a good OpenID provider, registration could
require no user input at all.  But users who care could take the time
to customize these bits.


== That's It ==

What do people think about this?  I'd like to at least have a rough
decision in mind before merging in Leon's branch.  We can iterate on
this in the future, of course, but I don't want to do too much churn
on user registration and unique user identifiers if I can avoid it.

Sandy

[0] http://github.com/leonbrussels/snowy/commits/master
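
The user name suggestion described under "Possible Solutions For Rapid Registration", as an added example that is not part of the original message or of the Snowy code base. It treats the email address and display name returned by the OpenID provider as untrusted input, since the result becomes a URL path segment. The names `suggest_username`, `is_taken`, `RESERVED` and `MAX_LEN` and their values are assumptions.

```python
import re
import unicodedata

# Assumed route names: the user name is the first path segment
# (e.g. /sandy/notes), so it must never shadow a site URL.
RESERVED = {"admin", "accounts", "api", "login", "logout", "static", "openid"}
MAX_LEN = 30  # assumed length limit of the user name column


def slugify(value):
    """Reduce provider-supplied text to lowercase [a-z0-9-]."""
    # NFKD splits accented letters into base letter + combining mark; the
    # ASCII step then drops the marks and any letters from other scripts,
    # so visually confusable non-ASCII names cannot be registered.
    ascii_text = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode("ascii")
    slug = re.sub(r"[^a-z0-9]+", "-", ascii_text.lower()).strip("-")
    return slug[:MAX_LEN].strip("-")


def suggest_username(email, display_name, is_taken):
    """Return a unique, URL-safe user name to pre-fill in the form.

    is_taken is a hypothetical callable(name) -> bool standing in for
    the database lookup.
    """
    # Prefer everything before "@", then fall back to the display name.
    candidates = [email.partition("@")[0] if email else "", display_name or ""]
    base = next((s for s in map(slugify, candidates) if s), "user")
    name, n = base, 1
    # All-digit names are skipped so they cannot be mistaken for an
    # internal numeric user ID if those are ever accepted in URLs.
    while name in RESERVED or name.isdigit() or is_taken(name):
        n += 1
        suffix = "-%d" % n
        name = base[:MAX_LEN - len(suffix)] + suffix
    return name
```

The same function should validate a user-edited value on submit: accept it only if `slugify(value) == value` and it passes the reserved and uniqueness checks.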

