Best practices for verifying the email address?


Dobes Vandermeer

Jul 29, 2009, 12:10:37 AM
to RPX Developers
Just wondering what the best practice is around ensuring that after
all is said and done I have a validated email address for the user
signing in or signing up. Currently in our system email addresses are
used to identify the user when granting shared access to resources so
it is important that we validate that the email address matches.
Currently the user signs up and receives a verification email that
allows them to activate their account.

With RPX they might sign in through OpenID or Google ID and sometimes
these services verify the email address for us (like Google) and
sometimes they don't (like OpenID).

An idea that occurs to me is to put the RPX UI on both the sign up and
log in pages and if they try to sign in with an OpenID we don't
recognize, send them to the sign-up page where we ask them to fill in
our "usual" sign-up information like name, email, and "how did you
find us", except instead of asking for a new password we'd display
their OpenID. Each time we would also send a verification email to
activate their OpenID, unless we were confident that the OpenID
provided gave a pre-verified email (like with Google) in which case we
could directly sign them in.

What approaches have others taken to this problem?

Any tips appreciated ... thanks!



Brian Ellin

Jul 29, 2009, 2:11:21 PM
to rpx-dev...@googlegroups.com
Dobes,

Sounds like a good strategy. You should be aware of the verifiedEmail
field in the auth_info API response. This field isn't always present,
but if it is there, you can trust that the email address provided in
that field has been verified to belong to the user who is signing in.
Google, Yahoo both provide verified email addresses. Other providers
let the user send whatever email they want without actually confirming
it, acting mainly as a form-filler. Unverified emails are available
from many providers and are placed in the "email" field of the
auth_info response.

So, for both sign-in and register, let them authenticate using RPX and
then if a verifiedEmail address is found you can use that without
sending them the confirmation email. If a non-verified email is
found, take care to send them a confirmation email to verify that they
do indeed own that address.

Cheers,
Brian Ellin
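The decision rule Brian describes, written out as an added example (this is not code from the thread, from RPX, or from either poster). It assumes the auth_info response nests `identifier`, `verifiedEmail` and `email` under a `profile` object, and that the application keeps a lookup of already-confirmed addresses to account ids; the sample responses and the `ACCOUNTS` table are constructed. The second function covers the concern from the original question: an address that only came from a form-filler provider is never used to match an existing account until the confirmation mail has been answered.

```python
import re
from typing import Dict, Optional

# Rough shape check only (not full RFC 5322); it just rejects obviously malformed input.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_email(auth_info: dict) -> Dict[str, Optional[str]]:
    """Return {'identifier', 'email', 'status'} for one auth_info response.

    status: 'verified'   -> address came from verifiedEmail, usable without a mail
            'unverified' -> address came from the plain 'email' field, confirm first
            'none'       -> no usable address, ask the user for one and confirm it
    Field nesting under 'profile' is an assumption for this example.
    """
    if auth_info.get("stat") != "ok":
        raise ValueError("auth_info did not succeed: %r" % auth_info.get("err"))
    profile = auth_info.get("profile") or {}
    identifier = profile.get("identifier")
    if not identifier:
        raise ValueError("auth_info profile has no identifier")

    verified = profile.get("verifiedEmail")
    if isinstance(verified, str) and _EMAIL_RE.match(verified):
        # The provider (e.g. Google, Yahoo) attests ownership of this address.
        return {"identifier": identifier, "email": verified.lower(), "status": "verified"}

    unverified = profile.get("email")
    if isinstance(unverified, str) and _EMAIL_RE.match(unverified):
        # Form-filler style providers pass through whatever the user typed.
        return {"identifier": identifier, "email": unverified.lower(), "status": "unverified"}

    return {"identifier": identifier, "email": None, "status": "none"}


def resolve_account(auth_info: dict, accounts: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Decide what to do with a sign-in without letting an unverified
    address be matched against somebody else's account.

    accounts: confirmed email -> account id (constructed lookup, an assumption).
    Returns {'action', 'account', 'email'}.
    """
    info = classify_email(auth_info)
    email = info["email"]
    existing = accounts.get(email) if email else None

    if info["status"] == "verified":
        # Safe to match by address: the provider vouched for it.
        return {"action": "sign_in" if existing else "register",
                "account": existing, "email": email}

    if info["status"] == "unverified":
        # Do not attach this login to any existing account yet; send the
        # confirmation mail and link only after the user proves ownership.
        return {"action": "confirm_email", "account": None, "email": email}

    return {"action": "collect_email", "account": None, "email": None}


# Constructed sample responses (not captured from RPX).
GOOGLE_RESPONSE = {
    "stat": "ok",
    "profile": {
        "identifier": "https://www.google.com/accounts/o8/id?id=EXAMPLE",
        "providerName": "Google",
        "verifiedEmail": "Alice@Example.com",
        "email": "Alice@Example.com",
    },
}
OPENID_RESPONSE = {
    "stat": "ok",
    "profile": {
        "identifier": "http://alice.example.net/",
        "providerName": "Other",
        # Typed into the provider's form; nobody has checked it.
        "email": "admin@example.com",
    },
}
BARE_RESPONSE = {"stat": "ok", "profile": {"identifier": "http://bob.example.net/"}}

# Constructed table of addresses this application has already confirmed.
ACCOUNTS = {"alice@example.com": "acct-1", "admin@example.com": "acct-2"}

if __name__ == "__main__":
    for name, resp in (("google", GOOGLE_RESPONSE), ("openid", OPENID_RESPONSE), ("bare", BARE_RESPONSE)):
        print(name, resolve_account(resp, ACCOUNTS))
```

Note that the OpenID sample claims `admin@example.com`, which does exist in `ACCOUNTS`; the resolver still returns `confirm_email` with no account attached, so the existing account is only reachable after the confirmation link is used.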