Single Sign On Feature

[Alexander Obuhovich]

I've found this nice website http://hybridauth.sourceforge.net/index.html that provides PHP library, that allows to use single API to get authenticated through most popular websites.

--
Best Regards,

http://www.in-portal.com
http://www.alex-time.com

[Dmitry Andrejev]

Wow, I find it pretty cool and useful.

Alex, how you came across such a cool project?

DA

--

Best regards,

Dmitry A.

[Phil]

very interesting and useful indeed !

Let me dream for a while... could this become part of future community management, for example in community admin panel, 2 new fields:

- use Hybridauth : yes/no

- store in user's db the following data : [selectable list of values: name, email, photo, dob...]

:)

-- 

Phil

Envoyé avec Sparrow

[Alexander Obuhovich]

Just browsing the Internet and clicking some banners as usual :)

[Alexander Obuhovich]

Here are more info on how it's done from programming viewpoint from http://hybridauth.sourceforge.net/userguide/Integrating_HybridAuth_SignIn.html page:

1. If not connected yet, Hybrid_Auth::authenticate() will redirect the user to the HybridAuth endpoint 
2. HybridAuth endpoint will redirect the user to twitter for authentication 
3. IF the user grant access to your site, then Twitter will call back HybridAuth endpoint 
4. HybridAuth endpoint will ask twitter for a temporary authorization in order for your application to access the twitter api and the user private resources (eg. profile, contact lists, photos) 
5. Finally, we redirect the user a one last time to the original page where he come from 

[Phil]

then if I've understood well, if user is already connected (to twitter, facebook...), then he directly see step3, where i'll grant access to in-portal, and immediately after that user will be connected to inportal, and his profile have been created, right?

What about password field in in-portal user's record? Will it stay empty?

Envoyé avec Sparrow

[Alexander Obuhovich]

HybridAuth doesn't do all that user creation and logging-in on our site. It only does login to that provider website and given you (as programmer) the info to act on.

If user will always use "Login using Facebook" button instead of In-Portal login form, then no need for password, but I think we need to generate password and send it to user once it is created automatically based on Facebook login data, so he can login using traditional login form too.

For example if I see "Login using Google" button on login form it's first thing I try, since I'm already logged-in to google anyway and I only need to authorize an app once to make it work.

-------

I've found one things about HybridAuth that makes me unhappy (and I reported it to them already): when you click "Deny" button on facebook login page, then user is returned to HybridAuth EndPoint url and sees PHP Exception instead of nice website message.

[Alexander Obuhovich]

Sorry I looked into wrong place in my application code. Error is returned to my application, but I don't handle it correctly.

[Phil]

good news :)

Even if I think that 90% of needs will be to connect with FB, it's always good to have as much options as possible.

May we can set in admin which info to retrieve, once access is granted? i.e. primary photo, username, email, phone... And fill user's record with this. About password, I suggest we won't set any, and if user wants to login using his own password, then by clicking on password lost, he'll receive a new generated one. and may we could rename the label "create a new password" :)

Envoyé avec Sparrow

[Alexander Obuhovich]

I think if user clicked on "Login using Facebook" once, then he will do this again instead of using regular login form.

[Phil]

yes, but we still need to retrieve user info, otherwise giving member access to people whom we don't know is equal to give full access to non-logged visitors :)

Envoyé avec Sparrow

[Alexander Obuhovich]

Of course we will retrieve info from Facebook at time of first user login and create user in our system. On next Facebook logins we just match Facebook user with one we already created last time. If no user matched then create and so on.

I guess it makes sense to create already approved users in In-Portal based on Facebook user info, since they won't be able to login otherwise. And we already can presume that user e-mail given by Facebook is verified,

[Phil]

it make senses that user with facebook are indeed verified, as well as other types of social networks too.

About next time login, can't we keep a cookie, and avoid user the need to click again on a button? In my idea, the goal is to ease as possible user's experience: first time login via HybridAuth, next time, no need to login, as it happens on facebook itself.

Envoyé avec Sparrow

[Alexander Obuhovich]

We can auto-login user to website (if not already logged-in) when he visits website and is logged-in to Facebook already.

I'm not sure if Google/Twitter/LinkedIn has such JavaScript API too.

[Phil]

I think this auto-login feature is of main interest: the less login needed, the more interaction will occur.

Envoyé avec Sparrow