Transparent user registration after external authentication in Drupal
I'm working on a Drupal 6 module to provide OAuth-based user authentication and registration. I'm already using the OAuth module to authenticate as described on http://oauth.net/core/1.0a/#anchor9. The next step is to create the user account using information provided after authentication using a custom API of the Service Provider.
According to http://drupal.org/node/497612#comment-3047302, I should not use user_external_login_register() but see the OpenID module for how to properly login an external user.
After studying the OpenID module, here is what I plan to do:
- Try to load an existing user for an authname built from the custom API result using user_external_load().
- If a user exists, use user_external_login() to log the user in.
- If not, pretend the registration form has been submitted (like openid_authentication() does) to create a new user account. And redirect to a pre-filled form if any additional information is needed in order for the user to register.
Is this the right way to do it? Is there another module worth looking at for how to do this properly in addition to OpenID?
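The three-step plan above, sketched as an added example that is not part of the original post or of any Drupal module. It assumes Drupal 6 and follows the shape of openid_authentication(); the module name `mymodule`, the function name and the `$profile` keys are hypothetical.

```php
<?php
// Added example for Drupal 6. "mymodule" and the $profile keys are hypothetical;
// $profile is the Service Provider's custom API result after OAuth succeeded.
function mymodule_external_login(array $profile) {
  // Build the authname from the provider's stable user id, namespaced to this
  // provider. Never key it on an e-mail or display name the user can change.
  $authname = 'mymodule:' . $profile['id'];
  $account = user_external_load($authname);
  if (isset($account->uid)) {
    // Same guard as openid_authentication(): with e-mail verification on,
    // refuse an account that has never completed a login.
    if (variable_get('user_email_verification', TRUE) && !$account->login) {
      drupal_set_message(t('You must validate your e-mail address before logging in.'), 'error');
      return FALSE;
    }
    // Returns FALSE if the account is blocked or denied by access rules.
    return user_external_login($account);
  }

  // No mapping yet: only register if the site allows visitor registration.
  if (!variable_get('user_register', 1)) {
    drupal_set_message(t('Only site administrators can create new user accounts.'), 'error');
    return FALSE;
  }

  $form_state = array('redirect' => NULL);
  $form_state['values'] = array(
    'name' => empty($profile['nickname']) ? $authname : $profile['nickname'],
    'mail' => empty($profile['email']) ? '' : $profile['email'],
    'pass' => user_password(),
    // 1 = no approval needed; 2 = administrator approval, so start blocked.
    'status' => variable_get('user_register', 1) == 1,
    // user_save() turns an auth_<module> key into an {authmap} row.
    'auth_mymodule' => $authname,
  );

  // Run the normal registration validators (duplicate name/mail, access rules).
  $form = drupal_retrieve_form('user_register', $form_state);
  drupal_prepare_form('user_register', $form, $form_state);
  drupal_validate_form('user_register', $form, $form_state);
  if (form_get_errors()) {
    // Keep the values for a pre-filled user/register (read in a hook_form_alter).
    $_SESSION['mymodule']['values'] = $form_state['values'];
    drupal_goto('user/register');
  }
  $account = user_save('', $form_state['values']);
  return $account ? user_external_login($account) : FALSE;
}
```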
You could have a look at the former Drupal module. That module did two entirely different things (hooray for the architecture :)):
- It published information to a central "who runs Drupal" directory (and offered a page to show such a directory yourself!).
- It allowed login with credentials from other Drupal sites.
The latter is what you are looking for. Note that the module was discontinued, not because the method for logging in was done wrong, but because the DrupalID mechanism itself is flawed. It has been replaced with openID and oauth.
http://drupalcode.org/viewvc/drupal/drupal/modules/drupal/drupal.module?hideattic=0&view=markup
The hooks and methods you would be looking for (in that order) are:
- drupal_form_alter -- Adds validate-callback to the login forms.
- drupal_form_user_login_alter -- Adds information about alternative login on login form.
- drupal_distributed_validate -- Validation callback: calls drupal_auth to see if the user is valid. If so, calls user_external_login_register.
- drupal_auth -- Helper for validation callback: determines if the credentials are valid.
All other functions are either helper functions for these, or provide that directory-feature, or allow remote sites to authenticate against our database. Neither of which you will be using.