Guidance on flow for Openid registration form
I want to use OpenId for my site login, but for registration my site needs additional information (username and email address among other things) that does not always come back from the OpenId provider. As I see it, I have two main options:
(1) Up front, ask for OpenId url, redirect and validate through OpenId provider and then return to my site and enter additional information. This allows me to pre-populate second form should the information be returned from the OpenId provider which is a plus, but negatives include where to store the identifier returned by provider** and having a multi-stage registration process which can be off-putting.
(2) A single form which displays all information that I need including OpenId provider Url. On submit, save the information in the db, redirect to OpenId, validate and on return from provider, update db record to include identifier. This is simpler but means that I never use any extra information returned by the OpenId provider as the form is filled out prior to authentication.
I am really just after some ideas/thoughts as to the best approach? I am using DotNetOpenAuth with ASP.NET MVC 3 if this makes any difference.
** This is secret so cannot be sent to client, so must be saved on server. Cannot put in registration database table because I do not have any of the other not null fields at this stage. Not permitted to use session, so where do I put it?
Get the best of both worlds!
Check out this sample, which demonstrates having just one form that takes both OpenID and email address (and you can imagine an arbitrary number of other fields). After typing in the identifier (first), your site immediately begins the OpenID discovery process in the background while the user is typing more of his details. For a new user, this will likely not result in a full login with details, so the user clicks a button to proceed with authentication, which when complete will fill in the details that the OP provides automatically. The user can then change them if desired and finally click the "Create account now" button.
I'm going through this myself, and I've chosen to go with option (1) -- do the OpenId dance, get whatever fields are available from the provider, and then ask the user to fill in the blanks.
Yes, it's multiple steps, but I think that overall it's less work for the user; they don't need to type in information that their OpenId provider may be able to supply.
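One way to hold the identifier between the two steps of option (1) without session state and without sending it to the browser, shown as an added example that is not part of the original posts or of DotNetOpenAuth. The class name `PendingRegistrationStore` and its methods are hypothetical, and the in-memory dictionary stands in for a small "pending registration" table kept separate from the main registration table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not a DotNetOpenAuth type): keeps the verified claimed
// identifier on the server between the OpenID return and the final form post.
// A real deployment would use a database table and purge expired rows.
public sealed class PendingRegistrationStore
{
    private sealed class Entry { public string ClaimedIdentifier; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Entry> pending =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan lifetime;

    public PendingRegistrationStore(TimeSpan lifetime) { this.lifetime = lifetime; }

    // Call only after the provider's positive assertion has been verified.
    // Returns an opaque random token for a hidden field on the second form.
    public string Issue(string claimedIdentifier)
    {
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(raw); }
        string token = Convert.ToBase64String(raw)
            .Replace('+', '-').Replace('/', '_').TrimEnd('=');
        pending[Hash(token)] = new Entry {
            ClaimedIdentifier = claimedIdentifier,
            ExpiresUtc = DateTime.UtcNow + lifetime
        };
        return token;
    }

    // Call when the completed form is posted. Single use: the entry is removed
    // even if it has expired, so a captured token cannot be replayed.
    public bool TryRedeem(string token, out string claimedIdentifier)
    {
        claimedIdentifier = null;
        Entry entry;
        if (string.IsNullOrEmpty(token) || !pending.TryRemove(Hash(token), out entry)) return false;
        if (entry.ExpiresUtc < DateTime.UtcNow) return false;
        claimedIdentifier = entry.ClaimedIdentifier;
        return true;
    }

    // Only the SHA-256 of the token is stored, so a leaked row is not a usable token.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

The browser only ever sees the random token, and the account row is created in one insert once `TryRedeem` returns the identifier alongside the posted form fields.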