The new mobile platform registration flow not working as expected

Bug #814104 reported by Michał Karnicki
This bug affects 1 person
Affects: Canonical SSO provider
Status: Fix Released
Importance: Medium
Assigned to: Ricardo Kirkner

Bug Description

Current platform='desktop' (and default) registration flow (as of Jul 21st, 2011, this works on production):
1. call api.register() - account is created
2. call api.authenticate() and get OAuth tokens
3. tell the user to check email and use the token to validate email
4. in the meantime (after step 2), you can call api.me() (OAuth signed) to verify if the email has been validated

New platform='mobile' registration flow:
1. call api.register()
// You can't call api.authenticate() yet, because the account does not exist yet
// If you try api.authenticate() you will get HTTP 401 Unauthorized
2. tell user to check mail and use the token or (preferably on mobile platforms) the link to... continue
( I will now only consider using the link )
3. after clicking the link, SSO in browser shows up, telling "Your account is ready to be created." with a "Continue" button
4. after clicking the Continue button, the account is created (it was not validation, it was account *creation and validation*) and redirects to wherever the api.register() call indicated
5. application gets called back and can safely call api.authenticate() to get OAuth tokens

Note that you cannot call api.me(), which is OAuth signed, in the platform='mobile' flow, because you don't have the tokens. So if we start up the registration wizard with a known username, we can't tell whether the user should attempt to log in (exactly: he/she could have used the link on the desktop, contrary to how we asked for it to be used) or whether the user should be told "you have not yet validated your email" (which currently would be "You have not yet created your account, please check your mail").

Expected behaviour:
1. call api.register() - the account is created now, just like for platform='desktop'
2. call api.authenticate() and get tokens (so that we can tell the user by means of api.me() call, "You have not yet validated, check your mail")
3. tell user to check mail and *validate* it (and validate only - the account has already been created like in platform='desktop' flow)
4. the email contains a link that once clicked opens the browser and either
4a. automatically redirects to the api.register() provided redirect_to_url (this is what Zac and I had in mind)
4b. tells "Your account is ready to be ~validated~" and the Continue button redirects to api.register() provided redirect_to_url

What we gain: the flow is the same as for desktop; the only difference is that confirming the email is not pasting the token anywhere, but simply clicking the validation link. Also, we can verify on the client side (OAuth signed api.me()) if the email has been validated.
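The two flows the report contrasts, as an added in-memory model (not code from the bug report or from the SSO provider): platforms listed in `creating` get their account at register() and the emailed token only validates the email (the 'desktop' flow); any other platform gets the reported 'mobile' behaviour, where the token both creates and validates the account. All method names, response fields and credential formats below are assumptions made for the model.

```python
# Added illustration, not the SSO provider's code. Models the registration flows
# described in the bug: 'desktop' creates the account at register(), the reported
# 'mobile' flow creates it only when the email token is used. Names and fields are
# assumptions for the model.
import secrets

class Unauthorized(Exception):
    """Stands in for an HTTP 401 from api.authenticate()."""

class FakeSSO:
    def __init__(self, creating=('desktop',)):
        self.creating = creating          # platforms whose account exists before validation
        self.accounts = {}                # email -> {'password': str, 'validated': bool}
        self.email_tokens = {}            # token sent by email -> (email, password)
        self.sessions = {}                # OAuth key -> email

    def register(self, email, password, platform='desktop'):
        token = secrets.token_hex(8)      # what the user receives by email
        self.email_tokens[token] = (email, password)
        if platform in self.creating:     # account is created now, validation pending
            self.accounts[email] = {'password': password, 'validated': False}
        return token

    def authenticate(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct['password'] != password:
            raise Unauthorized()          # same 401 for 'no account yet' and bad password
        key = secrets.token_hex(8)
        self.sessions[key] = email
        return (key, secrets.token_hex(8))  # OAuth token and secret

    def me(self, creds):
        email = self.sessions[creds[0]]
        return {'email': email, 'email_validated': self.accounts[email]['validated']}

    def validate_email(self, token):
        email, password = self.email_tokens.pop(token)
        # desktop: marks the existing account validated; mobile: creates it as validated
        self.accounts[email] = {'password': password, 'validated': True}

def wizard_status(sso, email, password):
    """What a client-side registration wizard can learn about a known username."""
    try:
        creds = sso.authenticate(email, password)
    except Unauthorized:
        # No tokens, so api.me() cannot be called: the client cannot tell
        # 'account still pending creation' from 'wrong password'.
        return 'unknown'
    return 'validated' if sso.me(creds)['email_validated'] else 'needs_validation'
```

Constructing `FakeSSO(creating=('desktop', 'mobile'))` models the expected behaviour, where the wizard can report 'needs_validation' for a mobile registration instead of 'unknown'.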

Tags: sp-1 kb-defect

Zachery Bir (urbanape) wrote :

Looks like the account creation problems would be ameliorated in the short-term with this patch applied. This code should create accounts for any "software"- or "wizard"-driven SSO registration ("mobile" and "desktop"), leaving the account-less token for a human-guided flow ("web"). Also, until we can guide the user to a custom, local, app-specific URI scheme, we should just rely on the token to be entered into the app performing the registration. Right now, we don't have a reliable flow in mind to account for the (admittedly degenerate) edge-case wherein a user registers for an app on her mobile phone, but reads the confirmation email on another device (desktop computer, or other mobile phone), where the validation link would be meaningless (even providing a return-to URL for the SSO site's confirmation link). Our best bet at this time is to simply craft a better email message, surfacing the bare token, and instructing the user to copy/paste it into the app.

--- handlers.py 2011-07-21 11:13:50.000000000 -0400
+++ new_handlers.py 2011-07-21 11:15:02.000000000 -0400
@@ -57,7 +57,7 @@

 EMAIL_VALIDATION_TEMPLATES = {
     'web': 'newuser.txt',
- 'mobile': 'newuser.txt',
+ 'mobile': 'api-newuser.txt',
     'desktop': 'api-newuser.txt',
 }

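Review bot: with this change the 'mobile' and 'desktop' entries of EMAIL_VALIDATION_TEMPLATES are identical, and the same desktop/mobile pairing is written out again in the two `platform in ['desktop', 'mobile']` conditions later in this patch; consider deriving all three from one module-level constant (a tuple of platforms whose accounts are created at registration) so the template choice and the account-creation branches cannot drift apart. It is also worth confirming that the text of api-newuser.txt instructs the mobile user to paste the token into the app, since the comment above says the bare token, not a link, is the intended path for mobile.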
@@ -207,7 +207,7 @@
             cleaned_data['password'])
         displayname = cleaned_data['displayname']
         email = cleaned_data['email']
- if platform == 'desktop':
+ if platform in ['desktop', 'mobile']:
             account = Account.objects.create_account(
                 displayname, email,
                 encrypted_password, password_encrypted=True,
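Review bot: the guard `if platform in ['desktop', 'mobile']:` now decides whether `account` is bound at all, and the hunk at line 229 dereferences `account.openid_identifier` under a separately written copy of the same condition; if one list is edited without the other, the signal code raises NameError or sends for an account that was never created. Suggest a single tuple constant, e.g. `ACCOUNT_CREATING_PLATFORMS = ('desktop', 'mobile')`, used in both places and in the template map above. The else path is outside this hunk, so it is worth checking that an unrecognised platform string supplied by the client falls back to the token-only 'web' behaviour rather than creating nothing and giving no feedback.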
@@ -229,7 +229,7 @@
             template = EMAIL_VALIDATION_TEMPLATES.get('desktop')
         token.sendNewUserEmail(template=template)

- if platform == 'desktop':
+ if platform in ['desktop', 'mobile']:
             account_created.send(sender=self,
                                  openid_identifier=account.openid_identifier)

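Review bot: `account_created.send(...)` now fires for 'mobile' registrations at the same point as for 'desktop', i.e. before the emailed token has been used, so receivers of this signal must not treat the account as having a validated email; the bug description relies on api.me() to expose validation state, and that is what receivers should consult before granting anything that depends on a verified address. The `['desktop', 'mobile']` literal here is the second copy of the list introduced at line 207; replacing both with one constant keeps the signal and the creation branch in step.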
Changed in canonical-identity-provider:
status: New → In Progress
assignee: nobody → Ricardo Kirkner (ricardokirkner)
Changed in canonical-identity-provider:
importance: Undecided → Medium
tags: added: kb-defect sp-1
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Dave Morley (davmor2) wrote :

QA STEPS:
From the doctests, run the following API calls:

Basic account creation
Basic authorised access
Obtain a token

Then do the following calls (placeholders in angle brackets are the values obtained above; url is the SSO API root):
from oauth.oauth import OAuthToken
from lazr.restfulclient.authorize.oauth import OAuthAuthorizer
from lazr.restfulclient.resource import ServiceRoot
# <token> and <token_secret> come from "Obtain a token"; the consumer credentials are the app's own
oauth_token = OAuthToken(<token>, <token_secret>)
oauth_auth = OAuthAuthorizer(<consumer_key>, <consumer_secret>, oauth_token)
api = ServiceRoot(oauth_auth, url)
api.accounts.me()  # OAuth signed; shows whether the email has been validated
api.accounts.validate_email(email_token='<token_from_email>')

Log in to the account via the internet. Done!

Changed in canonical-identity-provider:
milestone: none → 11.08.03
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released