The new mobile platform registration flow not working as expected
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | Medium | Ricardo Kirkner | 11.08.03
Bug Description
Current platform='desktop' (and default) registration flow (as of Jul 21st, 2011, this works on production):
1. call api.register() - account is created
2. call api.authenticate() and get OAuth tokens
3. tell the user to check email and use the token to validate email
4. in the meantime (after step 2.), you can call api.me() (OAuth signed) to verify if the email has been validated
New platform='mobile' registration flow:
1. call api.register()
// You can't call api.authenticate() yet, because the account does not exist yet
// If you try api.authenticate() you will get HTTP 401 Unauthorized
2. tell user to check mail and use the token or (preferably on mobile platforms) the link to... continue
( I will now only consider using the link )
3. after clicking the link, SSO in browser shows up, telling "Your account is ready to be created." with a "Continue" button
4. after clicking the Continue button, the account is created (it was not a validation, it was account *creation and validation*) and the browser redirects to wherever the api.register() call indicated
5. application gets called back and can safely call api.authenticate() to get OAuth tokens
Note that you cannot call api.me(), which is OAuth signed, in the platform='mobile' flow, because you don't have the tokens. So if we start up the registration wizard with a known username, we can't tell whether the user should attempt to log in (exactly: he/she could have used the link on the desktop, contrary to how we asked for it to be used) or whether the user should be told "you have not yet validated your email" (which currently would be "You have not yet created your account, please check your mail").
Expected behaviour:
1. call api.register() - the account is created now, just like for platform='desktop'
2. call api.authenticate() and get tokens (so that we can tell the user by means of api.me() call, "You have not yet validated, check your mail")
3. tell user to check mail and *validate* it (and validate only - the account has already been created like in platform='desktop' flow)
4. the email contains a link that once clicked opens the browser and either
4a. automatically redirects to the api.register() provided redirect_to_url (this is what Zac and I had in mind)
4b. tells "Your account is ready to be ~validated~" and the Continue button redirects to api.register() provided redirect_to_url
What we gain: the flow is the same as for desktop; the only difference is that confirming the email is not pasting the token anywhere, but simply clicking the validation link. Also, we can verify on the client side (OAuth signed api.me()) whether the email has been validated.
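The two flows described above, modelled as an added Python example (this is not code from the bug report or from the canonical-identity-provider project): a toy in-memory SSO with the hypothetical methods register/authenticate/me/click_link, plus a client-side wizard_status() that shows what a client can and cannot learn in each flow. In the desktop flow the account exists immediately, so the client gets OAuth tokens and can read the email_validated flag; in the mobile flow authenticate() returns 401 until the link is used, so the client cannot distinguish "not created yet" from any other login failure. All names, tokens and e-mail addresses are constructed for the example.

```python
"""Toy model of the desktop and mobile SSO registration flows (constructed example)."""
import secrets
from dataclasses import dataclass


class Unauthorized(Exception):
    """Stands in for an HTTP 401 response from the toy SSO."""


@dataclass
class Account:
    email: str
    password: str
    email_validated: bool = False


class ToySSO:
    """In-memory stand-in for the SSO provider; not the real API."""

    def __init__(self):
        self.accounts = {}   # email -> Account
        self.pending = {}    # mail token -> (email, password, platform, redirect_to_url)
        self.oauth = {}      # oauth token -> email

    def register(self, email, password, platform="desktop", redirect_to_url=None):
        # In reality the token is mailed to the user; here it is returned so the
        # example can simulate clicking the link.
        token = secrets.token_hex(8)
        if platform == "desktop":
            # Desktop flow: account is created right away, validation comes later.
            self.accounts[email] = Account(email, password)
        # Mobile flow: nothing is created until the link is used.
        self.pending[token] = (email, password, platform, redirect_to_url)
        return token

    def authenticate(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            raise Unauthorized("HTTP 401 Unauthorized")
        tok = secrets.token_hex(8)
        self.oauth[tok] = email
        return tok

    def me(self, oauth_token):
        email = self.oauth.get(oauth_token)
        if email is None:
            raise Unauthorized("HTTP 401 Unauthorized")
        acct = self.accounts[email]
        return {"email": acct.email, "email_validated": acct.email_validated}

    def click_link(self, token):
        """Simulates the user opening the mailed link and pressing Continue."""
        email, password, platform, redirect_to_url = self.pending.pop(token)
        if platform == "mobile":
            # Mobile flow: this step is account *creation and validation*.
            self.accounts[email] = Account(email, password)
        self.accounts[email].email_validated = True
        return redirect_to_url


def wizard_status(sso, email, password):
    """What a registration wizard can tell the user for a known username.

    Returns "validated", "check-your-mail", or "unknown" (401: the account may
    not exist yet, or the credentials may simply be wrong; the client cannot tell).
    """
    try:
        tok = sso.authenticate(email, password)
    except Unauthorized:
        return "unknown"
    return "validated" if sso.me(tok)["email_validated"] else "check-your-mail"


if __name__ == "__main__":
    desktop = ToySSO()
    t = desktop.register("alice@example.com", "pw", platform="desktop")
    print("desktop before link:", wizard_status(desktop, "alice@example.com", "pw"))
    desktop.click_link(t)
    print("desktop after link: ", wizard_status(desktop, "alice@example.com", "pw"))

    mobile = ToySSO()
    t = mobile.register("bob@example.com", "pw", platform="mobile",
                        redirect_to_url="myapp://registered")
    print("mobile before link: ", wizard_status(mobile, "bob@example.com", "pw"))
    print("redirect:", mobile.click_link(t))
    print("mobile after link:  ", wizard_status(mobile, "bob@example.com", "pw"))
```

The "unknown" result in the mobile branch is exactly the ambiguity the report complains about: a 401 from authenticate() carries no information about whether registration is still pending, so the wizard cannot choose between "please log in" and "check your mail" without the expected-behaviour change.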
Related branches
- Anthony Lenton (community): Approve
- Diff: 195 lines (+46/-27), 7 files modified
  - debian/changelog (+6/-0)
  - debian/control (+1/-0)
  - identityprovider/api10/handlers.py (+4/-10)
  - identityprovider/models/authtoken.py (+1/-1)
  - identityprovider/templates/ubuntu/email/mobile-newuser.txt (+15/-0)
  - identityprovider/tests/test_handlers.py (+18/-15)
  - identityprovider/tests/test_models_authtoken.py (+1/-1)
Changed in canonical-identity-provider:
- status: New → In Progress
- assignee: nobody → Ricardo Kirkner (ricardokirkner)
Changed in canonical-identity-provider:
- importance: Undecided → Medium
- tags: added: kb-defect sp-1
Changed in canonical-identity-provider:
- status: In Progress → Fix Committed
Changed in canonical-identity-provider:
- milestone: none → 11.08.03
Changed in canonical-identity-provider:
- status: Fix Committed → Fix Released
Related code: http://bazaar.launchpad.net/~canonical-isd-hackers/canonical-identity-provider/2.x-stable/view/head:/identityprovider/api10/handlers.py#L210