Canonical SSO provider

The new mobile platform registration flow not working as expected

Bug #814104 reported by Michał Karnicki on 2011-07-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Canonical SSO provider	Fix Released	Medium	Ricardo Kirkner	Canonical SSO provider 11.08.03

Bug Description

Current platform='desktop' (and default) registration flow: (as of Jul 21st, 2011, this works on production
1. call api.register() - account is created
2. call api.authenticate() and get OAuth tokens
3. tell the user to check email and use the token to validate email
4. in the mean time (after step 2.), you can all api.me() (OAuth signed) to verify if email has been validated

New platform='mobile' registration flow:
1. call api.register()
// You can't call api.authenticate() yet, because the account does not exist yet
// If you try api.authenticate() you will get HTTP 401 Unauthorized
2. tell user to check mail and use the token or (preferably on mobile platforms) the link to... continue
( I will now only consider using the link )
3. after clicking the link, SSO in browser shows up, telling "Your account is ready to be created." with a "Continue" button
4. after clicking the Continue button, the account is created (it was no validation, it was account *creation and validation*) and redirects to wherever the api.register() call indicated
5. application gets called back and can safely call api.authenticate() to get OAuth tokens

Note that you cannot call api.me() which is OAuth signed in the platform='mobile' flow, because you don't have the tokens. So if we startup the registration wizard with a known username, we can't tell if the user should attempt to log in (exactly, he/she could have used the link on the desktop contrary to how we asked for it to be used) or should the user be told "you have not yet validated your email" (which currently would be "You have not yet created your account, please check your mail")

Expected behaviour:
1. call api.register() - the account is created now, just like for platform='desktop'
2. call api.authenticate() and get tokens (so that we can tell the user by means of api.me() call, "You have not yet validated, check your mail")
3. tell user to check mail and *validate* it (and validate only - the account has already been created like in platform='desktop' flow)
4. the email contains a link that once clicked opens the browser and either
4a. automatically redirects to the api.register() provided redirect_to_url (this is what me and Zac had in mind)
4b. tells "Your account is ready to be ~validated~" and the Continue button redirects to api.register() provided redirect_to_url

What we gain: flow is same as for desktop, the only difference is that confirming the email is not pasting the token anywhere, but simply clicking the validation link. Also, we can verify on client side (OAuth signed api.me() ), if the email has been validated.

Tags:

Related branches

lp:~ricardokirkner/canonical-identity-provider/814104-mobile-api-fix

Merged into lp:~canonical-isd-hackers/canonical-identity-provider/stable at revision 117

Anthony Lenton (community): Approve on 2011-07-22

Revision history for this message

Michał Karnicki (karni) wrote on 2011-07-21:

Related code:
http://bazaar.launchpad.net/~canonical-isd-hackers/canonical-identity-provider/2.x-stable/view/head:/identityprovider/api10/handlers.py#L210

Revision history for this message

Zachery Bir (urbanape) wrote on 2011-07-21:

Looks like the account creation problems would be ameliorated in the short-term with this patch applied. This code should create accounts for any "software"- or "wizard"-driven SSO registration ("mobile" and "desktop"), leaving the account-less token for a human-guided flow ("web"). Also, until we can guide the user to a custom, local, app-specific URI scheme, we should just rely on the token to be entered into the app performing the registration. Right now, we don't have a reliable flow in mind to account for the (admittedly degenerate) edge-case wherein a user registers for an app on her mobile phone, but reads the confirmation email on another device (desktop computer, or other mobile phone), where the validation link would be meaningless (even providing a return-to URL for the SSO site's confirmation link). Our best bet at this time is to simply craft a better email message, surfacing the bare token, and instructing the user to copy/paste it into the app.

--- handlers.py 2011-07-21 11:13:50.000000000 -0400
+++ new_handlers.py 2011-07-21 11:15:02.000000000 -0400
@@ -57,7 +57,7 @@

EMAIL_VALIDATION_TEMPLATES = {
'web': 'newuser.txt',
- 'mobile': 'newuser.txt',
+ 'mobile': 'api-newuser.txt',
'desktop': 'api-newuser.txt',
}

@@ -207,7 +207,7 @@
             cleaned_data['password'])
         displayname = cleaned_data['displayname']
         email = cleaned_data['email']
- if platform == 'desktop':
+ if platform in ['desktop', 'mobile']:
             account = Account.objects.create_account(
                 displayname, email,
                 encrypted_password, password_encrypted=True,
@@ -229,7 +229,7 @@
             template = EMAIL_VALIDATION_TEMPLATES.get('desktop')
         token.sendNewUserEmail(template=template)

- if platform == 'desktop':
+ if platform in ['desktop', 'mobile']:
account_created.send(sender=self,
openid_identifier=account.openid_identifier)

--- handlers.py	2011-07-21 11:13:50.000000000 -0400
+++ new_handlers.py	2011-07-21 11:15:02.000000000 -0400
@@ -57,7 +57,7 @@
 
 EMAIL_VALIDATION_TEMPLATES = {
     'web': 'newuser.txt',
-    'mobile': 'newuser.txt',
+    'mobile': 'api-newuser.txt',
     'desktop': 'api-newuser.txt',
 }
 
@@ -207,7 +207,7 @@
             cleaned_data['password'])
         displayname = cleaned_data['displayname']
         email = cleaned_data['email']
-        if platform == 'desktop':
+        if platform in ['desktop', 'mobile']:
             account = Account.objects.create_account(
                 displayname, email,
                 encrypted_password, password_encrypted=True,
@@ -229,7 +229,7 @@
             template = EMAIL_VALIDATION_TEMPLATES.get('desktop')
         token.sendNewUserEmail(template=template)
 
-        if platform == 'desktop':
+        if platform in ['desktop', 'mobile']:
             account_created.send(sender=self,
                                  openid_identifier=account.openid_identifier)

Ricardo Kirkner (ricardokirkner) on 2011-07-21

Changed in canonical-identity-provider:
status:	New → In Progress
assignee:	nobody → Ricardo Kirkner (ricardokirkner)

Canonical ISD bug wrangler (isd-bug-wrangler) on 2011-07-22

Changed in canonical-identity-provider:
importance:	Undecided → Medium
tags:	added: kb-defect sp-1

Canonical ISD bug wrangler (isd-bug-wrangler) on 2011-07-22

Changed in canonical-identity-provider:
status:	In Progress → Fix Committed

Revision history for this message

Dave Morley (davmor2) wrote on 2011-07-27:

QA STEPS:
from the doctests run the following api calls

Basic account creation
Basic authorised access
Obtain a token

Then do the following calls
from oauth.oauth import OAuthToken
from lazr.restfulclient.authorize.oauth import OAuthAuthorizer
oauth_token = OAuthToken(<token>, <token_secret>)
oauth_auth = OAuthAuthorizer(<consumer_key>, <consumer_secret>, oauth_token)
api = ServiceRoot(oauth_auth, url)
api.accounts.me()
api.accounts.validate_email(email_token='<token_form_email>')