Greetings, I've been working on the livejournal authentication module, and I've noticed some odd things in the process. Most of this would apply to any remote auth configuration. When a user joins a site using remote authentication, their email address and password are not collected when the account is created. When such a user edits their profile information, though, they are forced to enter an email address, and password fields are presented to them. I'm wondering what the consequences would be if the email address were no longer required for these users. Additionally, it doesn't make sense for them to enter a password since they are authenticated using a remote server. I can see one problem arising from the profile edit page's current design. What happens when a user changes their name from "user@authserver" to be just plain "user" (or vice/versa)? Will that same account no longer be authenticated against the remote server? If I require that any username that they choose have a remote authentication server, would there be problems with this? What happens to normal, locally authenticated users who change their username from "someuser" to "someuser@someotherauthserver"? How would they ever get logged back in if they changed their username to, say, their email address? (I'm sure this has happened before) Some ideas to consider: Many auth servers provide full name, email address, etc., but there's currently no way of attriibuting these values to a local account. What about changing the hook_auth mechanism so that profile data collected at the time of signup can be applied to a new user's account. Consider altering the profile edit page so that if username contains the '@' character (i.e. remotely authenticated), then email address is no longer required and local password fields don't appear. This sounds oversimplified, but I cannot see any reason that these fields would be required/needed for remotely authenticated users. The password field would be especially confusing, since the new password is typically not applied to the authentication server (though I suppose it could be on some servers via hook_user). Any thoughts on this? Your ideas would be greatly appreciated. -Mark