[drupal-devel] remote auth and required email/password fields

Mark mark at nullcraft.org
Wed Mar 16 06:02:53 UTC 2005


I've been working on the livejournal authentication module, and I've 
noticed some odd things in the process.  Most of this would apply to any 
remote auth configuration.  When a user joins a site using remote 
authentication, their email address and password are not collected when 
the account is created.  When such a user edits their profile 
information, though, they are forced to enter an email address, and 
password fields are presented to them.  I'm wondering what the 
consequences would be if the email address were no longer required for 
these users.  Additionally, it doesn't make sense for them to enter a 
password since they are authenticated using a remote server.

I can see one problem arising from the profile edit page's current 
design.  What happens when a user changes their name from 
"user at authserver" to be just plain "user" (or vice/versa)?  Will that 
same account no longer be authenticated against the remote server?  If I 
require that any username that they choose have a remote authentication 
server, would there be problems with this?  What happens to normal, 
locally authenticated users who change their username from "someuser" to 
"someuser at someotherauthserver"?  How would they ever get logged back in 
if they changed their username to, say, their email address? (I'm sure 
this has happened before)

Some ideas to consider:
Many auth servers provide full name, email address, etc., but there's 
currently no way of attriibuting these values to a local account.  What 
about changing the hook_auth mechanism so that profile data collected at 
the time of signup can be applied to a new user's account.

Consider altering the profile edit page so that if username contains the 
'@' character (i.e. remotely authenticated), then email address is no 
longer required and local password fields don't appear.  This sounds 
oversimplified, but I cannot see any reason that these fields would be 
required/needed for remotely authenticated users.  The password field 
would be especially confusing, since the new password is typically not 
applied to the authentication server (though I suppose it could be on 
some servers via hook_user).

Any thoughts on this?  Your ideas would be greatly appreciated.

More information about the drupal-devel mailing list