BlocklyProp
OAuth Problems
We need to disconnect the forced-exclusive nature of logging in with an email address as 1) a localized account, and 2) an OAuth account.
- If a local account is created in BlocklyProp with an email address that happens to be that of a Google account, then later trying to "Log in using Google" causes a fatal error:

- If the user first tries to "Log in using Google" (successfully) and then later decides to create a local account using the same email address that happens to be from the Google account, he gets an "Email already used" error.
The bug noted in the first bullet needs to be addressed, regardless, but can we solve this by making it support both methods of logging in, with the same email account so as to avoid customer issues? We don't understand why the system seems to check that a local account was already created... can't it just treat them as one and the same?
This is something that I've never seen done.
What I'm willing to do is add a button in the user profile page to convert their account from one authentication source to another.
I'm adding @kgracey and @zfi here to make sure we're all in agreement (or not).
@michel-cf - That's not really going to solve the problem well; the problem is that the user doesn't know what's going on.
- In one case, they are left wondering what "???oauth.wrong-authentication-source???" means, and that's not really a proper user-level error message anyway.
- In the other case they are wondering why it's telling them that their "email already used." This may lead them to selecting the Forgot Password link, which will tell them this message, below, when they enter the email address in question:

Nothing leads them to the solution. Much of the audience is expected to have too little technical experience to understand what these messages may be telling them. They'll be stuck and frustrated with the system.
Just because we haven't seen it be done doesn't mean it's impossible or wrong. We see nothing wrong with treating a local account (identified uniquely by email address) as the same account as was previously logged in to using OAuth (with the same email address), or vice-versa. It's just authenticating locally (via registration, confirmation, and password) vs. authenticating via a trusted source... either way, it's authenticating the user to the same account (by email address in each case).
Our point is, from both a user and a system perspective, it shouldn't matter which of the two authentication sources is used (password or OAuth)... both target the same BlocklyProp user account.
@kgracey and @zfi, please confirm that this is our view and our goal.
???oauth.wrong-authentication-source??? or anything with ??? in front and after is a missing translation.
We can put in whatever clear instruction we want.
We should resolve this if OAuth is re-enabled on the Production site.
We have a pretty clear idea of what caused the initial failure. OAuth registration for the site is based on the host name. The error was created when the keys from a test server were migrated to the production servers. That is no longer possible with the new tools that are in place.
It is time to revisit this issue. BlocklyProp currently does not separate the user authentication from the user profile. I believe this design is what limits the user to a single authentication source. Let's discuss this off-line and see what we can do to evolve the design to support current best practices.
Agreed.
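As an added illustration of the design discussed in this thread (one profile keyed by email, reached through either a confirmed local password or an OAuth provider that vouches for the email), here is a small account store that separates the profile from its authentication identities. This is example code written for this page, not BlocklyProp's own code; the class and method names, the PBKDF2 parameters, the `email_verified`/`sub` claim names taken from an OpenID Connect ID token, and the "Forgot Password" hint text are all assumptions. It also covers the edge case the thread hints at: a password registered but never confirmed is discarded once a provider verifies the same email, so nobody can pre-register a password on an address they do not control.

```python
"""Added example (not BlocklyProp code): one user profile, several ways to
prove control of the same email address.  Names and flow are assumptions."""

from dataclasses import dataclass, field
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed; tune to the deployment's CPU budget


@dataclass
class Identity:
    source: str          # "local" or an OAuth provider name such as "google"
    subject: str         # local: the email; OAuth: the provider's stable user id
    secret: bytes = b""  # local: salt + PBKDF2 digest; OAuth: unused


@dataclass
class Profile:
    email: str
    email_confirmed: bool = False
    identities: dict = field(default_factory=dict)  # source -> Identity


class AccountStore:
    def __init__(self):
        self.profiles = {}  # normalized email -> Profile

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def _get_or_create(self, email):
        key = self._norm(email)
        if key not in self.profiles:
            self.profiles[key] = Profile(email=key)
        return self.profiles[key]

    # ---- local registration / login ---------------------------------------
    def register_local(self, email, password):
        """Attach a password identity to the profile for this email, creating
        the profile if needed.  A profile that already came in via OAuth is
        reused rather than rejected with 'Email already used'."""
        profile = self._get_or_create(email)
        if "local" in profile.identities:
            raise ValueError("A password is already set; use Forgot Password.")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        profile.identities["local"] = Identity("local", profile.email, salt + digest)
        return profile

    def confirm_email(self, email):
        """Called when the user clicks the confirmation link."""
        self.profiles[self._norm(email)].email_confirmed = True

    def login_local(self, email, password):
        profile = self.profiles.get(self._norm(email))
        if not profile or "local" not in profile.identities or not profile.email_confirmed:
            return None
        stored = profile.identities["local"].secret
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return profile if hmac.compare_digest(candidate, digest) else None

    # ---- OAuth login -------------------------------------------------------
    def login_oauth(self, source, claims):
        """claims: the provider's ID-token claims (constructed in the test).
        Only a provider-verified email may reach an existing profile."""
        if not claims.get("email_verified"):
            return None
        profile = self._get_or_create(claims["email"])
        if not profile.email_confirmed:
            # The provider just proved the address.  Any password registered
            # earlier was never confirmed, so it must not become valid now.
            profile.identities.pop("local", None)
            profile.email_confirmed = True
        ident = profile.identities.get(source)
        if ident is None:
            profile.identities[source] = Identity(source, claims["sub"])
        elif ident.subject != claims["sub"]:
            return None  # same email, different provider account: refuse
        return profile

    # ---- user-facing help instead of a bare error --------------------------
    def forgot_password_hint(self, email):
        profile = self.profiles.get(self._norm(email))
        if not profile:
            return "No account uses this email address."
        if "local" in profile.identities:
            return "A password reset link has been sent."
        sources = ", ".join(s.capitalize() for s in profile.identities)
        return f"This account signs in with {sources}; use that button to log in."
```

The key points for a practitioner: the email is the join key, but an identity is attached only after the address is proven (confirmation link for passwords, `email_verified` for the provider), and each identity records which concrete provider account it belongs to so a second provider account with the same email is refused rather than silently merged.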