2
votes

I want to use OpenId for my site login, but for registration my site needs additional information (username and email address among other things) that does not always come back from the OpenId provider. As I see it, I have two main options:

(1) Up front, ask for the OpenId url, redirect and validate through the OpenId provider and then return to my site and enter additional information. This allows me to pre-populate the second form should the information be returned from the OpenId provider, which is a plus, but negatives include where to store the identifier returned by the provider** and having a multi-stage registration process which can be off-putting.

(2) A single form which displays all information that I need including OpenId provider Url. On submit, save the information in the db, redirect to OpenId, validate and on return from provider, update db record to include identifier. This is simpler but means that I never use any extra information returned by the OpenId provider as the form is filled out prior to authentication.

I am really just after some ideas/thoughts as to the best approach. I am using DotNetOpenAuth with ASP.NET MVC 3 if this makes any difference.

** This is secret, so it cannot be sent to the client and must be saved on the server. I cannot put it in the registration database table because I do not have any of the other not-null fields at this stage. I am not permitted to use session, so where do I put it?

2
What do you mean by "Not permitted to use session" -- why not? You can always create your own sessions that store data in the DB... - Cameron
You mean you can't use sessions or you can't use cookies? aka cookieless sessions - JOBG
I mean that neither in-process nor out-of-process (i.e. database) session is permitted by my company. Cookies are however permitted, so an encrypted cookie might be an option. - Paul Hiles
I'm not sure I understand the bit about the identifier being a secret. All the data you get from the provider is bouncing off the user's browser anyway, right? - Ragesh
+1 Ragesh. The OpenID Claimed Identifier you have for the user is not a secret to the user. That's totally outside your control. - Andrew Arnott
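A worked example of the cookie route raised in the comments, added here as an illustration; it is not code from the question, from DotNetOpenAuth, or from any of the posters. As the comments point out, the OpenID Claimed Identifier is not a secret from the user, so what the cookie that bridges step one (OpenID callback) and step two (the rest of the registration form) needs is integrity and freshness, not confidentiality: the user must not be able to swap in someone else's identifier, and a stale token must not be accepted days later. An HMAC over the payload plus an expiry gives exactly that, with no server-side session. The mechanism is shown in Python because it is language-neutral; in ASP.NET the same thing would be built on the framework's machineKey-based protection helpers. The key, the TTL, the identifiers and the OP-supplied fields below are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for the example. In production the key comes from configuration
# (the machineKey in ASP.NET), never from source code.
SERVER_KEY = b"example-key-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60  # the user must finish the registration form within 15 minutes


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_pending_token(claimed_identifier: str, prefill: dict, now: Optional[float] = None) -> str:
    """Step one: called only after the relying party has verified the OpenID response
    server-side. Packs the claimed identifier, any OP-supplied fields and an expiry,
    and appends an HMAC tag so the client cannot alter any of it."""
    now = time.time() if now is None else now
    body = {"id": claimed_identifier, "prefill": prefill, "exp": int(now + TOKEN_TTL_SECONDS)}
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def read_pending_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Verify the tag first, then the expiry. Returns the payload, or None for a
    malformed, modified or expired token (the caller should restart the OpenID step)."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data.get("exp", 0) < now:
        return None
    return data


def complete_registration(token: str, form_fields: dict, now: Optional[float] = None) -> Optional[dict]:
    """Step two: the registration form posts back together with the cookie. The
    identifier is taken only from the verified token; OP-supplied values are
    defaults that the user's form input may override."""
    data = read_pending_token(token, now)
    if data is None:
        return None
    record = dict(data["prefill"])
    record.update({k: v for k, v in form_fields.items() if v})
    record["claimed_identifier"] = data["id"]
    return record


def modified_token(token: str, new_identifier: str) -> str:
    """Constructed for the demonstration: rewrite the identifier in the payload but
    keep the original tag, to show that the integrity check rejects the result."""
    payload_b64, tag_b64 = token.split(".", 1)
    data = json.loads(_b64d(payload_b64))
    data["id"] = new_identifier
    forged = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(forged) + "." + tag_b64


if __name__ == "__main__":
    issued_at = 1000.0  # constructed clock values keep the demonstration deterministic
    tok = issue_pending_token("https://alice.example.com/", {"email": "alice@example.com"}, now=issued_at)
    print("valid:   ", complete_registration(tok, {"username": "alice", "email": ""}, now=issued_at + 60))
    print("expired: ", complete_registration(tok, {"username": "alice"}, now=issued_at + TOKEN_TTL_SECONDS + 1))
    print("modified:", complete_registration(modified_token(tok, "https://mallory.example.com/"), {}, now=issued_at + 60))
```

Two design points worth noting. The token is issued only after the server has completed OpenID verification, so a client can never reach step two with an identifier the server did not see authenticated; and the OP-supplied fields ride inside the same signed payload, which is what allows the second form to be pre-populated without a session or a half-filled database row. Set the cookie with HttpOnly and Secure, and clear it once the account row is written.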

2 Answers

1
votes

Get the best of both worlds!

Check out this sample, which demonstrates having just one form that takes both OpenID and email address (and you can imagine an arbitrary number of other fields). After typing in the identifier (first), your site immediately begins the OpenID discovery process in the background while the user is typing more of his details. For a new user, this will likely not result in a full login with details, so the user clicks a button to proceed with authentication, which when complete will fill in the details that the OP provides automatically. The user can then change them if desired and finally click the "Create account now" button.

0
votes

I'm going through this myself, and I've chosen to go with option (1) -- do the OpenId dance, get whatever fields are available from the provider, and then ask the user to fill in the blanks.

Yes, it's multiple steps, but I think that overall it's less work for the user; they don't need to type in information that their OpenId provider may be able to supply.