I'm working on a small Rails application in which I'd like users to be able to prove that accounts they have at other sites, Live Journal, Stack Overflow, Reddit, etc. are in fact theirs.
Can anyone provide any guidance on how best to accomplish something like this?
I've outlined some potential options for account verification.
- Ask users to basically pass their log in credentials to the application via SSL and allow it to verify that it can log in. Then, of course, log out and delete any user session data/credentials. Problems:
- People are not going to psyched about the idea of exposing their credentials to a third party system.
- Handing off log in information may well be against many website's ToS agreements.
- The idea makes me queasy.
- Provide the user with a hash and ask them to insert it into some field of the their public profile. Putting "aTWIUqHRgxEpSVaQzCYc" in the location field of my Stack Overflow account for example and then having the application verify the hash via either API or screen scrape depending on the website.Problems:
- This is tedious to do for more than one or two websites.
- Some sites don't have any sort fields with user supplied information. Reddit for example.
- Again, provide the user with a hash but ask them to send that hash via the website's message system to a specified user account. A server process would routinely check that account's inbox and then link the hash with the account. This seems like the easiest solution.
- 3B. Have the user friend the specified account when applicable.
I've not yet done enough due diligence investigating what options OAuth or Op开发者_C百科enId might provide to speak intelligently about them.
I realize the headache of having to verify accounts this way is going to cause a barrier to entry. Not only that but failing to have a single consistent method for doing it.
I would go with OAuth / OpenID, there is a gem called omniauth and it supports a wide variety of external providers. Ryan Bates has made 3 railscasts about omniauth so you could start there! It's really easy to get it up and running. If you follow the railscasts by Ryan Bates you can allow your users to use more than 1 provider (e.g twitter, openid and facebook).
精彩评论