This is the kind of thing that can be really expensive to develop and maintain unless we strictly limit the specification. It’s also not clear how many stations would benefit. This forum thread allows others to chime in and allows us to elaborate the details.
We already use Google and Facebook as Oauth providers for guest login to chat and for search. But we limit it there. Each additional provider involves extra work because they are all different and they change from time to time. A campus single sign-on requires custom software for that particular client.
How would Spinitron integrate Oauth with the existing software? The Oauth login itself isn’t so hard. But users need a way to establish, cancel and renew their authorization of the external Oauth providers. Thinking about this I realized it could get pretty complex if we don’t limit the scope somehow.
First, Spinitron should keep using email addresses for user identity. Changing this would be complicated.
Second, Spinitron should offer user authorization of an external Oauth provider only in the password set and reset email transactions. Password reset is initiated with the “Forgot your password?” link on the login form. User invitation is initiated by a station manager with the “Add users” button on the manage users page.
In both cases Spinitron sends an email to the user including a link with a temporary one-time authentication token. The link loads a page with a form to set a password. I think we could add to that page an option to link a Google or Facebook account.
Consequences and details:
- A user cannot authenticate with Oauth within the self-service user account creation forms.
- A user invited to Spinitron by a station manager using the “Add users” feature receives a welcome email with a “set password” link.
- A user who uses the reset password feature receives an email with a “reset password” link.
- Both of these link to roughly the same thing, a page that allows you to set a (new) password or authorize an external Oauth provider.
- A user can have only one means of authentication established at a time: password, or Google, or Facebook. Thus setting a password cancels Oauth; linking Google cancels password and Facebook; linking Facebook cancels password and Google.
- An existing Spinitron user who wants to switch to Oauth uses password reset.
- A user can de-authorize an Oauth provider using password reset.
I’m not committing to implementing this. I’m just elaborating the request into specification of one idea for an implementation for the sake of discussion.