
canonical-isd-hackers team mailing list archive

Re: [Launchpad-dev] How do we fix the Launchpad's login experience?

 

On Fri, Sep 24, 2010 at 5:28 AM, Curtis Hovey
<curtis.hovey@xxxxxxxxxxxxx> wrote:

> The Launchpad user registration/login/reset has been broken for many
> months. As a subscriber to all launchpad bugs and questions, I can see
> there is a problem, but as a person who works with the Launchpad
> Registry team, I feel powerless to fix this. I think this sense of
> confusion is common for all the users and developers of Launchpad. Can
> the people with some knowledge take some time to elaborate and correct
> our common understanding of what is wrong and what can be done to fix
> it.

I'll try and respond to this thread more thoroughly on Monday, but for now:

 - https://bugs.edge.launchpad.net/canonical-identity-provider/+bug/644824
seems to be the most immediate problem. I'm not sure if people will
continue getting into this state, or if it will go away. I think the
people affected were relying on logging in with SSO accounts that did
not match email addresses in Launchpad, and since we now repair that
situation automatically, it might not be a problem for any new
accounts.
 - Yes, it is complex and difficult to work through the tangled web we
have woven.
 - It could all go away if we become a proper OpenId RP. It could also
go away if we went back to just relying on the email address to log
in. I think the core issue is we are in a halfway state.
 - We can just trash the OpenIDIdentifier records in the Launchpad
database, which should clear the links. Since we repair these links on
login, this might be a way to solve weird identifier->lpaccount
linkages without implementing a management interface to your
OpenIdIdentifier records.
 - I think a problem is that you can be logged in twice to the
Canonical SSO - once to login.launchpad.net, and once to
login.ubuntu.com. I suspect one source of confusion is that people
might not be logging out as thoroughly as they need to.
 - I'm not joking about going back to just relying on email address. I
think if the Canonical SSO looked up team membership by email address
rather than openid identifier, then we can tear out the linkage repair
code. I think everything would then work fine, provided we had an
interface for users to edit their OpenIdIdentifier records to keep the
delegation from https://launchpad.net/~foo URLs working. I suspect
this is a lot simpler than turning into a full OpenId RP, although it
is a step backwards.


-- 
Stuart Bishop <stuart@xxxxxxxxxxxxxxxx>
http://www.stuartbishop.net/


