Understanding the registration flow

The full flow for a site that offers login and registration using either OpenID or a regular username/password account can be quite complicated. This page shows how the flow implemented by django-openid works.

Login

  • With Username and Password:
    • (has link to switch to OpenID)

    • Incorrect login:
      • They get their username wrong:
        • “wrong username” message (defaults to same as wrong password)
      • They get their password wrong:
        • “wrong password” message
    • Correct login:
      • Have they verified their e-mail address?
        • Yes:
          • Log them in to that account.
        • No:
          • Tell them to verify their e-mail address
          • Option: send me that e-mail again
  • With OpenID:
    • (has link to switch to username/password)

    • OpenID is invalid or authentication fails:
      • Tell them what happened, don’t log them in
      • Show login or register UI
    • OpenID is valid and corresponds to an existing account:
      • Have they verified their e-mail address?
        • Yes:
          • Log them in to that account.
        • No:
          • Tell them to verify their e-mail address
          • Option: send me that e-mail again
    • OpenID is valid but does not correspond to an existing account:
      • Tell them, and offer a link to the registration form.

Registration

  • Register with username/password:
    • Username/e-mail/password please
    • Repeat until valid
    • Send verification e-mail
    • Tell them “just one more step: click link in your e-mail”
  • Register with OpenID:
    • Enter your OpenID:
      • OpenID is valid:
        • And not associated with existing account:
          • Show registration form, pre-filled with any details from OpenID provider
        • And associated with existing account:
          • Log them in - jump to “have they verified their e-mail address” bit in login with OpenID flow
      • OpenID is invalid:
        • Tell them what happened, link to login page

Recover account flow

  • Ask them for their:
    • E-mail address
    • or Username
    • or OpenID
  • If valid information:
    • Send them an e-mail with a magic log-you-in link in it
  • If invalid:
    • Tell them no account found.
    • Show form again.