Understanding the registration flow¶
The full flow for a site that offers login and registration using either OpenID or a regular username/password account can be quite complicated. This page shows how the flow implemented by django-openid works.
Login¶
- With Username and Password:
- (has link to switch to OpenID)
- Incorrect login:
- They get their username wrong:
- “wrong username” message (defaults to same as wrong password)
- They get their password wrong:
- “wrong password” message
- Correct login:
- Have they verified their e-mail address?
- Yes:
- Log them in to that account.
- No:
- Tell them to verify their e-mail address
- Option: send me that e-mail again
- With OpenID:
- (has link to switch to username/password)
- OpenID is invalid or authentication fails:
- Tell them what happened, don’t log them in
- Show login or register UI
- OpenID is valid and corresponds to an existing account:
- Have they verified their e-mail address?
- Yes:
- Log them in to that account.
- No:
- Tell them to verify their e-mail address
- Option: send me that e-mail again
- OpenID is valid but does not correspond to an existing account:
- Tell them, and offer a link to the registration form.
Registration¶
- Register with username/password:
- Username/e-mail/password please
- Repeat until valid
- Send verification e-mail
- Tell them “just one more step: click link in your e-mail”
- Register with OpenID:
- Enter your OpenID:
- OpenID is valid:
- And not associated with existing account:
- Show registration form, pre-filled with any details from OpenID provider
- And associated with existing account:
- Log them in - jump to “have they verified their e-mail address” bit in login with OpenID flow
- OpenID is invalid:
- Tell them what happened, link to login page
E-mail verification link clicked¶
- Is verification code valid?
- Yes:
- Mark that account as verified
- Log them straight in to that account
- No:
- Tell them it’s invalid.
- Provide a link to the homepage.
Recover account flow¶
- Ask them for their:
- E-mail address
- or Username
- or OpenID
- If valid information:
- Send them an e-mail with a magic log-you-in link in it
- If invalid:
- Tell them no account found.
- Show form again.
Recover link clicked¶
- If valid:
- Log them in
- Optionally show a reset-your-password screen
- If invalid:
- Tell them to go away, link to homepage