[typo] OpenID authenticated comments

Brian Ellin brianellin at gmail.com
Sun Jan 8 00:59:19 EST 2006

Typo developers,

I'm starting a Typo powered blog, and being an OpenID developer I'd like to
launch it with OpenID authenticated comments.  This evening I hacked
together primitive OpenID authentication within the existing comment
framework.  It works by authenticating the URL the commenter types in the
"Your blog" field.

After doing this I actually googled "typo openid" to find:

There appears to be sufficient interest in having OpenID enabled comments
distributed with Typo, and I have a few questions for you developers about
how it should all work.

1) UI and flow
Before adding a comment, the user needs to be authenticated.  This could be
done in one or two steps.  In the two step case, the user enters their
OpenID URL, is authenticated, and then may proceed to the add comment form.
In the one step case, the OpenID field and the comment content are in the
same form.  On submission, the comment is stored somewhere (session?), and
then the authentication is done on the URL.  This requires a redirect to the
commenter's OpenID server, and upon return and valid authentication the
comment is added to the site.

Which of these methods best fits into Typo?  I personally like the two-step
case, in which I can essentially be logged into the site and post other
comments without typing my OpenID again.  In the one step case, there needs
to be a strategy for when the user is unable to authenticate.  If the user
cannot auth, the comment data is still stored in the session and will have
to be GC'd.

2) Redirect & AJAX
Comments in Typo are AJAX'd by default.  The OpenID protocol requires a
browser redirect to send the commenter to auth w/ her server, and this does
not fit well into the AJAX style of posting.
On an AJAX redirect, a message shows up saying something like "You are being
redirected", where the "redirected" word is actually a link the user has to
click to go to the redirect.  Obviously that makes for a weird user
experience, and it'd be best if the user was just automatically redirected.

Positive user experience would require non-AJAX comment posting for OpenID
authenticated comments.

3) How does all this fit in with the existing comment system?
Are the other fields necessary anymore?  Email is important, but in the
future OpenID world it will be less important.  Name and blog URL are not
explicitly necessary.  Personally I'd like to see just an OpenID URL field
and the comment box (which is probably how I'll set it up on my site).

4) Configuration options
Should OpenID authentication be toggleable for comments?  Etc...

I'm really excited about adding OpenID authentication to Typo, and look
forward to your thoughts on it all.

Have a good weekend,
Brian Ellin
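
An added example, not part of the original post and not Typo's code: a sketch of the one-step flow from point 1, where a comment is parked before the redirect, published only if the identity verified on return matches the URL it was submitted under, and garbage-collected if the commenter never comes back. The class name `PendingComments`, its methods and the TTL are hypothetical, and `verified_url` stands for whatever an OpenID library reports after checking the server's response.

```ruby
require 'securerandom'

# Holds comments submitted before OpenID authentication finishes.
# Hypothetical class: not part of Typo or of any OpenID library.
class PendingComments
  Entry = Struct.new(:claimed_url, :body, :expires_at)

  def initialize(ttl: 600, clock: -> { Time.now.to_f })
    @ttl = ttl          # seconds a parked comment may wait for the redirect
    @clock = clock      # injectable so expiry can be exercised without sleeping
    @entries = {}
  end

  # Before the redirect: park the comment and return an unguessable token
  # to keep in the commenter's session until they return.
  def park(claimed_url, body)
    token = SecureRandom.hex(16)
    @entries[token] = Entry.new(claimed_url, body, @clock.call + @ttl)
    token
  end

  # On return from the OpenID server. verified_url is nil when authentication
  # failed or was cancelled. The token is single-use whatever the outcome, so
  # a replayed return cannot publish the comment twice.
  # Assumption: both URLs were normalized the same way before comparison.
  def claim(token, verified_url)
    entry = @entries.delete(token)
    return nil if entry.nil? || entry.expires_at <= @clock.call
    return nil if verified_url.nil? || verified_url != entry.claimed_url
    { author_url: verified_url, body: entry.body }
  end

  # GC for commenters who never came back; returns how many were dropped.
  def sweep
    now = @clock.call
    before = @entries.size
    @entries.delete_if { |_, e| e.expires_at <= now }
    before - @entries.size
  end

  def size
    @entries.size
  end
end
```

Binding the parked comment to the claimed URL is what stops a commenter from submitting under one identity and authenticating as another.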