The new openid extension for Spree is now available. The business logic included in this extension provides sensible defaults for various user authentication/creation scenarios. Feel free to fork and modify to taste.
The authorizaiton requests make user of the OpenID Simple Registration Extension 1.0 when possible. So if the OpenID provider supports this specification, then requested user information (by default only email) will be returned as
Authentication refers to the login screen where the user is asked to supply their email and password (or OpenID.) If the user provides an openid url then they will be taken to the standard login screen for that user’s provider. Upon successful authentication, the url will be checked against existing users in the Spree database. The user is authorized if a record is found with a matching url. (See also auto creation for other scenarios.)
If the user successfully authenticates via OpenID but there is no user with a corresponding URL, then Spree will attempt to create a new account automatically. If there is an
sreq parameter for email, we first check to see if there is a user with a corresponding email.
If there is a matching email, the user will be presented with a screen and given the opportunity to associate this openid url with their account. In order to do so, the user must enter their original password in order to prevent malicious attempts to hijack another user’s account.
If no matching email is found then Spree will ask the user to “complete” the account creation process by supplying a valid email.
script/extension install git://github.com/schof/spree-open-id.git