[openstreetmap/openstreetmap-website] Proposal: Seamless Sign-On for OpenStreetMap users from 3rd party apps (Issue #4128)

Branko Kokanovic notifications at github.com
Mon Jul 31 10:14:57 UTC 2023


### Problem

Hi all,

Context: the [Map builder](https://wiki.openstreetmap.org/wiki/Map_builder) (OSM map editor) team at Microsoft is trying to improve the user experience during the signup process. We’d like to propose a couple of modifications to the OSM code base for a more streamlined single sign-in with 3rd party identity providers (Google, Facebook, Microsoft, Wikipedia, GitHub). The specific scenario of interest is 3rd party applications acting on behalf of users, typically by submitting modifications to the map (map editor applications), one of which is our Map builder. Due to the complex process involving multiple forms to fill in and navigating up to 3 applications, it is anticipated that the number of users drops significantly before completing their first-time contribution.

We are ready to invest engineering resources in developing and implementing the proposal. Our hope is that this would benefit both signups coming from inside the OSM website as well as from any other third-party signup process!

### Description

We are focusing here on:
- Reducing the information the user is required to fill in when it is available from the IdP (Identity Provider),
- Removing the email verification step when it is not necessary,
- Reducing the number of steps required to complete the process.

We propose to do this gradually, together with input from you, in one or more PRs. Here is a short breakdown of the proposed changes:

- [ ] Pre-populate email field when using "Login with Microsoft" and "Login with GitHub"
- [ ] Improvements to Login and Sign-Up Screens
- [ ] Introduce "Themed layouts" for Sign-up and Login views

We would like to hear your ideas, suggestions, and concerns in the comments before we dive into implementation!

Here are all these changes in more technical detail.

---

## 1. Pre-populate email field

Currently, only "Login with Facebook" and "Login with Google" pre-populate the email field in the Sign-up form.
The `omniauth` plugin currently used for "Login With Microsoft" is `omniauth-windowslive`, and it does not properly parse the information received from the identity provider. It leaves the email field empty, even though the email is available. It appears that replacing `omniauth-windowslive` with an alternative plugin providing similar functionality would properly parse the tokens.

- Use an alternative plugin for "Login with Microsoft" (modify `config/initializers/omniauth.rb`, update `Gemfile`).
- Verify migration path for the users with existing tokens obtained from `omniauth-windowslive`.
- If necessary, submit PRs for appropriate `omniauth` plugin strategies.
- Create a new plugin if updating the strategy is necessary and the existing plugins are no longer maintained.
- Investigate if GitHub and OpenMedia providers provide verified email addresses.
- Update the condition in `UsersController.auth_success`.
- Investigate whether OSM can fetch some of the user's profile properties from the IdP at run time instead of keeping copies in its database, to avoid keeping stale information.

This effort will not introduce OSM database schema modifications (maybe some new boolean field, but we will consult with you and be upfront about it if that is the case).
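The decision this section asks to revisit in `auth_success` is whether an IdP-supplied address can be pre-populated and whether the email verification step can then be skipped. The following is an added example of such a policy, not code from openstreetmap-website or from any `omniauth` strategy; the provider names, the trusted-provider list and the `email_verified` flag in `raw_info` (the OpenID Connect claim) are assumptions, and the auth hashes are constructed samples.

```ruby
# Added example (not openstreetmap-website code): decide, from an OmniAuth auth
# hash, which email to pre-populate and whether the verification mail may be
# skipped. Provider names and the trusted list below are assumptions.
require "set"

# Assumption: these providers only return addresses they verified themselves.
TRUSTED_EMAIL_PROVIDERS = Set["google", "facebook"].freeze

EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Returns { :email => String or nil, :verified => true/false }.
def email_from_auth(auth)
  provider = auth.dig("provider").to_s
  email = auth.dig("info", "email").to_s.strip.downcase
  return { :email => nil, :verified => false } unless email.match?(EMAIL_RE)

  raw = auth.dig("extra", "raw_info") || {}
  verified =
    if TRUSTED_EMAIL_PROVIDERS.include?(provider)
      true
    else
      # Otherwise require an explicit assertion from the IdP (the OpenID Connect
      # "email_verified" claim). A missing flag means "not verified".
      raw["email_verified"] == true
    end
  { :email => email, :verified => verified }
end

# Pre-populate whenever an email is present; skip the confirmation mail only
# when the IdP vouched for the address.
def skip_email_verification?(auth)
  email_from_auth(auth)[:verified]
end

# Constructed sample auth hashes (shape follows the OmniAuth auth-hash schema).
GOOGLE_AUTH = {
  "provider" => "google", "uid" => "1001",
  "info" => { "email" => "Alice@Example.com" },
  "extra" => { "raw_info" => { "email_verified" => true } }
}.freeze
MICROSOFT_AUTH = {
  "provider" => "microsoft", "uid" => "2002",
  "info" => { "email" => "bob@example.com" },
  "extra" => { "raw_info" => {} } # no verified flag parsed out of the token
}.freeze
EMPTY_AUTH = { "provider" => "windowslive", "uid" => "3003", "info" => {} }.freeze

if __FILE__ == $PROGRAM_NAME
  [GOOGLE_AUTH, MICROSOFT_AUTH, EMPTY_AUTH].each { |a| p email_from_auth(a) }
end
```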

## 2. Improvements to Login and Sign-Up Screens

The proposal would include a number of improvements for Login and Sign-Up screens.

- Combine the "Sign-up" view with "Login" as a separate tab.
- The Sign-up view displays links to the Contributor Terms and Terms of Use, instead of displaying a scrollable text box for the Contributor Terms.
- Remove the "Repeat email" field in the Sign-up view.
- Re-organize Sign-up view to reduce vertical space required.
- Ensure the screens can be displayed in browser popups.

We do not anticipate any database schema modifications for this part.

You can see the current behavior, the proposed behavior and also the proposed signup/login on the OSM website in the screenshots section (watch out, the images are pretty large).

### Notable differences from existing flow
- Improved design of OSM sign-in and sign-up pages.
- When using 3rd party Identity Provider:
  - The email verification step would be skipped if the IdP provides an email address,
  - The user does not enter a password.
- The text of the “Contributor Terms” is not included in the popup screens. Instead, only a link is presented, similar to the link to the “Terms of use”, with a note that setting up the account implicitly assumes that the user agreed to the terms.

### Example workflow

As an example, consider a user working with an OSM editing web application. At some point they want to submit a modification to the map. The user does not yet have an OSM account but may have an account with one of the identity providers supporting OpenID.
- The web application redirects to the combined OSM Login/Signup page. The OSM Login/Signup page may display different themes based on an optional hint provided by the client application. The mock screens display Google- and Microsoft-themed OSM login pages. Since the user does not have an OSM account, they click on the “Sign Up” button.
- The “Sign Up” form displays the additional fields required for the user to sign up to OSM using username/password:
  - “Confirm password” and “Display Name” text fields and links to the “OSM terms of use” and “OSM contributor terms” documents, required for OSM accounts using username/password.
  - “Sign up with…” buttons for all supported identity providers.

  If signing up with a 3rd party IdP, the user does not need to fill in any fields in the form. They simply click one of the “Sign up with…” buttons. OSM redirects to the appropriate IdP (Identity Provider) login page.
- The IdP presents its login page; the user logs in with the IdP.
- The IdP presents an authorization request for the access rights requested by OSM (typically email and public profile). The user confirms the authorization and is returned to OSM.
- OSM presents a “Welcome” page where the user can modify their display name if desired. The display name is pre-populated from the profile information provided by the IdP.
- OSM presents the “Authorization Required” page to allow the application to modify the map. The user clicks “Authorize.”
- Finally, the trust is established, and the contribution can be made.

## 3. Introduce "Themed layouts" for Sign-up and Login views

The idea is that a 3rd party application would be able to trigger a themed layout, perhaps by providing a URI parameter. The themed layout would display one of the "Sign-in with" buttons in a more prominent place.

Otherwise, OSM would display the non-themed layouts of the views. You can see how a themed layout would look in the screenshots section.



### Screenshots

Current behavior:

![Current flow](https://github.com/openstreetmap/openstreetmap-website/assets/188751/216f125c-fda6-4a45-a94e-71467d5fce8b)

Proposed behavior:

![Proposal](https://github.com/openstreetmap/openstreetmap-website/assets/188751/1fbf6e5e-f859-418b-bebc-204b99bc9bca)


Proposed signup/login on OSM website:

![OSM SSO Proposal](https://github.com/openstreetmap/openstreetmap-website/assets/188751/d1c19e70-9cdd-4fc8-9dca-3691082fbe19)


-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4128