• Basically... options, this gives us options.

    Options are definitely good to have, I think Auth0 seems like a pretty good plan B.

    I figure that I can make each site owner register their own auth0 account, and this spreads the load, whilst leaving the site owners fully in control of their user lists, and it means it's free.

    Does that mean that site owners will have to sign up for an Auth0 account, then let you know the email address they used so that you can set it up? Is it easy enough to configure this on a per-site basis?

    On a different note, I looked at the pricing page and it says that if the project is open-source and not for profit, you can get all the features for free. Is that not what Microcosm is now?

  • They only ship a single JS file, that is capable of doing both a traditional web app and a single page JS app. The latter is the first part of the issue.

    Then it is possible to configure an auth0 app to use lots of different authentication providers... as an idea from the JS:

    var STRATEGIES = exports.STRATEGIES = {
      "amazon": "Amazon",
      "aol": "Aol",
      "baidu": "百度",
      "box": "Box",
      "dwolla": "Dwolla",
      "ebay": "ebay",
      "exact": "Exact",
      "facebook": "Facebook",
      "fitbit": "Fitbit",
      "github": "GitHub",
      "google-openid": "Google OpenId",
      "google-oauth2": "Google",
      "instagram": "Instagram",
      "linkedin": "LinkedIn",
      "miicard": "miiCard",
      "paypal": "PayPal",
      "planningcenter": "Planning Center",
      "renren": "人人",
      "salesforce": "Salesforce",
      "salesforce-community": "Salesforce Community",
      "salesforce-sandbox": "Salesforce (sandbox)",
      "shopify": "Shopify",
      "soundcloud": "Soundcloud",
      "thecity": "The City",
      "thecity-sandbox": "The City (sandbox)",
      "thirtysevensignals": "37 Signals",
      "twitter": "Twitter",
      "vkontakte": "vKontakte",
      "windowslive": "Microsoft Account",
      "wordpress": "Wordpress",
      "yahoo": "Yahoo!",
      "yammer": "Yammer",
      "yandex": "Yandex",
      "weibo": "新浪微博"
    };
    

    When you combine both "all the JS for a single page web app (in something like React)" with "all the JS to talk to all these social providers" whilst then having "all the JS to render the UI"... one ends up with a huge JavaScript file.

  • Does that mean that site owners will have to sign up for an Auth0 account, then let you know the email address they used so that you can set it up? Is it easy enough to configure this on a per-site basis?

    It's fairly easy to configure and I'll make instructions.

    Essentially each site needs to:

    1. Create an auth0 account
    2. Create a traditional web app client
    3. Configure a Google OAuth connection
    4. Configure a Microsoft Account connection
    5. Provide Microcosm with the auth0 domain, client id, and client secret

    Then auth0 will work for that site on Microcosm.

    On a different note, I looked at the pricing page and it says that if the project is open-source and not for profit, you can get all the features for free. Is that not what Microcosm is now?

    It is free if every site on the project has one of these badges on it:
    https://auth0.github.io/auth0-oss-badges/

    I thought that was pushing it... plus, is Islington CC open source and free? Is the Rapha Cycling Club?

    Microcosm as a project may be, but the sites are not the project... so I am unconvinced it applies.
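
As an added illustration (not Microcosm's code, and not auth0's) of what the server side does with the three values from step 5 above: each site gets its own auth0 domain, client id and client secret, the user's choice of provider selects the auth0 connection, and the client secret never leaves the server. The `SiteAuth0` class, the `CONNECTIONS` table and the `email` connection name are assumptions for this example; `google-oauth2` and `windowslive` are taken from the STRATEGIES list posted above.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

@dataclass(frozen=True)
class SiteAuth0:
    """The per-site values from step 5 (values in the test are constructed)."""
    domain: str         # the site's auth0 domain, e.g. "tenant.auth0.com"
    client_id: str
    client_secret: str  # stays on the server; the browser never sees it
    callback: str       # redirect_uri registered on the web app client

# auth0 connection names: "google-oauth2" and "windowslive" appear in the
# STRATEGIES list above; "email" is assumed to be the passwordless connection.
CONNECTIONS = {"google": "google-oauth2", "microsoft": "windowslive", "email": "email"}

def start_login(site, choice, session):
    """Build the /authorize redirect for one site's client and bind a random
    state to the user's session so the callback can be tied to this request."""
    state = secrets.token_urlsafe(32)
    session["auth0_state"] = state
    params = {
        "response_type": "code",
        "client_id": site.client_id,
        "redirect_uri": site.callback,
        "scope": "openid email",
        "state": state,
        "connection": CONNECTIONS[choice],
    }
    return f"https://{site.domain}/authorize?" + urlencode(params)

def token_request(site, callback_url, session):
    """Check the callback's state, then return the form body the server POSTs
    to https://{domain}/oauth/token to exchange the code for tokens."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("auth0_state", None)  # single use, so no replay
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback not tied to a login we started")
    if "code" not in query:
        raise ValueError("callback carried no authorization code")
    return {
        "grant_type": "authorization_code",
        "client_id": site.client_id,
        "client_secret": site.client_secret,
        "code": query["code"][0],
        "redirect_uri": site.callback,
    }
```

The state check is what stops a callback crafted for one user from being completed in another user's session; the session entry is removed on first use so the same callback cannot be replayed.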

  • So I have to log in again after quarter to nine this evening?

  • So I have to log in again after quarter to nine this evening?

    LOL

    In other news, FF48.0.2 on Win 10 desktop works, but I haven't yet worked out how to get my locked-down Opera 12.18 to work. It would help if there was a list of cookies I have to permit. It's pretty irritating to have to accept third-party cookies, and it's very irritating to have to check my email every time I log in, since all cookies are deleted when I close my browser. I'm mystified by the need for this fabulously over-complicated log-in process when Basic Authentication would be more than sufficient :)

  • I'm mystified by the need for this fabulously over-complicated log-in process

    I just find it completely unintuitive for how I interact with forums (or indeed any secure site).

    I don't leave them logged in permanently or save passwords: no matter how trivial the content, I will explicitly log out when I've done with my session.

    My Google account is used with a completely different email address to the one used here, and I don't want to associate it with other sites anyway, at least as far as I can avoid it. I don't have a Microsoft account. And it's deeply tedious to check email to get a one-time code.

    (Seems to work on Chrome 52.0.2743.116 m and Win 10 Pro - it's just not nice.)

  • Then use the email code.

    Advantages of that:

    • You can use any email you want as long as you can receive an email
    • I won't have a password that can be hacked or compromised

    Why won't I store passwords?

    1. I don't have a security team
    2. I don't do penetration testing
    3. I've watched over the years as every forum software was compromised and their databases leaked
    4. I actually respect the people that use the site
    5. I think it's incredibly irresponsible for sites to attempt to write their own password based systems

    In effect I've externalised the issue onto companies that can get this right, or yourself.

    If you have a Google account (more than half of the people on this site do) then it's a single click (after the first sign-in) and you're probably logged into your email, you may have two-factor auth enabled, your authentication is being protected by one of the best security teams in the world and actively defended.

    If you have a Microsoft account (and a lot of people use Windows, and a lot of people have Hotmail, Skype, etc), then again you get a world class security team.

    If you want to use your own email, then you're trusting your email provider and not me. That's pretty good, you already do trust them (I assume), and if it's yourself as you run your own then I've basically said that you're in control of your security.

    I wouldn't mind but this forum has been going for almost a decade, and in that time I've only had low hundreds of email changes, whereas in the first few years there were hundreds of "forgotten my login" or "can I change my username", etc.

    This system:

    • OAuth2 or
    • OpenID Connect or
    • passwordless code to email

    is basically immune to DDoS, social engineering on me, brute forces against this site, replay attacks, timing attacks.

    There is nothing more secure... and it isn't even that inconvenient.

    So yeah... this is what you're getting.

  • Meh.

    Fair enough, you're the boss, you know your shit with this kind of stuff and I don't. But the one-time code thing is tedious - no, not hugely so, but a bit; not hugely inconvenient, but a bit. I tried it twice as a test, and I was annoyed with it, and I was annoyed with having to wait for the code, and I was annoyed with having two code emails just sitting there.

    First world problemettes, I know, but I'll end up using the site less, or just reading, not logged in. I don't contribute much anyway, so it'll be my loss not the forum's, but hey ho.

    (That all sounds whingy, and entitled, and unappreciative. That's not how I feel, I do appreciate and acknowledge all you've done in establishing and running the forum, so apologies for my whinges.)

  • I was annoyed with having to wait for the code, and I was annoyed with having two code emails just sitting there.

    I have updated the code to be valid for 15 minutes rather than 5.

    I've checked the email audit logs, both emails sent to you were received by the respective servers on your side within a few seconds each. It is only the inability of whatever your email client is to show this that should have delayed it.

  • Oh, I had the codes within a few seconds - 'having to wait' was about 3 or 4 seconds each time. I'm just being a princess.

    (That said, I'm sure I saw a link to research the other day, citing recent increases to page load times on ecommerce sites that are substantially increasing the number of abandoned transactions. Given the stats around that purport to show a 2 sec delay can increase abandonments by 80-odd%, I fear I'm not the only princess who wants it Right Now and will whinge about any perceived delay.)

    Anyway, I reckon you've already allotted far more time than I deserve, just in writing those comprehensive replies - thank you. I don't particularly like the new interaction around login, but that's largely because I fear change - I'll have to either deal with it, or change my use of the forum. And as I've said, I do know that would be my loss rather than anyone else's.

  • @Velocio signed in with auth0 on Chrome, OSX 10.11.6
    No problems

  • No issues at all with Chromium Version 51.0.2704.79 Ubuntu 16.04 (64-bit)

  • Works with Firefox 5.1 on iOS 9.3.5.

  • citing recent increases to page load times on ecommerce sites that are substantially increasing the number of abandoned transactions

    Relates to page load times, not interactions such as authenticated logins. Page load and render speed impacting engagement has been known since the nineties.

    LFGSS is way faster than almost every site, and this auth change does not impact that at all. I've used Thousand Eyes to prove that (aside from threads like Bike Porn with lots of 3rd party hosted images) nothing on the site takes more than 1-2 seconds to load.

  • How you authenticate is a chunky part of the user experience.

    If the steps to authenticate are perceived as weird then it will feel weird and users / customers / whatever will act on that weirdness.

    The post above is a nice description of the benefits of third partying authentication to people who mostly have their security game nailed.

    A super concise version could be built in to the UI. Existing users also need to be informed / educated in advance to minimise change effects.

    Tl;dr I get it, it's neat, existing users will need a spot of hand holding before / when you transition.

  • A super concise version could be built in to the UI. Existing users also need to be informed / educated in advance to minimise change effects.

    Yes, it could... but it can't.

    There is a separation between the server (database, API) and the client (web site) that I built into the system early on.

    The separation is there to allow other people to build their own client, but yet the clients will never get access to any password or even the long-term tokens and interactions with authentication partners.

    If it were the case that no-one ever made a 3rd party client, I could make this look and feel a lot better. But actually an Android client is in the works and so the separation must be preserved.

    I do need to communicate the changes, and I will, and I haven't done that badly in the past... but first I need to test and prove the changes on a smaller audience. Resolve issues, make adjustments and tweaks.

  • Managed to log off on my computer and it turns out my LFGSS email is set to one that isn't accessible anymore

  • I have updated your email. Sign out and sign in again.

  • OK, So this stuff basically works, but the test audience has been too small for me to know whether there are any issues.

    I've started work on a de-duplicate login thing... so if there are errors in your email address, like you originally signed in with david+lfgss@gmail.com and you now sign in with david@gmail.com (having forgotten you used a + bit), then instead of creating a second account we'll sign you into the original account.

    Once that is done (middle of next week) I'm going to disable Persona and enable auth0 for ALL logins for a duration of 1 week or more.

    I need to expand the test audience significantly so that I can be sure that this really does work well for all people. Hence, everyone on LFGSS will need to auth using auth0.

    At that point I'll also monitor how many people use the Google login, the Microsoft login, or choose to get sent a code to their email.

    Over 1/3 of all members have an @gmail.com or @googlemail.com email and I've already seen in the small sample I have that people with Google Accounts prefer to sign-in using that.

    But I'm less convinced of the Microsoft login, which I think works for any email so long as you have a Microsoft (Windows) account. So I'll see whether people want that.

    Alternatives if we don't have "Sign in with your Microsoft Account" would be to sign-in with:

    • PayPal (as we take donations this way, it could be useful)
    • Dropbox (a lot of people use this, but that's weird I feel)
    • Yahoo (2k users out of 45k, so this is less useful)
    • Facebook (privacy concern here)

    So far:

    • Code to email = 15 people
    • Google auth = 15 people
    • Microsoft auth = 2 people

    I could even consider just leaving it as "Google or Email". We'll see.
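
The de-duplicate login described in this post, as an added example that is not Microcosm's code: the `+lfgss` tag case from the post is collapsed only for providers known to route `local+tag@` to `local@` (Gmail and its googlemail.com alias, an assumption of this example), and nothing is matched unless the provider or the email code has verified the address, because otherwise an unverified email from an identity provider could be used to sign into somebody else's existing account. Function names and the `accounts` mapping are assumptions.

```python
# Providers known to deliver local+tag@domain to the local@domain mailbox. Only
# these are collapsed: on an arbitrary domain a "+" address may be a separate
# person, and merging it would hand one user's account to another.
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address):
    """Normalise an address for matching; the stored address is left as-is."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain == "googlemail.com":
        domain = "gmail.com"  # same mailboxes behind both domains
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    return f"{local}@{domain}"

def resolve_account(sign_in_email, email_verified, accounts):
    """accounts maps user id -> stored email. Returns the user id to sign in, or
    None when a new account (or a manual check) is needed. An exact match wins;
    otherwise a single account with the same canonical form is used. Nothing is
    matched unless the provider or email code proved the address is the user's."""
    if not email_verified:
        return None
    wanted = sign_in_email.strip().lower()
    for uid, stored in accounts.items():
        if stored.lower() == wanted:
            return uid
    canon = canonical_email(wanted)
    matches = [uid for uid, stored in accounts.items() if canonical_email(stored) == canon]
    return matches[0] if len(matches) == 1 else None  # ambiguous: do not guess
```

Gmail also ignores dots in the local part; the block deliberately leaves those alone so that a match never rests on more normalisation than the post describes.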

  • Oh, and a solid 1/3 of people use a Windows laptop or desktop to access the site, hence my inclusion of the Microsoft login at the moment.

  • After testing the code verification at work I used my Hotmail account at home. Much easier!

  • Hello VB
    Works a treat in both Safari (iOS 10.11.6) and Firefox on a Mac, and also on mobile Safari. (iOS 9.3.5)

    I think retaining the PayPal log in is a good idea.

  • Just worked it out. As is not unusual, earlier difficulties were down to me being stupid.

  • Using NoScript?

    I was initially puzzled as NS doesn't display the usual indicator that something is blocked, but you do actually need to allow auth0.

  • Exactly. It wasn't apparent that NS was blocking it.

New login stuff, if your username changed and you need your email updating let me know

Posted by @Velocio