I’m using Discourse with SSO. The guidelines say:
I’m tempted to open the gates of hell and not send require_activation=true although I’m not validating addresses. There are good reasons why I cannot force email address validation in my SSO provider, and I’d really like my users to have a fully set-up Discourse account with a single click.
What terrible consequences will this have?
- Users can sign up with a developer email address and become admins.
Solution: All developer addresses are taken already.
- I make spam sign-ups easier.
Solution: Registration on the parent site is only open for a limited amount of time and to a limited set of people.
- If I ever disable SSO, password recovery mails go to the wrong address.
Solution: I will never disable SSO. Instead, the Discourse instance will be when it is no longer needed.
- Users can sign up with addresses they do not own and spam the owner of the address.
Workaround: Not a new problem, they can already do that on the parent site. It has never been a problem.
- Users can sign up with incorrect addresses accidentally and miss important emails.
Workaround: Missing emails from the parent site is probably the bigger problem for these users.
I know that I’m leaving the safe, established path if I go ahead. Still, does anyone see a significant problem with this?
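As an added illustration, not part of the original post: this is how a Discourse SSO (DiscourseConnect) provider builds the signed payload that carries require_activation, paired with the check Discourse performs on receipt. The secret, nonce and user values are constructed placeholders; only the field names and the HMAC-SHA256-over-base64 scheme are Discourse's.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholder; the real value is the Discourse "sso secret" site setting.
SSO_SECRET = b"example-shared-secret-not-a-real-one"


def build_sso_response(nonce, external_id, email, username,
                       require_activation, secret=SSO_SECRET):
    """Provider side: encode the user fields and sign them for Discourse.

    Discourse only treats the literal string "true" as true; anything else
    (including omitting the field) means the email is taken as already verified
    and the account is fully activated immediately.
    """
    params = {
        "nonce": nonce,                       # echoed back from Discourse's request
        "external_id": external_id,           # stable id on the parent site
        "email": email,
        "username": username,
        "require_activation": "true" if require_activation else "false",
    }
    payload = base64.b64encode(urllib.parse.urlencode(params).encode()).decode()
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload, sig


def verify_sso_response(payload, sig, secret=SSO_SECRET):
    """Receiving side: recompute the HMAC, compare in constant time, then decode.

    A tampered payload or a wrong secret fails here, so the email field can only
    be trusted as far as the provider that signed it is trusted to have checked it.
    """
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("invalid sso signature")
    decoded = base64.b64decode(payload).decode()
    return dict(urllib.parse.parse_qsl(decoded))


if __name__ == "__main__":
    payload, sig = build_sso_response("abc123", "42", "alice@example.com", "alice", True)
    print(verify_sso_response(payload, sig))
```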