I’m tempted to open the gates of hell and not send require_activation=true although I’m not validating addresses. There are good reasons why I cannot force email address validation in my SSO provider, and I’d really like my users to have a fully set-up Discourse account with a single click.
What terrible consequences will this have?
Users can sign up with a developer email address and become admins. Solution: All developer addresses are taken already.
I make spam sign-ups easier. Solution: Registration on the parent site is only open for a limited amount of time and to a limited set of people.
If I ever disable SSO, password recovery mails go to the wrong address. Solution: I will never disable SSO. Instead, the Discourse instance will be when it is no longer needed.
Users can sign up with addresses they do not own and spam the owner of the address. Workaround: Not a new problem, they can already do that on the parent site. It has never been a problem.
Users can sign up with incorrect addresses accidentally and miss important emails. Workaround: Missing emails from the parent site is probably the bigger problem for these users.
I know that I’m leaving the safe, established path if I go ahead. Still, does anyone see a significant problem with this?
Will cause the outgoing mail server’s reputation to fall, and it may possibly become blacklisted.
Sending mail to invalid email addresses, to addresses where mail is marked as spam, or to addresses where a large amount of mail goes unopened will cause mail server reputation to fall.
Mail server IPs or entire IP ranges may be blacklisted for a short or extended period.
Mail to valid users may be filtered and flagged as spam or not delivered.
Discourse is set up by default to send digests and reply emails if the user is not on the site.
Users may optionally set “mailing list mode”, causing lots of emails to be sent to the user’s mailing address.
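
For reference, an added example (not code from either poster or from Discourse) of the middle path between the two positions in this thread: the SSO provider signs the return payload and sets `require_activation=true` only for accounts whose address it has not verified itself. The user record layout, its `email_verified` field and the secret are assumptions made for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SECRET = b"constructed-example-secret"  # constructed sample, not a real key


def sign(payload: str, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the base64 payload, as the SSO exchange uses."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def encode(fields: dict, secret: bytes) -> tuple[str, str]:
    """URL-encode the fields, base64 them, and return (payload, signature)."""
    payload = base64.b64encode(urlencode(fields).encode()).decode()
    return payload, sign(payload, secret)


def decode(payload: str) -> dict:
    """Inverse of encode(); the caller must have checked the signature first."""
    query = base64.b64decode(payload).decode()
    return {key: values[0] for key, values in parse_qs(query).items()}


def verify_request(sso: str, sig: str, secret: bytes) -> str:
    """Reject a tampered login request, otherwise return the forum's nonce."""
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad SSO signature")
    return decode(sso)["nonce"]


def build_response(nonce: str, user: dict, secret: bytes) -> tuple[str, str]:
    """Build the signed return payload for one user record (hypothetical layout)."""
    fields = {
        "nonce": nonce,
        "external_id": user["id"],
        "email": user["email"],
        "username": user["username"],
    }
    # Fail safe: a record with no verification flag counts as unverified, so
    # the forum confirms the address itself before it acts on it.
    if not user.get("email_verified", False):
        fields["require_activation"] = "true"
    return encode(fields, secret)
```
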