What do you all think about adding a switch to the SSO settings to disable the automatic “trusting” of email addresses. That is, forcing users to activate their discourse account when it is created via SSO.
Right now I think the assumption is that the email verification is done by the provider, and so it can be skipped in discourse. However, we run an ecommerce store and email validation on account creation would negatively impact conversion.
I’m going to spend a little time trying to get into the code base today, but let me know if you think this would be an acceptable addition (or if I shouldn’t bother).
I feel like everything should be handled by third party and not by discourse. It should be the third party sites job to verify the email and have spam protection, not discourse’s.
The problem is that the provider is not a forum, so it may have very different verification priorities. Spam is the priority for a forum, for which email verification is an appropriate solution. But other providers have different priorities (in our case, an ecommerce store).
It is more like a separation of concerns to allow Discourse to do its own types of verifications, without coupling itself to the third party provider.
The problem is that we, Discourse, get blamed for a “spam” problem when the root cause is badly designed SSO from the parent site that lets poorly vetted accounts through … This has come up a few times.
I really think that it isn’t “badly designed SSO”. Other applications are not forums and do not necessarily share the same concept of vetted accounts.
Yeah in my implementation there is a site setting that controls whether SSO trusts emails or not. Default would remain the same: all new accounts through SSO would be trusted.
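To make the proposed setting concrete, here is an added example (not Discourse's own code, and not from any poster here) that models an SSO login handler in Ruby: it first verifies the HMAC-SHA256 signature on the base64 payload, as Discourse-style SSO does, and only then builds the local account, with a hypothetical `SSO_TRUSTS_EMAIL` site setting deciding whether the account is active immediately or needs an activation token. The shared secret and user attributes are constructed values.

```ruby
require "openssl"
require "base64"
require "cgi"
require "uri"
require "securerandom"

# Hypothetical site setting modelled on the one proposed in this thread.
# true  => current behaviour: accounts arriving via SSO are activated at once.
# false => accounts arriving via SSO must still confirm their email address.
SSO_TRUSTS_EMAIL = false

SSO_SECRET = "constructed-shared-secret-for-this-example"

# Compare two strings without leaking where they differ (timing-safe).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider side: encode the attributes and sign the encoded payload.
# Returns [sso, sig] as they would appear in the query string.
def sign_sso_payload(params, secret)
  sso_b64 = Base64.strict_encode64(URI.encode_www_form(params))
  [sso_b64, OpenSSL::HMAC.hexdigest("sha256", secret, sso_b64)]
end

# Forum side: check the signature BEFORE reading anything out of the payload.
# Returns the attribute hash, or nil if the signature does not match.
def verify_sso_payload(sso_b64, sig, secret)
  expected = OpenSSL::HMAC.hexdigest("sha256", secret, sso_b64)
  return nil unless secure_equal?(sig, expected)
  CGI.parse(Base64.decode64(sso_b64)).transform_values(&:first)
end

# Build the local account from verified attributes. When the site setting says
# the provider's email is not trusted, the account starts inactive and gets an
# activation token that the forum emails out, exactly as for a local signup.
def build_account(attrs, trusts_email: SSO_TRUSTS_EMAIL)
  {
    external_id: attrs.fetch("external_id"),
    email: attrs.fetch("email"),
    username: attrs["username"],
    active: trusts_email,
    activation_token: trusts_email ? nil : SecureRandom.hex(16)
  }
end
```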
This conversation reminds me of another one - discourse is doing so much better at all of this and is getting better all the time, while other platforms (like wordpress) are not keeping with the times. So it may be worthwhile to make it easier to use discourse as the SSO source… as part of the wp-discourse wordpress plugin, for example.
But this idea of @plkap74 is also very interesting - why not just still keep that layer of validation in discourse so when the user comes over from the other site they can be verified again. Perhaps we could then also still benefit from other discourse features that we lose with SSO, like the invites system, which I sorely miss!
For web merchants (for example Qantas ticketing etc.) the email is just assumed to be good. If they have issues the customer will contact them via a call with an order ref.
They avoid the activation of email so they do not slow down the purchase flow. (same as we do on www.discourse.org/buy)
Assume it's the same issue for @plkap74 when people spend 800 bucks on X-Carve
For the purposes of discussion, how does single credit card payment work? Does a user pay for each post and that is their “identity”?
What I am getting at is that there has to be some kind of account with a valid email to do anything beyond “buy this single item and never be seen again”. For example, collecting mileage points on that Qantas ticket you bought.
The case described only works if the customer buys once and walks away forever. Or buys so infrequently that they do not care. Neither of those are scenarios where Discourse would be of any use to that business whatsoever.