Here's the deal:
-Flair pretty much demands a Facebook app
-I'm working on learning the Facebook platform

Therefore, I've written a dinky little Facebook app to embed your Flair into a box on the side of your profile. If you're interested and on Facebook, beware that this is very much a work in progress, prone to change and has a whole bunch of rough edges.

However, I don't have an elegant way to say "this is MY Stackoverflow profile" from this dinky app. My current solution is best demonstrated by this image. It is, frankly, idiotic; and there's nothing preventing impersonation.

Having no experience with OpenID, I'm wondering if there's some way (and some example of this way, please) to get a user to provide their Stackoverflow identity to a third party?


Behavior changed to that suggested by Noldorin's answer.
Request for a saner way to do this declined on UserVoice.

+10  A: 

There's no way to get a StackOverflow ID from OpenID and to do the opposite would be possible but unnecessarily complicated (compared to your suggested method). Copying and pasting the user ID/profile URL isn't terribly inconvenient, in my mind.

However, I can suggest some sort of solution to the issue of impersonation. This may seem like a slightly silly method, but it's the simplest way of which I can think to ensure that only the user themself can display the badge. Again, I don't think it's too inconvenient. (The more traditional method of using an email confirmation isn't possible, given that emails aren't public.)

  1. Have your Facebook app generate a random (alphanumeric?) code. Something in the form A8IO45QW6T should do.
  2. Hold this code on the server side of your Facebook app for a short time period (say, 5 minutes).
  3. Instruct the user to edit their About Me information by adding the given code to the last line, then to return to Facebook and confirm. Simple inspection of HTML for the profile page of the specified user would verify ownership. The user can then remove the verification code from their About Me text.

Nice idea creating this Facebook app, by the way. I may just give it a try!

Noldorin
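An added example (not code from the question or the answer) of the three-step challenge-code check in Python. The in-memory store, the Facebook user and profile identifiers, and the sample profile page are assumptions; the app would fetch the claimed profile URL itself and pass the HTML in.

```python
import html
import secrets
import time

CODE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CODE_LENGTH = 10            # e.g. A8IO45QW6T, the shape suggested in the answer
CODE_TTL_SECONDS = 5 * 60   # hold the code for about 5 minutes, as suggested

# Pending challenges keyed by (facebook_user, claimed_profile_url).
# Hypothetical in-memory stand-in for the app's server-side store.
_pending = {}


def issue_code(facebook_user, profile_url, now=None):
    """Step 1 and 2: create a random code for this claim, remember its deadline, return it."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    _pending[(facebook_user, profile_url)] = (code, now + CODE_TTL_SECONDS)
    return code


def verify_ownership(facebook_user, profile_url, profile_html, now=None):
    """Step 3: True if the unexpired code for this claim appears in the fetched profile page."""
    now = time.time() if now is None else now
    key = (facebook_user, profile_url)
    entry = _pending.get(key)
    if entry is None:
        return False                  # no challenge outstanding for this claim
    code, deadline = entry
    if now > deadline:
        del _pending[key]             # expired: the user must request a fresh code
        return False
    # Unescape entities so the code is found even if the profile page escaped it.
    found = code in html.unescape(profile_html)
    if found:
        del _pending[key]             # a code proves ownership once, then is discarded
    return found


if __name__ == "__main__":
    # Constructed sample: the user pasted the code on the last line of About Me.
    user, url = "fb-user-1", "https://stackoverflow.example/users/1"   # placeholders
    code = issue_code(user, url)
    page = "<div id='about-me'><p>Hi there.</p><p>%s</p></div>" % code
    print(verify_ownership(user, url, page))   # True
    print(verify_ownership(user, url, page))   # False: the code was single use
```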
I'll play around with this approach. One subtlety Facebook imposes on this design is that my code (PHP) isn't invoked when a profile is displayed (push model), and no embedded javascript is run until the user interacts with the box (thus the "click to see reputation" box thing).
Kevin Montrose
@Kevin: That "push mode" does seem rather strange. I'm sure I've seen Facebook apps that get around it somehow. Can't you execute code in the "onload" event?
Noldorin
Nope. From the Facebook dev wiki: 'In profile boxes, inline scripts are deferred until the first "active" event is triggered by a user. An active event is considered either onfocus, onclick, onmousedown, and so forth. Basically anything that requires a mouse click is an "active" event.' Anything you put on a Profile page is pretty restricted; once you move to Canvas pages or Boxes you have a lot more flexibility. It just doesn't make sense to post Flair anywhere but the profile, unfortunately.
Kevin Montrose
@Kevin: Won't a script block in head/body do the trick however?
Noldorin
Inline and linked scripts (in the body) are deferred, and app code doesn't provide the head tags on profiles. Facebook treats a user's profile page very differently when compared to application pages; if I was working anywhere in the apps.facebook.com domain all my javascript would run immediately. Of course there could be some secret dirty tricks to get around this, but I'm not aware of any.
Kevin Montrose
@Kevin: Oh, fair enough. At least you're in the same boat as all the other Facebook devs in this respect.
Noldorin
+2  A: 

Another solution that would allow for instant verification is hashing the email address and checking to see if it matches the user's Gravatar. Granted, not every user has provided an email address, but you can always perform this check first and if it fails you can fall back to the About Me section editing (or simply require that the user have an email address). This idea is not mine, so I'll let null explain:

Do you still have the source available? As I've gotten a solution to prevent other users from messing up your results. You just need to hash the email address used by the viewer and check for the gravatar image link on the page as outlined on the gravatar site. If the user id and image hash match, then record the change to the database, otherwise... just show results. I can make that change, but the source seems lost... :(

Kyle Cronin
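An added example (not the answer's or null's code) of the Gravatar check in Python, assuming Gravatar's documented hashing rule (trim whitespace, lowercase, MD5 of the UTF-8 bytes) and a constructed profile page with a placeholder address. As the comments that follow point out, a match proves the caller knows the address behind the avatar, not that they control the profile.

```python
import hashlib
import re


def gravatar_hash(email):
    """Gravatar's documented rule: trim, lowercase, then MD5 hex digest."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


# The 32-hex-digit hash inside a Gravatar image URL embedded in the page.
GRAVATAR_URL_RE = re.compile(r"gravatar\.com/avatar/([0-9a-fA-F]{32})")


def gravatar_hashes_on_page(profile_html):
    """All Gravatar hashes referenced by image URLs on the fetched profile page."""
    return {h.lower() for h in GRAVATAR_URL_RE.findall(profile_html)}


def email_matches_profile(email, profile_html):
    """True when the page embeds the Gravatar of this address (knowledge of the address only)."""
    return gravatar_hash(email) in gravatar_hashes_on_page(profile_html)


if __name__ == "__main__":
    # Constructed sample page; the address is a placeholder, not a real user's.
    page = '<img src="https://www.gravatar.com/avatar/%s?s=32">' % gravatar_hash("someone@example.com")
    print(email_matches_profile("  Someone@Example.com ", page))  # True: same address after normalisation
    print(email_matches_profile("other@example.com", page))       # False
```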
Also, emails are pretty easy to divine. For instance, Jon Skeet's email is probably '[email protected]', which is reachable with two clicks starting from his user profile. Combine this with Facebook not providing a mechanism to get raw* e-mail addresses for users, and it's waaay too easy for a user to impersonate another using this scheme.
*You can send e-mails to users using these weird proxified keys, which are app/user pairs and not transformable into the original e-mail.
Kevin Montrose
True enough. I suppose it depends on your goal - if you want someone to be able to prevent others from impersonating their SO profile on FaceBook, all the user needs to do is use a private and/or unique address. If you want to prevent all impersonation, you'll have to use another system.
Kyle Cronin
I'm definitely looking to prevent impersonation. Plus a user that has spread their gravatar-bound e-mail to the four corners of the internet would be pretty hard up if they wanted to now start using some super secret address, unless I'm missing something with how Stackoverflow's usage of gravatars works.
Kevin Montrose