
Using OpenID to prove Stackoverflow membership

Here's the deal:
- Flair pretty much demands a Facebook app
- I'm working on learning the Facebook platform

Therefore, I've written a dinky little Facebook app to embed your Flair into a box on the side of your profile. If you're interested and on Facebook, beware that this is very much a work in progress, prone to change and has a whole bunch of rough edges.

However, I don't have an elegant way to say "this is MY Stackoverflow profile" from this dinky app. My current solution is best demonstrated by this image. It is, frankly, idiotic; and there's nothing preventing impersonation.

Having no experience with OpenID, I'm wondering if there's some way (and some example of this way, please) to get a user to provide their Stackoverflow identity to a third party?


Behavior changed to that suggested by Noldorin's answer.
Request for a saner way to do this declined on UserVoice.
Kevin Montrose asked May 19 '09 19:05


2 Answers

There's no way to get a StackOverflow ID from OpenID and to do the opposite would be possible but unnecessarily complicated (compared to your suggested method). Copying and pasting the user ID/profile URL isn't terribly inconvenient, in my mind.

However, I can suggest some sort of solution to the issue of impersonation. This may seem like a slightly silly method, but it's the simplest way of which I can think to ensure that only the user themself can display the badge. Again, I don't think it's too inconvenient. (The more traditional method of using an email confirmation isn't possible, given that emails aren't public.)

  1. Have your Facebook app generate a random (alphanumeric?) code. Something in the form A8IO45QW6T should do.
  2. Hold this code on the server side of your Facebook app for a short time period (say, 5 minutes).
  3. Instruct the user to edit their About Me information by adding the given code to the last line, then to return to Facebook and confirm. Simple inspection of HTML for the profile page of the specified user would verify ownership. The user can then remove the verification code from their About Me text.

Nice idea creating this Facebook app, by the way. I may just give it a try!

Noldorin answered Oct 03 '22 23:10
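
The three steps from the answer above as server-side code, added here as an example; it is not part of the original answer or of the app's source. The class name, the `(app_user, profile_id)` key and the premise that the server has already fetched the claimed profile page and extracted its About Me text are assumptions.

```python
import re
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # uppercase alphanumerics, look-alikes dropped
CODE_LEN = 10              # same length as the answer's sample code
TTL_SECONDS = 5 * 60       # the answer's "say, 5 minutes"


class ProfileChallenges:
    """Pending codes held server-side, keyed by (app user, claimed profile id)."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}
        self._clock = clock

    def issue(self, app_user, profile_id):
        # secrets draws from the OS CSPRNG, so codes cannot be predicted.
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        # Binding the code to this exact claim stops it verifying any other pair.
        self._pending[(app_user, profile_id)] = (code, self._clock() + TTL_SECONDS)
        return code

    def verify(self, app_user, profile_id, about_me_text):
        """about_me_text: About Me text the server itself fetched from the
        claimed profile page; never accept it from the browser."""
        key = (app_user, profile_id)
        entry = self._pending.get(key)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[key]          # expired: user must request a new code
            return False
        # Match the code as a whole token of the About Me text.
        if code not in re.findall(r"[A-Z0-9]+", about_me_text):
            return False
        del self._pending[key]              # single use: a second confirm fails
        return True
```

Checking only the About Me field, rather than the whole profile page, keeps the proof tied to text the profile owner controls.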


Another solution that would allow for instant verification is hashing the email address and checking to see if it matches the user's Gravatar. Granted, not every user has provided an email address, but you can always perform this check first and if it fails you can fall back to the About Me section editing (or simply require that the user have an email address). This idea is not mine, so I'll let null explain:

Do you still have the source available? As I've gotten a solution to prevent other users from messing up your results. You just need to hash the email address used by the viewer and check for the gravatar image link on the page as outlined on the gravatar site. If the user id and image hash match, then record the change to the database, otherwise... just show results. I can make that change, but the source seems lost... :(

Kyle Cronin answered Oct 03 '22 21:10