Add MyMLH OAuth Integration

[jonmarkgo]

Is this a BUG REPORT or FEATURE REQUEST?

FEATURE REQUEST

I'd love to see a MyMLH integration for this (https://my.mlh.io/) - MyMLH is the OAuth 2 solution that MLH uses for the Hardware Lab and many hackathon registration systems. It makes it easier for hackers to sign up for more events without re-entering their data every time around.

[casassg]

Desired completion checklist:

• [ ] Easy way to enable integration by setting some environment variables with the Auth codes
• [ ] It should be optional to enable it
• [ ] It should skip email verification process as we can rely on MLH having a good email
• [ ] Should fill fields in user object: Email, full_name (first + last name concatenated).
• [ ] Should pre-fill fields in the Application object: Major, School, shirt size, dietary restrictions, gender.
• [ ] Should ask for a password once authentification for sign up has succeeded (to allow password login as well)
• [ ] Should allow to sign in with MyMLH if the account is linked (if account has not been created with MyMLH then we should probably avoid associating it for security issues)

Documentation for fields to be mapped

https://my.mlh.io/docs#scopes_reference

[qaisjp]

It should skip email verification process as we can rely on MLH having a good email

@jonmarkgo is it possible for someone to use MyMLH as an OAuth provider without activating their MyMLH account?

Should ask for a password once authentification for sign up has succeeded (to allow password login as well)

not sure this is really needed but it should be possible to go into your account settings later and set a password

Should allow to sign in with MyMLH if the account is linked (if account has not been created with MyMLH then we should probably avoid associating it for security issues)

I think it should flag it up and say "please enter your password to link accounts" so that there aren't duplicates

[casassg]

@qaisjp do you mean if someone is capable of using MyMLH without having their email verified?

I like the set password later approach as well. My only concern is making the UI more complicated than needed. We could add a button in the Dashboard (after finished application) to set the password. I rather avoid having to stuff more links in the navbar, to be honest. The other option would be to have a drop down menu instead of the logout button and have it as an option there Set password.

I like the password to link approach as well. We need to think how to make this properly without filtering information that we have. I would suggest doing something like: Seems that the email this@that.com has already registered. Do you mean to link this accounts?

The other option would be to have MyMLH only as a signup option. Make password mandatory and only use it to fill the application at the beginning. This would reduce considerably the amount of dependency between the systems. Log in would still be done through password and email as usual, reducing the chances of having security leaks due to bad coordination between them.

[qaisjp]

do you mean if someone is capable of using MyMLH without having their email verified?

yeah

My only concern is making the UI more complicated [...] The other option would be to have a drop down menu instead of the logout button and have it as an option there Set password.

I agree about keeping the UI simple. I like the drop-down menu idea

The other option would be to have MyMLH only as a signup option. Make password mandatory and only use it to fill the application at the beginning. This would reduce considerably the amount of dependency between the systems. Log in would still be done through password and email as usual, reducing the chances of having security leaks due to bad coordination between them.

I think whatever is chosen we should be consistent with third party providers. Would we want GitHub to only be for registration?

[jonmarkgo]

It should skip email verification process as we can rely on MLH having a good email

@jonmarkgo is it possible for someone to use MyMLH as an OAuth provider without activating their MyMLH account?

Yes, it is possible to OAuth with MyMLH before you have confirmed your e-mail.

[casassg]

Is there any chance to get that info from the API? (to see if a user's email is verified or not)

Even though it would not be too problematic, we could also make email verification on our end.

[jonmarkgo]

I'll ask, @theycallmeswift could give more context - my guess is in the short term you'd be better off confirming on your end