scripting / a8c-FeedLand-Support

A public repo for discussing FeedLand at A8C.

WordPress identity #36

Open scripting opened 11 months ago

scripting commented 11 months ago

I just wrote a blog post about this transition.

https://daveblogproduction.wpcomstaging.com/2023/11/01/transitioning-to-wordpress-identity/

The code wasn't as hard to write as explaining it will be, to current users.

To new users, it'll be easy -- Log on with WordPress.

I want to answer questions here, respond to feedback, and whatever else.

I think the plan works, but not 100% sure.

scripting commented 11 months ago

Okay I think I'm coming around to the idea that when you log on with an account that has an email address that's already being used that we should just log you into that account.

The theory being that your email address was verified in both contexts.

  1. WordPress validated your email address.
  2. FeedLand also validated the same email address.

So we might as well go ahead and just join the two and save ourselves the trouble of having to do it later.

The only problem is this -- and it may not be a problem, so think this through with me.

  1. My WordPress account name is scripting.
  2. My FeedLand account is named davewiner.

The screenname is the key in the FeedLand users table.

I guess we'd just stay with the original name and ignore the WordPress name. There's no reason they have to agree.

And we have a place to store the WordPress username, and all the other data we get back from the /me call.

This is the info we get back from WordPress, along with the accessToken which we already save in the user record.

{
    "idUser": 21807,
    "name": "Dave Winer",
    "username": "scripting",
    "email": "dave.winer@gmail.com",
    "idPrimaryBlog": 9969399,
    "urlPrimaryBlog": "http://unberkeley.wordpress.com",
    "whenStarted": "2005-11-21T15:45:53.000Z",
    "ctSites": 30
}

scripting commented 11 months ago

These were some comments from @cagrimmett yesterday --

I wonder if we can skip the decommissioning of old accounts by matching email addresses.

For example, here is how WordPress login works on self-hosted WP sites:

And how about only adding the wp- prefix if there is already that username associated with a different email? Having all usernames prefixed with wp- by default solves an immediate problem but might seem strange in a year.

scripting commented 11 months ago

I'm getting ready to change the implementation.

The one difference in my plan and @cagrimmett's is that we don't add wp- in front of the username to form the screenname if the name is already being used. I don't want the wp- stuff to show through in the user experience. I found it very jarring, forget about one year from now, I felt that way right now.

I don't think this is going to be a problem because on feedland.org, everyone is using email identity, and having a way to get in via WordPress could either be a way of creating a new account (if the email addresses are different) or having a faster way to log in to your existing account.

And on the A8C server, WordPress login is, at least for now, going to be the only way to log in. So it'll never happen.

Why make WordPress login the one way:

  1. It makes logging in simpler than it was with email. You don't have to do anything other than click a button, compared to the current onboarding experience which involves choosing a name and entering a unique email address and then getting the email and coming back to FeedLand. In comparison, WordPress login is two clicks. And you don't have to go anywhere.
  2. I really didn't want to do identity. I don't think apps like FeedLand should. So this is philosophically consistent.
  3. I am betting that A8C will do better than Twitter did.
  4. I am hoping to influence A8C to make storage part of the identity package. The only way I can influence that is by using it in my product.
  5. And probably the most obvious reason -- if I want people to feel like this is an A8C product, then this is how we do it. ;-)

To be totally clear, if the username already exists as a FeedLand screenname, we reject the login.

scripting commented 11 months ago

The new version is ready. Just feedland updated, v0.6.12.

I have only been able to test using an existing account, because I haven't been able to change the email address on the account, I'm not able to present a new account. It would be helpful if someone could try that out and report if it works.

I'm going to delete all accounts on feedland.org that have the wp- prefix. We probably should do that on A8C as well.

This is the right way to go. No disruption. Thanks for putting that out there @cagrimmett.

cagrimmett commented 11 months ago

a8c.feedland.org is now running v0.6.12!

cagrimmett commented 11 months ago

@scripting I set up a new WordPress.com account to test setting up a new account with a fresh email address on feedland.org. I did not run into any issues. The new account I set up with Log in with WordPress on feedland.org is cagrimmett2dc0ebe458

I was able to set up the new account, log out, and log back in with no problems. Then I was able to use the standard email login flow with that email address. Everything working smoothly so far.

cagrimmett commented 11 months ago

After updating to v0.6.12 on a8c.feedland.org, I tried Log in with WordPress.com and am getting this error: Can't connect the user because the secret code doesn't match the one we sent.

It eventually goes away and logs me in after refreshing that error screen a few times.

This error does not happen on feedland.org.

cagrimmett commented 11 months ago

More testing: Using Log in with WordPress when there is already a username on a FeedLand instance that matches my WordPress.com username, but does not match my email address, results in the message: "Can't create the user "cagrimmett" because there already is a user with that name."

I think that is expected and makes sense 👍

scripting commented 11 months ago

@cagrimmett -- that's all working as it's supposed to. thanks.

Re: Can't connect the user because the secret code doesn't match the one we sent.

That's caused because I didn't log you off before connecting with WordPress, in the first version of feedlandHome that had that command. Later I added code to log you off. I suspect you were running the earlier code when you got that message on A8C.
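
The login decision this thread settles on (match on email, keep the existing screenname, reject a username collision instead of adding a wp- prefix), as an added example that is not part of the thread and not FeedLand's own code. The function names, the in-memory table, the `emailVerified` flag and the example.com addresses are assumptions made for illustration.

```javascript
// Added example; not FeedLand's code. The table is a constructed stand-in for
// the FeedLand users table, keyed by screenname as described in the thread.
function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

function findByEmail(table, email) {
  const wanted = normalizeEmail(email);
  for (const user of table.values()) {
    if (normalizeEmail(user.email) === wanted) return user;
  }
  return null;
}

// wpInfo has the shape of the /me data shown in the thread. emailVerified is a
// hypothetical flag: the merge is only sound if the provider verified the address.
function resolveWordPressLogin(table, wpInfo, emailVerified) {
  if (!emailVerified || !wpInfo.email) {
    return { action: "reject", reason: "email address not verified" };
  }
  const existing = findByEmail(table, wpInfo.email);
  if (existing) {
    // Same verified email: log into that account and keep its screenname.
    existing.wordpress = { ...wpInfo };
    return { action: "login", screenname: existing.screenname };
  }
  if (table.has(wpInfo.username)) {
    // Name taken by an account with a different email: reject, no wp- prefix.
    const reason = `Can't create the user "${wpInfo.username}" because there already is a user with that name.`;
    return { action: "reject", reason };
  }
  const email = normalizeEmail(wpInfo.email);
  table.set(wpInfo.username, { screenname: wpInfo.username, email, wordpress: { ...wpInfo } });
  return { action: "create", screenname: wpInfo.username };
}

// Constructed sample data covering the cases tested in the thread.
function demo() {
  const table = new Map([
    ["davewiner", { screenname: "davewiner", email: "Dave@Example.com" }],
    ["cagrimmett", { screenname: "cagrimmett", email: "chuck@example.com" }],
  ]);
  return [
    resolveWordPressLogin(table, { username: "scripting", email: "dave@example.com" }, true),
    resolveWordPressLogin(table, { username: "cagrimmett", email: "other@example.net" }, true),
    resolveWordPressLogin(table, { username: "newuser", email: "new@example.org" }, true),
    resolveWordPressLogin(table, { username: "someone", email: "dave@example.com" }, false),
  ];
}
```

The last case in `demo` shows why the verified-email premise matters: without it, anyone presenting a matching address would be logged into the existing account.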