Topic on User talk:Tgr (WMF)/external login

Personally I think the biggest issue will be determining how and which external login providers we support. We should establish criteria that all external login providers must meet, and then a process for adding new ones (are we going to require a minimum number of users before adding a service?, etc.). And how we display them on the login/create account pages themselves..do we want to make the most popular ones more prominent (Google, Facebook, etc.) or can we be neutral and just alphabetize them or something..

As a start, I think we should only be supporting login providers that use a standardized auth mechanisms (OAuth, OpenID, etc.), no proprietary protocols.

And RIP Persona :(

Yeah, it's a shame Persona did not work out. As for choosing a login provider, IMO no need to overthink it, just pick the biggest one and you get most of the benefit for the least amount of debate and development cost. Google and Facebook are the obvious choices (both have around 1B monthly active users, with all competitors lagging far behind); given that Facebook is arguably more misaligned with Foundation values and definitely more disliked, and that GoogleLogin is better maintained than the Facebook alternatives, I think we should go with Google. (Also it would be more interesting for the Android app.) If some community wants a different provider that's more popular in their geography, that can be discussed later on a ony-by-one basis.

I suspect the biggest technical blocker to enabling a new service will be "someone needs to write a PrimaryAuthenticationProvider for the new service".

I looked for stats and the closest thing I found is this PDF (via here). It has a fair amount of self-promotion and limited to the users of a certain social login/share plugin, but claims Facebook is quite a bit more popular than Google for login (the runners-up being Twitter and LinkedIn). Also, "80% of users dislike traditional registration forms and 73% prefer to log in using their social accounts" although again, they have an interest in promoting social login + unclear how they got the numbers.

Just found out (through the accident of a friend) that this antifeature is still in effect. Unless it can be verified that it cannot be used for OAuth, we definitely need to stay away from Facebook.