Sign In With Twitter is Weird

I selected Sign In With Twitter here on the elgg site. It took me to the twitter access page. I selected sign in. Next I got a page that said I must enter an email address and other data, if I want to use the Log-in fields of the site. I did not enter any email address or anything else and selected "Forget It" on the bottom of the right hand page.  I just set up a new account. But it never asked me what my twitter id was. It just somehow knew. Now I have 2 elgg accounts -1) this one and 2) another new one tied to my twitter account. To me, this all seemed very odd. There was no way to back out once I selected signup.

So, I set up this plugin in one of my sites. It did the same thing. For the field "Allow new users to signup with twitter..." I chose "NO".  But I still was able to do the same thing. I signed up a 2nd account doing the same thing as above.

To me somehow this feels a bit insecure. Anyone can set up a twitter account and then link it to an elgg account without even entering an email address in the elgg member profile.

I think maybe I'm not understanding how this signup is supposed to work for new users, and I really don't understand by selecting "allow new users to signup..." to NO, but still new users can sign up, even without entering an email address -- so I guess I'm just confused about this.

Does anyone know if this is broken or if this is the way it's supposed to work?

Select "Sign In With Twitter" without setting twitter in your user account - what happens?  How, when I did this, did it know my twitter account? Was it because I was in the twitter account prior to trying this test and somehow the id was saved in cache? How come there was no checking, especially being able to set up the account without an email address?

It seems odd to me. Any advice?

  • Followup -- Well interesting, I just saw this. When I signed in with my Twitter account and selected tools, ...

    "Link your The Elgg Community account with Twitter.

    You cannot unlink you account with Twitter because you haven't provided an email address or password. Provide them now. "

    Thinking out loud ... so if someone signs up with their twitter account, everything works the same as if they signed up re the registration form, but they don't have to verify their registration re email. Hmmm.

    I guess that's ok - the thing that seems a bit screwy is that folks could easily mistakenly set up two accounts.

    1) The regular way using the registration form and

    2) Selecting "Sign In with Twitter"

    It's confusing.

    I think it would be useful if folks were not allowed to sign up a new account via Twitter and only tie their twitter account to their elgg account using the tools section -- but there doesn't seem to be a way to do that.

    Thoughts? Advice?

  • it never asked me what my twitter id was. It just somehow knew.

    Elgg uses OAuth to establish a link between Twitter and this site. That's why it redirects you to Twitter, then back to Elgg. When you authorize Elgg on Twitter's site, you're telling Twitter to send some of your data over (including your Twitter username) and that you have successfully authenticated for Twitter, so Elgg should log you in.

    I got a page that said I must enter an email address and other data, if I want to use the Log-in fields of the site.

    "Link your The Elgg Community account with Twitter.
    You cannot unlink you account with Twitter because you haven't provided an email address or password. Provide them now. "

    The interstitial page ("Please create a username and password") is so you can login if Twitter goes down, or if you delete your Twitter account. You can't unlink Twitter from your account if you don't provide this information because you would have no way to login if you did that.

    Now I have 2 elgg accounts -1) this one and 2) another new one tied to my twitter account. To me, this all seemed very odd.

    That's because you registered in two different ways. It's like registering with a second email address. The system has no idea that you are the owner of both email addresses. There might be logic to use an existing account if a user enters an existing email address on the interstitial page. If not, it would make a good addition.

    There was no way to back out once I selected signup.

    Twitter asks you if you want to authorize Elgg. If you say no, it cancels the registration process.

    To me somehow this feels a bit insecure. Anyone can set up a twitter account and then link it to an elgg account without even entering an email address in the elgg member profile.

    so if someone signs up with their twitter account, everything works the same as if they signed up re the registration form, but they don't have to verify their registration re email. Hmmm.

    Email is used to verify accounts. When you sign in with Twitter, Twitter is used to verify the account. It's no more or less secure.

    So, I set up this plugin in one of my sites. It did the same thing. For the field "Allow new users to signup with twitter..." I chose "NO".  But I still was able to do the same thing. I signed up a 2nd account doing the same thing as above.

    I think it would be useful if folks were not allowed to sign up a new account via Twitter and only tie their twitter account to their elgg account using the tools section -- but there doesn't seem to be a way to do that.

    It's a bug if you were able to create a new account with Twitter registration disabled. Please open a Trac ticket so we can investigate.

  • @Brett Thank you for your time and expertise. I understand more now. Yet it's still confusing. I'm positive my users will be as confused as I. I realize it is like setting up a 2nd account, like with a 2nd email, the difference is that no one would ever set up the 2nd account with a 2nd email unless they did it on purpose. Signing up with a Twitter account, to me, becomes more of a mistaken second account than one that is done on purpose.

    I think it would be good for a user to be forced to enter an email address before reaching Twitter and then ask if they want to link the twitter account to their current elgg account or they want to set up a 2nd account. Or, if not entering an email address, at least ask if they want to link it to a current account, and if they say yes, then offer a small explanation of how to do that via setup.  At least then the twitter tie is their choice not forced upon them with a new account.

    I haven't tried yet, but I wonder now what will happen if I try to link my current account to twitter. I assume it will still work? And I'll then have two accounts tied to twitter?

    I'll double and triple check the Twitter registration disable on several of our installations. Maybe something was stuck in cache during my testing. I'll be sure it doesn't work before opening a Trac ticket.

    Anyone else have any experience with this? Does the Twitter registration disable work for you?

  • Every implementation of 3rd party logins I've seen has a similar flow. I think forcing users to provide an email address defeats the purpose of signing in with Twitter. The idea is you're already logged in with Twitter, click the sign in button, click authorize, and now you're signed into the Elgg site. I think your confusion comes from an assumed dependency on email for user accounts. Maybe changing the text from "Sign in with Twitter" to "Register or Log In with Twitter" would make this clearer.

  • I think the terminology is ok. Just a misunderstanding on my part. Today when I selected "Sign in with Twitter" I had to enter either an email address or my twitter id and the password, and then sign in. That's ok. I didn't have to do that yesterday. I guess I must have already been signed in to twitter and the system knew me so it didn't ask those questions. Thanks for your help. I think I now have a better feel for it. Thanks again.

  • Something new. I entered my regular account. Selected Settings/Configure your tools, selected authorize and then entered my twitter account and password, finally selected authorize app. I was returned to an elgg page that said, "Sorry. We could not find the page that you requested."

    Now, whenever I select Settings/Configure tools and then authorize, the twitter userid/password screen is gone and all I can select is the button Authorize app. When I press it, I'm returned to the "Sorry, We could not find..." elgg error page. Also when I select "Cancel, and return to app" I am returned to the same "Sorry, We could not find..." error page.

    One more thing - I selected the No, thanks button, and got a message that said that I denied the Elgg community access.. and then selected Return to Elgg button, got the same "Sorry, We could not find..." error page. But, when I selected Go to Elgg home page, it worked ok.

    It seems to me that by getting the "Sorry, We could not find..." error page in such a consistent manner, something doesn't appear to be set up correctly. Or did all this occur because I already have the twitter account linked to my other elgg/twitter account, or are there bugs causing all this?

    When I go back and think about my original message and my original confusion, I remember something similar happening but I just fluffed it off then because I didn't know what I was doing. And then I started questioning how this worked - because I didn't understand. But now that I think about it, maybe all my confusion was caused by this same error. Remember -- the first thing I questioned above was why this never asked for my twitter account and password. -- that's what started my confusion. Well, now that I think about it, I think maybe it did ask for my twitter account, but only once, and then I got stuck in this error loop as I have today.

    All I know is that none of this today makes any sense, although it now does make some sense why I was having the problem a few days ago and I was so confused.

    Why wasn't my Twitter account properly linked to elgg? And why, when it wasn't, am I now stuck in a loop that I can't get out of? And why do I continue to get the "Sorry, we could not find..." error page?

    Something ain't right?

    Note: This is with the elgg site here, not my elgg sites.

  • Ron,

    I've been following your discussion with interest. I've been wrestling with the same issue, but with Google login rather than Twitter. For our product, we detected that the confusion occurs because users click the "login with xxx" which not only logs them in, but creates an account - even if they already have an account. Users were unaware that they were creating a new account. They kept asking where their old content was... 

    We solved the problem by creating two different paths - one for "login with xxx" and another for "register with xxx". This seems to have helped our users. On the login form, they can login either way - but if they try to login with twitter (or google) and do not have an account it never registers them. Instead, we prompt them to create one using the register form or to link their account using the configure tools page. On the register form they can register either way. And, using the configure tools, they can link their account after the fact. 

    It's still complicated but separating login from registration seems to help.

  • Jimmy, Haven't done anything with Google login so I can't comment on that, but it sounds like it's got similar problems. I really don't know the answer, it all just seems that it's too easy for users to make mistakes and/or be confused. I sure know it's confused me. I like the idea of making it easier for users to log in via Twitter or Facebook, and I have used other services that do that, but this implementation seems to bring the opposite reaction. We've disabled the plugin for now. That's the least path of resistance. Jimmy, thanks for your input. Good knowing I'm not alone.
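The split Jimmy describes (a login button that never registers, a register button that never duplicates, and linking only from an authenticated settings page), together with the two rules Brett gives (a declined authorization cancels the flow, and Twitter cannot be unlinked while it is the account's only credential), can be written as a small state machine around the provider callback. The following is an added example for this thread, not code from Elgg or its Twitter plugin; the `Site` class, its in-memory user store, the `register_form` helper and the shape of the provider payload are assumptions made for illustration, and Twitter itself is modelled as an opaque dict handed back after the redirect so the code runs offline. It also binds each outstanding request token to the intent and session that issued it, so a stray or replayed callback cannot create or link an account, and it enforces the "allow new users to sign up with Twitter" setting at the point where the account would be created.

```python
"""Callback handling for a third-party sign-in, split into login / register / link.

Added example for this thread; not code from Elgg or its Twitter plugin.
The Site class, its user store and the provider payload shape are assumed.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    id: int
    username: str
    email: Optional[str] = None            # None if the interstitial was skipped
    password_hash: Optional[bytes] = None
    twitter_id: Optional[str] = None


class LinkError(Exception):
    """Raised when a flow is started or finished in an invalid state."""


class Site:
    def __init__(self, allow_twitter_registration: bool = True):
        self.allow_twitter_registration = allow_twitter_registration
        self.users: Dict[int, User] = {}
        # one-time token -> (intent, session user id at the time the flow started)
        self.pending: Dict[str, Tuple[str, Optional[int]]] = {}

    # --- ordinary form registration, for comparison ------------------------
    def register_form(self, username: str, email: str, password: str) -> User:
        salt = secrets.token_bytes(16)
        digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
        user = User(len(self.users) + 1, username, email, salt + digest)
        self.users[user.id] = user
        return user

    # --- step 1: a button was clicked ---------------------------------------
    def start(self, intent: str, session_user_id: Optional[int] = None) -> str:
        """Bind a one-time token to the intent and the current session.

        The token is what would travel to the provider as the request token;
        binding it here means a callback can only complete the flow that issued
        it, so a stray or replayed callback never registers or links anyone.
        """
        if intent not in ("login", "register", "link"):
            raise LinkError("unknown intent")
        if intent == "link" and session_user_id is None:
            raise LinkError("linking requires a logged-in session")
        if intent != "link" and session_user_id is not None:
            raise LinkError("already logged in; use the link flow instead")
        token = secrets.token_urlsafe(16)
        self.pending[token] = (intent, session_user_id)
        return token

    # --- step 2: the provider redirected back --------------------------------
    def callback(self, token: str, provider: dict) -> Tuple[str, Optional[User]]:
        """Finish the flow. Returns (status, user) for the controller to render.

        `provider` is either {"denied": token} (the user clicked "No, thanks")
        or {"twitter_id": ..., "screen_name": ...} as returned by the provider.
        """
        entry = self.pending.pop(token, None)      # single use: a replay fails loudly
        if entry is None:
            raise LinkError("unknown or already-used oauth token")
        intent, session_user_id = entry
        if "denied" in provider:
            return "cancelled", None                # render a real page, not a 404
        twitter_id = provider["twitter_id"]
        existing = self._by_twitter(twitter_id)

        if intent == "login":
            # The login button never creates an account.
            return ("logged_in", existing) if existing else ("no_account", None)

        if intent == "register":
            if existing:
                return "already_registered", existing   # log in, don't duplicate
            if not self.allow_twitter_registration:
                return "registration_disabled", None    # setting enforced here
            return "registered", self._create_from_twitter(provider["screen_name"], twitter_id)

        owner = self.users[session_user_id]         # intent == "link"
        if existing and existing.id != owner.id:
            return "linked_elsewhere", existing     # that Twitter id is already taken
        owner.twitter_id = twitter_id
        return "linked", owner

    def unlink(self, user_id: int) -> None:
        """Refuse to drop the only credential the account has."""
        user = self.users[user_id]
        if not (user.email and user.password_hash):
            raise LinkError("set an email and password before unlinking Twitter")
        user.twitter_id = None

    # --- helpers --------------------------------------------------------------
    def _by_twitter(self, twitter_id: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.twitter_id == twitter_id), None)

    def _create_from_twitter(self, screen_name: str, twitter_id: str) -> User:
        taken = {u.username for u in self.users.values()}
        username = screen_name if screen_name not in taken else f"{screen_name}_{twitter_id}"
        user = User(len(self.users) + 1, username, twitter_id=twitter_id)
        self.users[user.id] = user
        return user
```

With `allow_twitter_registration=False`, a "register" callback for an unknown Twitter id returns `registration_disabled` and leaves the user table untouched; a "login" callback for the same id returns `no_account`, so the controller can direct the person to the register form or the link page rather than silently minting a second account. Each token is consumed on first use, which is also what turns the "Sorry, we could not find..." loop Ron describes into a clear error instead of a callback that keeps re-running.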

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.