I am trying to build a simple OpenID login panel similar to how Stack Overflow's works. The goal is:
User clicks OpenID/Oauth provider
OpenID/Oauth stuff happens, we end up with the result (already made that)
Then we want to confirm that the user wants to actually create a new account (vs. associating account with another OpenID account).
In StackOverflow, they keep a hidden field
on a form that looks like this:
<form action="/users/openidconfirm" method="post">
<p>This is an OpenID we haven't seen
on Stack Overflow before:</p>
<p class="openid-identifier">https://me.yahoo.com/a/some-hash</p>
<p>Do you want to associate this OpenID with your Stack Overflow account?</p>
<div>
<input type="hidden" name="fkey" value="9792ab2zza1q2a4ac414casdfa137eafba7">
<input type="hidden" name="s" value="c1a3q133-11fa-49r0-a7bz-da19849383218">
<input type="submit" value="Associate OpenID">
<input type="button" value="Cancel" onclick="window.location.href = 'http://stackoverflow.com/users/169992/viatropos?s=c1a3q133-11fa-49r0-a7bz-da19849383218'">
</div>
</form>
Initial question is, what are those hashes fkey and s? Not that I really care what these specific hashes are, but what it seems like is happening is they have processed the openid response and saved it to the DB in a temporary object or something, and from there they generate these keys, because they don't look like Oauth keys to me.
Main situation is: after I have processed OpenID/Oauth responses, I don't yet want to create a new user/account until the user submits the "confirm" form. Should I store the keys and tokens temporarily in a "Confirm" form like this? Or is there a better way? It seems that using a temp database object would be a lot of work to manage properly.
Thanks for the help.
Lance
