Authentication FAQ
What's going on here?
iDigBio is trying out an authentication scheme we call "Social Authentication". This means that instead of requiring a username and password to log in, you can use one of the accounts you probably already have to sign in.
How does all this work?
When you click the sign in link, we redirect your browser to a special URL for each provider. This URL asks the provider to sign you into your account if you're not signed in already. Your provider then looks to see if you've previously indicated that you trust iDigBio, and if you haven't, the provider asks you if you want to trust us. Once you've agreed to the trust relationship, the provider sends you back to our website with a unique identifier that we can use to associate your provider account with your iDigBio account.
Is this safe?
Yes. iDigBio never sees your provider username and password, and all communication with the provider is done via standards-compliant communication channels. The communities developing these standards have put a lot of effort into them to make sure that they are both secure and pass only the minimum amount of information necessary to complete the transaction. The providers are also supposed to provide you the ability to cancel a trust relationship at any time, so you could in theory disassociate your provider account from iDigBio without even visiting our site.
I was asked to provide you access to X. What do you need that for?
Many of the provider interfaces we're using were designed to allow developers to create applications that interact with your provider account for you. iDigBio requests the minimum permissions possible when connecting to your account, but sometimes this can still seem like a lot of access. Rest assured, iDigBio values its relationships with the community and the only thing we use this access for is authentication. The standards we're using for communication also require the user to be currently logged in for any account access, so if you're not currently logged in to iDigBio it's impossible for us to do anything.
Different providers give us different levels of default access, so if you're still uncomfortable with the level of access we'd get from a specific provider, you can use a different provider, or simply use a username and password to sign in instead. The whole idea behind Social Authentication is to allow you flexibility with the way you identify yourself to us so that you can do whatever is most comfortable for you.
If I use my Google account for authentication, can I use a different email address as my preferred contact method?
Yes. iDigBio has attempted to make the account creation process as intuitive as possible and automatically populates the "email" field required at registration with the Gmail address of the trusted Google Account. At any time, you can edit your preferred contact method by visiting https://www.idigbio.org/auth/register.php while logged into iDigBio.org.
Also, iDigBio will never overwrite the "email" field of a previously created account that is merely adding a Social Identifier.
How many identifiers can I have?
You can have any number of Social Identifiers associated with your iDigBio account, including multiple accounts per provider.
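The linking rules described in this FAQ (a provider-issued identifier mapped to an iDigBio account, any number of identifiers per account, and an "email" field that is filled in at registration but never overwritten when an identifier is added) can be modelled as below. This is an added example, not iDigBio's or HybridAuth's code; the class, its methods, the "OtherProvider" name and all sample identifiers are assumptions made for illustration, as is the choice to key lookups on the (provider, identifier) pair.

```python
# Added illustration, not iDigBio's or HybridAuth's code; every name is hypothetical.
class AccountStore:
    def __init__(self):
        self.emails = {}       # account_id -> preferred contact email
        self.identities = {}   # (provider, identifier) -> account_id
        self._next_id = 1

    def sign_in(self, provider, identifier):
        """Resolve a provider callback to an account id, or None if unlinked.
        Assumption: the key is the (provider, identifier) pair, never the email."""
        return self.identities.get((provider, identifier))

    def register(self, provider, identifier, provider_email):
        """Create an account; email is pre-filled from the provider profile."""
        if (provider, identifier) in self.identities:
            raise ValueError("identity is already linked")
        account_id, self._next_id = self._next_id, self._next_id + 1
        self.emails[account_id] = provider_email
        self.identities[(provider, identifier)] = account_id
        return account_id

    def add_identifier(self, account_id, provider, identifier, provider_email=None):
        """Link one more identity to an existing account.
        provider_email is ignored so the stored email is never overwritten."""
        if account_id not in self.emails:
            raise KeyError(account_id)
        owner = self.identities.get((provider, identifier))
        if owner not in (None, account_id):
            raise ValueError("identity is linked to a different account")
        self.identities[(provider, identifier)] = account_id

    def set_email(self, account_id, email):
        """Explicit edit by the signed-in user (the register.php step in the FAQ)."""
        if account_id not in self.emails:
            raise KeyError(account_id)
        self.emails[account_id] = email


def demo():
    store = AccountStore()
    # Constructed sample identities; none are real accounts.
    acct = store.register("Google", "g-1001", "alice@gmail.example")
    store.set_email(acct, "alice@museum.example")
    store.add_identifier(acct, "Google", "g-2002", "alice.alt@gmail.example")
    store.add_identifier(acct, "OtherProvider", "p-77")
    return {
        "email": store.emails[acct],
        "second_google": store.sign_in("Google", "g-2002") == acct,
        "other": store.sign_in("OtherProvider", "p-77") == acct,
        "same_id_other_provider": store.sign_in("OtherProvider", "g-1001"),
    }
```

Because the lookup key includes the provider, an identifier string issued by one provider does not resolve to an account when it is presented by a different provider.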
How are you doing all this?
The provider authentication logic is provided by a PHP library called HybridAuth (http://hybridauth.sourceforge.net/). At its core, HybridAuth is a wrapper around the OpenID (http://openid.net/) and OAuth (http://oauth.net/) protocols.
Other notable technologies that we're employing are Twitter's Bootstrap (http://twitter.github.com/bootstrap/) CSS framework and the Less (http://lesscss.org/) CSS pre-processor.