- Login should take an email and password combination
- Validate the input effectively, with a suitable password pattern
- Make a request to the Provider for server-side validation and persistent token exchange
Authentication should include the following:
- CSRF headers in authentication requests to prevent forgery
- http://en.wikipedia.org/wiki/Cross-site_request_forgery
- Auth state persistence through signed cookies
- Global (singleton) session model in the client whose state changes can be listened to
- Client-side + Server-side model validations
- Salt/hashing of passwords for back-end storage
- Communication on this form should happen over HTTPS.
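As an added example (not code from the original spec or any project it describes), the sketch below shows a client-side singleton session model that ties together the client-side validation, CSRF header and listenable-state requirements listed above. The names `Session`, `getSession`, `CSRF_HEADER`, the `/auth/login` path, the injected `fetchImpl` and the password pattern are all assumptions chosen for illustration.

```javascript
// Added example: singleton client session implementing the login flow above.
// CSRF_HEADER, /auth/login, the regexes and fetchImpl are assumptions.
const CSRF_HEADER = "X-CSRF-Token";
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Assumed password pattern: at least 10 characters, one letter and one digit.
const PASSWORD_RE = /^(?=.*[A-Za-z])(?=.*\d).{10,}$/;

// Client-side validation mirrors, but never replaces, the server-side checks.
function validateCredentials(email, password) {
  const errors = [];
  if (!EMAIL_RE.test(email)) errors.push("email");
  if (!PASSWORD_RE.test(password)) errors.push("password");
  return errors;
}

class Session {
  constructor({ fetchImpl, csrfToken }) {
    this.fetchImpl = fetchImpl;  // injected so the flow can run offline in tests
    this.csrfToken = csrfToken;  // anti-forgery token the server rendered into the page
    this.state = { authenticated: false, user: null };
    this.listeners = new Set();
  }
  // Anyone in the client can observe state changes; returns an unsubscribe function.
  onChange(fn) { this.listeners.add(fn); return () => this.listeners.delete(fn); }
  setState(next) { this.state = next; this.listeners.forEach((fn) => fn(next)); }
  async login(email, password) {
    const errors = validateCredentials(email, password);
    if (errors.length) return { ok: false, errors };  // no request on invalid input
    const res = await this.fetchImpl("/auth/login", {
      method: "POST",
      credentials: "same-origin",  // lets the signed session cookie round-trip
      headers: { "Content-Type": "application/json", [CSRF_HEADER]: this.csrfToken },
      body: JSON.stringify({ email, password }),
    });
    if (!res.ok) return { ok: false, errors: ["server"] };  // server-side validation failed
    const { user } = await res.json();
    this.setState({ authenticated: true, user });
    return { ok: true, errors: [] };
  }
  logout() { this.setState({ authenticated: false, user: null }); }
}

// Singleton: the whole client shares one session instance.
let instance = null;
function getSession(opts) {
  if (!instance) instance = new Session(opts);
  return instance;
}
```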