1. The parameter orion.auth.registration.uri (web-ide.conf) seems never used except for the function org.eclipse.orion.client.ui/web/mixloginstatic/_javascript_/common.js:checkUserCreationEnabled() but it is only checked if it is set (if just prevents a redirection).
I think you are right. This was probably broken when the new login page landed some time ago. When user creation is disabled (orion.auth.user.creation=admin) and the registration page is off site (orion.auth.registration.uri=...) then I would expect landing.html to link to the off-site registration page. That doesn't happen -- instead it still offers the integrated registration form, but when you fill it out it just says "Forbidden access". I opened a bug:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=476601
2. The implementation of
org.eclipse.orion.client.ui/web/plugins/authenticationPlugin.js:registerServiceProviders().getUser()
seems messed up. The return value is expected to be a promise but
when it is resolved, a dictionary object gets assigned to the variable
loginData and sometimes the function returns a dictionary
The auth service is designed to be called through the Service Registry, which normalizes every return value into a promise. So the fact that this function sometimes immediately returns a loginData object, and sometimes a promise (which yields a loginData object when .then()'d) should not matter: the client must interact with the return value as a promise regardless. The error handling does look broken though: it apparently returns errors through the "resolve" channel rather than reject, which is weird.
Mark