[OpenID] Relying Party Best Practices

Simon Willison simon at simonwillison.net
Wed Mar 7 23:42:09 UTC 2007

On 3/7/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> I created this page on the wiki ages ago but never really did much to
> promote it. I just added a few more items of my own, and restructured it
> a little bit:
>      <http://openid.net/wiki/index.php/Relying_Party_Best_Practices>
> My thinking is that we could produce a bunch of best practices organised
> into different "quality levels", which would hopefully cause sites to
> aim towards maximum quality wherever possible, while making it clear
> which things are pretty-much required for any kind of useful
> implementation and which are just "would-be-nice" requirements.

That's a really great list. I have one query about it:

- Many-to-one relationship between Identity URLs and "user accounts"
- Don't require users to choose locally-unique usernames

These appear to be conflicting recommendations. For the second one,
you advocate using the OpenID identifier as the primary identifier for
a user, but in the first you emphasize that a user account should be
able to have more than one OpenID associated with it. Even if you ask
the user to select their "primary" OpenID you still run into problems
should they later ditch that one in favour of another. This could
definitely be clarified.
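One way to reconcile the two recommendations, added here as an example and not code from the thread or from the wiki page (the table layout, function names and the simplified identifier normalization are assumptions for this example): give each account an internal surrogate id and keep the OpenID identifiers in a separate table. Each identifier maps to exactly one account, an account can own any number of identifiers, and nothing about the account depends on which identifier the user happens to sign in with today, so "ditching" one identifier for another never orphans the account.

```python
"""One user account, many OpenID identifiers (illustrative example, not the
wiki's or the thread's code). Schema and helper names are assumptions.

Design points:
  * accounts.id is a surrogate key; no "primary OpenID" column exists.
  * openid_identifiers.identifier is the PRIMARY KEY, so a given identifier
    can never resolve to two accounts (a login must not silently create or
    join a second account).
  * The last identifier on an account cannot be removed, which would lock
    the user out.
"""
import sqlite3
from urllib.parse import urlsplit, urlunsplit

SCHEMA = """
CREATE TABLE accounts (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    display_name TEXT NOT NULL
);
CREATE TABLE openid_identifiers (
    identifier TEXT PRIMARY KEY,                              -- normalized URL
    account_id INTEGER NOT NULL REFERENCES accounts(id)
);
CREATE INDEX idx_identifiers_account ON openid_identifiers(account_id);
"""


def open_db():
    """In-memory SQLite database with the schema above (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def normalize(identifier):
    """Simplified identifier normalization (assumption: a subset of the OpenID
    rules): add a scheme if missing, lowercase scheme and host, default the
    path to "/", and drop any fragment. Always store and look up through this."""
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def create_account(conn, display_name, identifier):
    """Create an account and link its first identifier; returns the surrogate id."""
    cur = conn.execute("INSERT INTO accounts (display_name) VALUES (?)", (display_name,))
    account_id = cur.lastrowid
    link_identifier(conn, account_id, identifier)
    return account_id


def link_identifier(conn, account_id, identifier):
    """Attach another identifier to an existing account.
    Refuses if the identifier already belongs to any account."""
    ident = normalize(identifier)
    if account_for(conn, ident) is not None:
        raise ValueError("identifier already linked: %s" % ident)
    conn.execute("INSERT INTO openid_identifiers (identifier, account_id) VALUES (?, ?)",
                 (ident, account_id))


def account_for(conn, identifier):
    """Resolve a (verified) claimed identifier to an account id, or None."""
    row = conn.execute("SELECT account_id FROM openid_identifiers WHERE identifier = ?",
                       (normalize(identifier),)).fetchone()
    return row[0] if row else None


def identifiers_for(conn, account_id):
    """All identifiers currently attached to an account, sorted."""
    rows = conn.execute("SELECT identifier FROM openid_identifiers WHERE account_id = ?"
                        " ORDER BY identifier", (account_id,)).fetchall()
    return [r[0] for r in rows]


def unlink_identifier(conn, identifier):
    """Remove an identifier from its account, but never the last one."""
    ident = normalize(identifier)
    account_id = account_for(conn, ident)
    if account_id is None:
        raise ValueError("unknown identifier: %s" % ident)
    if len(identifiers_for(conn, account_id)) == 1:
        raise ValueError("refusing to remove the only identifier on account %d" % account_id)
    conn.execute("DELETE FROM openid_identifiers WHERE identifier = ?", (ident,))


if __name__ == "__main__":
    db = open_db()
    acct = create_account(db, "Alice", "alice.example.com")
    link_identifier(db, acct, "https://id.example.org/alice")
    unlink_identifier(db, "http://alice.example.com/")   # switch to the new one
    print(acct, identifiers_for(db, acct))
```

Because `account_for` is the only path from identifier to account, the relying party never has to decide which identifier is "primary": the user's session simply carries the account id, and any linked identifier (after the usual OpenID verification) maps to it.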
