[OpenID] Relying Party Best Practices
mart at degeneration.co.uk
Thu Mar 8 07:58:51 UTC 2007
Simon Willison wrote:
> That's a really great list. I have one query about it:
> - Many-to-one relationship between Identity URLs and "user accounts"
> - Don't require users to choose locally-unique usernames
> These appear to be conflicting recommendations. For the second one,
> you advocate using the OpenID identifier as the primary identifier for
> a user, but in the first you emphasize that a user account should be
> able to have more than one OpenID associated with it. Even if you ask
> the user to select their "primary" OpenID you still run into problems
> should they later ditch that one in favour of another. This could
> definitely be clarified.
I think I see where you're coming from here. I don't really think the
two items you've called out here are necessarily in conflict (see John
Panzer's reply) but once you bring "Allow, but do not require, users to
attach a handle or name to their identity" into the equation it's a bit
ambiguous, because that recommendation states that *the* (singular)
OpenID identifier should be displayed alongside the non-unique display name.
Jyte handles this by asking the user to select a primary identifier as
you say. However, you're right that if this is not handled carefully
problems could arise if a different identifier is switched to primary
later. I'm not sure what effect that has on Jyte today, but I think Jyte
is in some ways a model for many of these "Brilliant" requirements.
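
The primary-identifier switch discussed above, as an added example that is not part of the original message and is not Jyte's code: accounts are keyed by an internal id, several Identity URLs map to one account, and exactly one is flagged primary for display. The table and function names and the sample URLs in the test are assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE account (
    id INTEGER PRIMARY KEY,      -- stable internal key, never derived from an OpenID
    display_name TEXT            -- optional and deliberately not unique
);
CREATE TABLE identity (
    url TEXT PRIMARY KEY,        -- a verified Identity URL belongs to exactly one account
    account_id INTEGER NOT NULL REFERENCES account(id),
    is_primary INTEGER NOT NULL DEFAULT 0
);
-- at most one primary (displayed) identifier per account
CREATE UNIQUE INDEX one_primary ON identity(account_id) WHERE is_primary = 1;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_account(db, url, display_name=None):
    with db:  # roll back the account row if the URL is already claimed
        cur = db.execute("INSERT INTO account(display_name) VALUES (?)", (display_name,))
        db.execute("INSERT INTO identity VALUES (?, ?, 1)", (url, cur.lastrowid))
    return cur.lastrowid

def attach(db, account_id, url):
    with db:  # raises sqlite3.IntegrityError if the URL is on another account
        db.execute("INSERT INTO identity VALUES (?, ?, 0)", (url, account_id))

def set_primary(db, account_id, url):
    with db:  # demote and promote in one transaction
        owned = db.execute("SELECT 1 FROM identity WHERE url = ? AND account_id = ?",
                           (url, account_id)).fetchone()
        if owned is None:
            raise ValueError("identifier is not attached to this account")
        db.execute("UPDATE identity SET is_primary = 0 WHERE account_id = ?", (account_id,))
        db.execute("UPDATE identity SET is_primary = 1 WHERE url = ?", (url,))

def account_for(db, url):
    row = db.execute("SELECT account_id FROM identity WHERE url = ?", (url,)).fetchone()
    return row[0] if row else None

def primary_of(db, account_id):
    row = db.execute("SELECT url FROM identity WHERE account_id = ? AND is_primary = 1",
                     (account_id,)).fetchone()
    return row[0] if row else None
```

Because other tables would reference `account.id` rather than the displayed URL, changing the primary identifier only changes what is shown next to the display name; logins through the old identifier still resolve to the same account.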