[OpenID] Live Icons for visual recognition of IDP logos

Deron Meranda deron.meranda at gmail.com
Thu Apr 2 20:39:38 UTC 2009

On Thu, Apr 2, 2009 at 2:36 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> RPs should allow users to bind multiple identifiers to a user's account, and
> allow users to add and remove them.

I absolutely agree.  But is there any recommended way to do that,
in terms of a consistent user interaction?  In fact I haven't seen very
many RPs in the wild attempt the multiple id support yet, though it
seems to be something that we should strongly try to encourage.

The way that my own RP does that is that when you're already logged
in (say using identity A) and you try to log in again (with id B) without
having logged out first, it will

1. Put up a page that says you were already logged in before, and
2. Ask if you would like to add the identity you just logged in
    to the same user account; or instead log in as a new user (thus
    logging the first one out).

In between 1 and 2 the user is sort of in a limbo session state.
I know their OpenID identity, but I haven't mapped them to a
local user account yet.

Obviously to do this I must maintain a mapping of OpenID identities
to local user accounts; and this is a many-to-one mapping.  This means
that the OpenID identity is NOT my user account identity; but instead that
the OpenID identity REFERENCES my user account identity.  A
subtle but important distinction.

Furthermore once a user is logged in, they can go to their user
"preferences" screen; where a list of all their OpenID identities is
shown.  From there they can delete any of them.

Obviously, if you don't have an account recovery system in place
(such as via verified email), then you need to prevent the user from
deleting ALL of their identities lest they be locked out.  Also, since the
only way to add an identity is to actually use it first (login with it), I don't
have to worry about them only having identities left which have never
been "tested", and thus chance them locking themselves out.

Deron Meranda
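The account-linking flow described in the post, as an added example that is not Deron's RP code or any OpenID library: an in-memory model in which OpenID identities map many-to-one onto local accounts, a verified identity that is not yet bound waits in a "pending" session slot (the limbo state), and the preferences-screen removal refuses to unbind the last identity unless the account has a verified recovery e-mail. All class, method and field names are assumptions, and the sample identifiers in the comments are constructed.

```python
"""Added example (not the original post's code): a relying-party account
store with many-to-one OpenID-to-account mapping, a pending slot for a
verified-but-unbound identity, and a last-identity lockout guard.
All names here are assumptions; no real OpenID verification is performed."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    account_id: int
    recovery_email: Optional[str] = None     # verified e-mail enables recovery
    openids: set = field(default_factory=set)


class RelyingParty:
    """Methods run after the OpenID assertion has already been verified."""

    def __init__(self):
        self._accounts = {}            # account_id -> Account
        self._openid_to_account = {}   # openid -> account_id (many-to-one)
        self._next_id = 1

    def account_for(self, openid):
        """The local account an identity REFERENCES, or None if unknown."""
        return self._openid_to_account.get(openid)

    def _new_account(self, openid):
        acct = Account(self._next_id)
        self._next_id += 1
        self._accounts[acct.account_id] = acct
        self._bind(openid, acct.account_id)
        return acct

    def _bind(self, openid, account_id):
        if openid in self._openid_to_account:
            raise ValueError("identity already bound to an account")
        self._openid_to_account[openid] = account_id
        self._accounts[account_id].openids.add(openid)

    def handle_login(self, session, openid):
        """session: dict holding 'account_id' (logged-in local account) and
        'pending_openid' (verified identity awaiting the user's choice).
        Returns 'logged_in', 'created' or 'choose'."""
        known = self.account_for(openid)
        if known is not None:
            # Identity already references a local account: replace any
            # existing session with that account (logs the old one out).
            session.clear()
            session["account_id"] = known
            return "logged_in"
        if session.get("account_id") is None:
            acct = self._new_account(openid)
            session["account_id"] = acct.account_id
            return "created"
        # Already logged in as someone else with an unknown identity:
        # park it in limbo without granting it any account access yet.
        session["pending_openid"] = openid
        return "choose"

    def resolve_choice(self, session, add_to_current):
        """Step 2 from the post: bind the pending identity to the current
        account, or start a fresh account and drop the old session."""
        pending = session.pop("pending_openid")
        if add_to_current:
            self._bind(pending, session["account_id"])
            return session["account_id"]
        acct = self._new_account(pending)
        session.clear()
        session["account_id"] = acct.account_id
        return acct.account_id

    def unbind(self, account_id, openid):
        """Preferences-screen removal with the lockout guard."""
        acct = self._accounts[account_id]
        if openid not in acct.openids:
            raise KeyError("identity is not bound to this account")
        if len(acct.openids) == 1 and acct.recovery_email is None:
            raise PermissionError("refusing to remove the last identity: no recovery channel")
        acct.openids.remove(openid)
        del self._openid_to_account[openid]
```

The pending identity is deliberately kept out of `account_id` so that a verified assertion for an unknown identity never grants access to the already-logged-in account until the user has made the choice in step 2; adding an identity is only possible by logging in with it first, which is exactly the property the post relies on to avoid untested identities.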
