[OpenID] Live Icons for visual recognition of IDP logos

Brian Kissel bkissel at janrain.com
Fri Apr 3 04:36:01 UTC 2009

JanRain's RPX (http://rpxnow.com/) account mapping API helps link multiple OpenID accounts so you don't have to change your database schema to support multiple OpenID accounts.

Brian Kissel
Cell: 503.866.4424
Fax: 503.296.5502

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Deron Meranda
Sent: Thursday, April 02, 2009 1:40 PM
To: Allen Tom
Cc: general
Subject: Re: [OpenID] Live Icons for visual recognition of IDP logos

On Thu, Apr 2, 2009 at 2:36 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> RPs should allow users to bind multiple identifiers to a user's account, and
> allow users to add and remove them.

I absolutely agree.  But is there any recommended way to do that,
in terms of a consistent user interaction?  In fact I haven't seen very
many RPs in the wild attempt the multiple id support yet, though it
seems to be something that we should strongly try to encourage.

The way that my own RP does that is that when you're already logged
in (say using identity A) and you try to login again (with id B) without
having logged out first, it will

1. Put up a page that says you were already logged in before, and
2. Ask if you would like to add the identity you just logged in
    to the same user account; or instead login as a new user (thus
    logging the first one out).

In between 1 and 2 the user is sort of in a limbo session state.
I know their OpenID identity, but I haven't mapped them to a
local user account yet.

Obviously to do this I must maintain a mapping of OpenID identities
to local user accounts; and this is a many to one mapping.  This means
that the OpenID identity is NOT my user account identity; but instead that
the OpenID identity REFERENCES my user account identity.  A
subtle but important distinction.

Furthermore once a user is logged in, they can go to their user
"preferences" screen; where a list of all their OpenID identities is
shown.  From there they can delete any of them.

Obviously, if you don't have an account recovery system in place
(such as via verified email), then you need to prevent the user from
deleting ALL of their identities lest they be locked out.  Also, since the
only way to add an identity is to actually use it first (login with it), I don't
have to worry about them only having identities left which have never
been "tested", and thus chance them locking themselves out.

Deron Meranda


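The many-to-one mapping and the add/remove rules described in the quoted message, as an added sketch that is not part of the original thread and is not Deron Meranda's RP or JanRain's RPX code. The table names, the `AccountStore` class, `on_verified_login`, and the policy of refusing to re-bind an identifier that already references a different account are assumptions made for the illustration.

```python
import sqlite3

class LinkError(Exception):
    """Raised when a bind or unbind would break the mapping rules."""

class AccountStore:
    """Many-to-one map: each OpenID identifier references one local account."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE account (id INTEGER PRIMARY KEY, verified_email TEXT);
            CREATE TABLE openid_identity (
                claimed_id TEXT PRIMARY KEY,   -- an identifier maps to one account only
                account_id INTEGER NOT NULL REFERENCES account(id));""")

    def account_for(self, claimed_id):
        row = self.db.execute("SELECT account_id FROM openid_identity "
                              "WHERE claimed_id = ?", (claimed_id,)).fetchone()
        return row[0] if row else None

    def create_account(self, claimed_id, verified_email=None):
        if self.account_for(claimed_id) is not None:
            raise LinkError("identifier is already bound to an account")
        cur = self.db.execute("INSERT INTO account (verified_email) VALUES (?)", (verified_email,))
        self.db.execute("INSERT INTO openid_identity VALUES (?, ?)", (claimed_id, cur.lastrowid))
        return cur.lastrowid

    def link(self, account_id, claimed_id):
        # Call only with an identifier the OP has just verified (the "limbo" login).
        if self.account_for(claimed_id) not in (None, account_id):
            raise LinkError("identifier belongs to another account")  # assumed policy
        self.db.execute("INSERT OR IGNORE INTO openid_identity VALUES (?, ?)",
                        (claimed_id, account_id))

    def unlink(self, account_id, claimed_id):
        if self.account_for(claimed_id) != account_id:
            raise LinkError("identifier is not bound to this account")
        (count,) = self.db.execute("SELECT COUNT(*) FROM openid_identity "
                                   "WHERE account_id = ?", (account_id,)).fetchone()
        (email,) = self.db.execute("SELECT verified_email FROM account WHERE id = ?",
                                   (account_id,)).fetchone()
        if count == 1 and email is None:   # no recovery path: keep the last identifier
            raise LinkError("cannot remove the last identifier")
        self.db.execute("DELETE FROM openid_identity WHERE claimed_id = ?", (claimed_id,))

def on_verified_login(store, session_account, claimed_id):
    """Next step once the OP has verified claimed_id (session_account may be None)."""
    owner = store.account_for(claimed_id)
    if owner is not None:
        return ("login", owner)                  # known identifier: log in as its account
    if session_account is not None:
        return ("offer_link", session_account)   # limbo: ask to link or start a new account
    return ("new_account", None)
```

The primary key on `claimed_id` is what enforces "an identifier references exactly one account"; `link` and `unlink` carry the two lockout and takeover checks on top of it.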