[OpenID] Live Icons for visual recognition of IDP logos
bkissel at janrain.com
Fri Apr 3 04:36:01 UTC 2009
JanRain's RPX<http://rpxnow.com/> account mapping API helps link multiple OpenID accounts so you don't have to change your database schema to support multiple OpenID accounts.
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Deron Meranda
Sent: Thursday, April 02, 2009 1:40 PM
To: Allen Tom
Subject: Re: [OpenID] Live Icons for visual recognition of IDP logos
On Thu, Apr 2, 2009 at 2:36 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> RPs should allow users to bind multiple identifiers to a user's account, and
> allow users to add and remove them.
I absolutely agree. But is there any recommended way to do that,
in terms of a consistent user interaction? In fact I haven't seen very
many RPs in the wild attempt the multiple id support yet, though it
seems to be something that we should strongly try to encourage.
The way that my own RP does that is that when you're already logged
in (say using identity A) and you try to log in again (with id B) without
having logged out first, it will
1. Put up a page that says you were already logged in before, and
2. Ask if you would like to add the identity you just logged in
to the same user account; or instead log in as a new user (thus
logging the first one out).
In between 1 and 2 the user is sort of in a limbo session state.
I know their OpenID identity, but I haven't mapped them to a
local user account yet.
Obviously to do this I must maintain a mapping of OpenID identities
to local user accounts; and this is a many to one mapping. This means
that the OpenID identity is NOT my user account identity; but instead that
the OpenID identity REFERENCES my user account identity. A
subtle but important distinction.
Furthermore once a user is logged in, they can go to their user
"preferences" screen; where a list of all their OpenID identities is
shown. From there they can delete any of them.
Obviously, if you don't have an account recovery system in place
(such as via verified email), then you need to prevent the user from
deleting ALL of their identities lest they be locked out. Also, since the
only way to add an identity is to actually use it first (log in with it), I don't
have to worry about them only having identities left which have never
been "tested", and thus chance them locking themselves out.
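The many-to-one identity mapping, the limbo state between steps 1 and 2, and the removal rule from the quoted message, as an added example that is not code from the thread or from any poster's RP. The class and method names, the in-memory dict standing in for a database table, and the rule that an identifier already bound to another account cannot be linked are assumptions.

```python
import itertools

class LinkError(Exception): pass  # a link or unlink request was refused

class AccountStore:
    """Many-to-one map: verified OpenID identifier -> local account id."""
    def __init__(self, has_recovery=False):
        self.owner = {}                    # identifier -> account id
        self.has_recovery = has_recovery   # e.g. verified e-mail recovery exists
        self._ids = itertools.count(1)

    def identities(self, account):
        return sorted(i for i, a in self.owner.items() if a == account)

    def login(self, session, identifier):
        """Call only after the OpenID assertion for `identifier` has verified."""
        current = session.get("account")
        known = self.owner.get(identifier)
        if current is not None and known != current:
            session["pending"] = identifier  # limbo: proven, not yet mapped
            return "pending"
        if known is None:
            known = self.owner[identifier] = next(self._ids)
        session["account"] = known
        return "logged_in"

    def resolve(self, session, choice):
        """Step 2: 'link' adds the pending identity, 'switch' logs in as it."""
        identifier = session.pop("pending", None)
        if identifier is None:
            raise LinkError("no freshly verified identity in this session")
        if choice == "link":
            if identifier in self.owner:  # assumption: no silent account merge
                raise LinkError("identifier already references another account")
            self.owner[identifier] = session["account"]
        elif choice == "switch":
            session.pop("account")
            self.login(session, identifier)
        else:
            raise LinkError("unknown choice")
        return session["account"]

    def remove(self, session, identifier):
        account = session.get("account")
        if account is None or self.owner.get(identifier) != account:
            raise LinkError("identifier is not bound to the logged-in account")
        if len(self.identities(account)) == 1 and not self.has_recovery:
            raise LinkError("refusing to remove the last identity")
        del self.owner[identifier]
```

Because `resolve` only accepts an identifier placed in the session by `login`, an identity can be linked only after it has been used, which is the property the message relies on to avoid untested identities.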