[OpenID] linking an openid to an existing account

Shane B Weeden sweeden at au1.ibm.com
Fri Jul 18 08:29:54 UTC 2008


I have a question about best-practices. 

Consider a website with an existing user base. You want to provide the 
users an alternate means of authentication with an OpenID (e.g. replacing 
existing password-based authentication), so you show them a page (after 
they've authenticated) which says "Link an OpenID to your account". 

The user authenticates with an OpenID, and the site associates <something> 
with the user's existing account so that in the future OpenID 
authentication can happen as the primary login and the same <something> 
can be used to figure out which user account to log in as.

My question is what is the best thing to use as <something>. There are 
options, most with certain limitations, and I wanted to see if the 
community has a general pattern or recommendation.

For example, the <something> could be (non-exhaustive):

1. The "as-typed-in-by-the-user" user-supplied identifier. This has 
limitations that a user can have multiple user-supplied identifiers that 
normalize to the same id, and they can confuse themselves (e.g. 
shane.myopenid.com = http://shane.myopenid.com). This doesn't work well 
with OP identifiers.

2. The claimed identifier after discovery. This doesn't play well with 
delegation if a user switches OPs but keeps their user-supplied 
identifier.

3. Some other combination?

Your thoughts appreciated.
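
Added example, not part of the original post: a sketch of the limitation described for option 1, comparing an account-link table keyed on the as-typed string with one keyed on the identifier after the syntactic normalization steps of OpenID Authentication 2.0 section 7.2. The `LinkStore` class, the account name and the sample identifiers are constructed for illustration; redirects and discovery are not performed, so this does not cover the delegation case in option 2.

```python
from urllib.parse import urlsplit, urlunsplit

XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")  # XRI global context symbols
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input):
    """Syntactic steps of OpenID 2.0 section 7.2; redirects are not followed."""
    ident = user_input.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident.startswith(XRI_PREFIXES):
        return ("xri", ident)
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident  # a bare host is treated as an http URL
    parts = urlsplit(ident)
    if parts.username is not None or not parts.hostname:
        raise ValueError("unsupported identifier: %r" % user_input)
    host = parts.hostname.lower()
    if parts.port not in (None, DEFAULT_PORTS[parts.scheme]):
        host = "%s:%d" % (host, parts.port)
    # Empty path becomes "/", and the fragment is dropped.
    return ("url", urlunsplit((parts.scheme, host, parts.path or "/", parts.query, "")))


class LinkStore:
    """Hypothetical account-link table mapping a key to a local account."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.links = {}

    def link(self, identifier, account):
        self.links[self.key_func(identifier)] = account

    def lookup(self, identifier):
        return self.links.get(self.key_func(identifier))


def demo():
    """Link with one spelling, log in with another (constructed sample values)."""
    as_typed = LinkStore(lambda s: s)
    normalized = LinkStore(normalize_identifier)
    for store in (as_typed, normalized):
        store.link("shane.myopenid.com", "local-account-17")
    later = "http://shane.myopenid.com"
    return as_typed.lookup(later), normalized.lookup(later)


if __name__ == "__main__":
    print(demo())
```

The as-typed table fails to find the account when the same user types the other spelling, while the normalized table resolves both spellings to one key.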