[OpenID] linking an openid to an existing account

Dan Ragle dragle at jupitermedia.com
Fri Jul 18 13:50:10 UTC 2008


Hi,

I think the key to use is the claimed_id returned by the OP as part
of a positive assertion (which you have to verify against your own
discovered data as part of the authentication); otherwise you run
into the potential future-user-inherits-the-account problem:

> 1. The "as-typed-in-by-the-user" user-supplied identifier. This has 
> limitations that a user can have multiple user-supplied identifiers that 
> normalize to the same id, and they can confuse themselves (e.g. 
> shane.myopenid.com = http://shane.myopenid.com). This doesn't work well 
> with OP identifiers.

And it also has the problem that a user may abandon an ID at a
particular OP, and that another user might take it over at some
point in the future and thus gain access to your already associated
account through it. Of course, I'm assuming here that the OP uses
some type of fragment identifier on the returned claimed_id to
historically differentiate the new vs. old ID (i.e., like Yahoo
does now).

> 
> 2. The claimed identifier after discovery. This doesn't play well with 
> delegation if a user switches OP's but keeps their user-supplied 
> identifier.

As I recall, in the case of delegation, the claimed_id after discovery
is just the normalized user supplied ID, or the canonical ID if an XRI
was supplied (i.e., the ID that is used to verify the user at the OP is
the OP-Local ID, not the claimed identifier). So it should still work
if the user delegates and switches OPs later, unless I've misunderstood
your point.

But in the case of non-delegation, this scenario has the same potential 
problem as above.

> 
> 3. Some other combination?

As I understood it, the returned claimed_id from the OP should be
the normalized user supplied ID in the case of delegation, or an
historically unique form of the user's chosen (in the case of
OP IDs) or supplied ID otherwise. Thus, I believe it's the most
accurate link.

> 
> Your thoughts appreciated.
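A small model of the three link-key choices debated above, as an added example that is not part of the thread; it assumes a simplified URL normalization (no XRI handling), a constructed OP endpoint and claimed_id fragments, and leaves out signature verification:

```python
# Added example (not from the thread): which value to key an account link on.
# Identifiers, endpoint and fragments below are constructed, not real data.
from urllib.parse import urldefrag, urlsplit, urlunsplit


def normalize_user_supplied(identifier: str) -> str:
    """Simplified OpenID 2.0 URL normalization: add a scheme if missing,
    lowercase scheme and host, default the path to '/', drop any fragment."""
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def verify_assertion(assertion: dict, discovered: dict) -> str:
    """Check a positive assertion against the RP's own discovery and return the
    claimed_id to link on, fragment included. The OP may append a fragment to
    make a recycled identifier historically unique; the part before it must
    equal the discovered claimed_id. Signature checks are omitted here."""
    bare, _fragment = urldefrag(assertion["claimed_id"])
    if bare != discovered["claimed_id"]:
        raise ValueError("claimed_id in assertion does not match discovery")
    if assertion["op_endpoint"] != discovered["op_endpoint"]:
        raise ValueError("assertion is not from the discovered OP endpoint")
    return assertion["claimed_id"]


def link_key(strategy: str, user_supplied: str, assertion: dict, discovered: dict) -> str:
    """'typed' = option 1, 'normalized' = option 2 without delegation,
    'claimed_id' = the verified value returned by the OP."""
    if strategy == "typed":
        return user_supplied
    if strategy == "normalized":
        return normalize_user_supplied(user_supplied)
    return verify_assertion(assertion, discovered)


# Constructed scenario: the original owner's assertion carried fragment '#a1';
# after the OP recycled the identifier, a different person's carries '#b2'.
DISCOVERED = {"claimed_id": "http://shane.myopenid.com/",
              "op_endpoint": "https://www.myopenid.com/server"}
ORIGINAL = {"claimed_id": "http://shane.myopenid.com/#a1", "op_endpoint": DISCOVERED["op_endpoint"]}
RECYCLED = {"claimed_id": "http://shane.myopenid.com/#b2", "op_endpoint": DISCOVERED["op_endpoint"]}


def inherits_account(strategy: str) -> bool:
    """True if the later holder of the identifier resolves to the account
    the original holder linked under the given strategy."""
    links = {link_key(strategy, "shane.myopenid.com", ORIGINAL, DISCOVERED): "alice"}
    return links.get(link_key(strategy, "shane.myopenid.com", RECYCLED, DISCOVERED)) == "alice"
```

Only the claimed_id strategy keeps the recycled identifier out of the original account, and only if the OP actually differentiates the two with a fragment.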
