[OpenID] linking an openid to an existing account

Dan Ragle dragle at jupitermedia.com
Mon Jul 21 13:41:12 UTC 2008


In that case, I believe the claimed id after discovery
(which, in the case of 1.1, should be the normalized
user supplied ID) is your best choice (that's the one
I use). Perhaps not optimal, but if you need 1.1
compatibility that's the best of the options.

This blurb from the specs (section 14.2.1) seems to at
least indirectly concur:

    "openid.claimed_id" is not defined by OpenID
    Authentication 1.1. Relying Parties MAY send the
    value when making requests, but MUST NOT depend on
    the value being present in authentication responses.
    When the OP-Local Identifier ("openid.identity") is
    different from the Claimed Identifier, the Relying
    Party MUST keep track of what Claimed Identifier was
    used to discover the OP-Local Identifier, for
    example by keeping it in session state. Although the
    Claimed Identifier will not be present in the
    response, it MUST be used as the identifier for the
    user.

Hope that's helpful!

Dan

> Agree for OpenID 2.0.
> 
> What about OpenID 1.1 backwards-compatibility, which doesn't have the 
> claimed_id concept?
> 
> Dan Ragle <dragle at jupitermedia.com>
> Sent by: general-bounces at openid.net
> 19/07/2008 12:01 AM
> 
> To: general at openid.net
> cc:
> Subject: Re: [OpenID] linking an openid to an existing account
> 
> P.S. - per section 11.5 of the OpenID specs:
> 
>     "The Claimed Identifier in a successful
>      authentication response SHOULD be used
>      by the Relying Party as a key for local
>      storage of information about the user.
>      The Claimed Identifier MAY be used as a
>      user-visible Identifier. When displaying
>      URL Identifiers, the fragment MAY be
>      omitted."
> 
> Cheers!
> 
> Dan
> 
>> I have a question about best practices.
>>
>> Consider a website with an existing user base. You want to provide the 
>> users an alternate means of authentication with an OpenID (e.g. replacing
>> existing password-based authentication), so you show them a page (after
>> they've authenticated) which says "Link an OpenID to your account". 
>>
>> The user authenticates with an OpenID, and the site associates <something>
>> with the user's existing account so that in the future OpenID
>> authentication can happen as the primary login and the same <something> 
>> can be used to figure out which user account to login as.
>>
>> My question is what is the best thing to use as <something>. There are 
>> options, most with certain limitations, and I wanted to see if the 
>> community has a general pattern or recommendation.
>>
>> For example, the <something> could be (non-exhaustive):
>>
>> 1. The "as-typed-in-by-the-user" user-supplied identifier. This has 
>> limitations that a user can have multiple user-supplied identifiers that
>> normalize to the same id, and they can confuse themselves (e.g.
>> shane.myopenid.com = http://shane.myopenid.com). This doesn't work well 
>> with OP identifiers.
>>
>> 2. The claimed identifier after discovery. This doesn't play well with
>> delegation if a user switches OPs but keeps their user-supplied
>> identifier.
>>
>> 3. Some other combination?
>>
>> Your thoughts appreciated.
>>
>>
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
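An added example, not code from this thread or from any OpenID library: a minimal relying-party link-and-login flow in Python that keys the local account on the Claimed Identifier and keeps it in session state as section 14.2.1 requires, so a 1.1 response that omits openid.claimed_id still resolves to the same account. The DISCOVERY table, the account name and the response dictionaries are constructed stand-ins; signature verification of the response is assumed to have happened already.

```python
from urllib.parse import urlsplit, urlunsplit

def normalize(user_supplied: str) -> str:
    """Normalize a user-supplied URL identifier: add a scheme if missing,
    lowercase scheme and host, default the path to "/", drop the fragment."""
    s = user_supplied.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

# Constructed stand-in for discovery: Claimed Identifier -> OP-Local Identifier.
# The second entry models delegation, where the two identifiers differ.
DISCOVERY = {
    "http://shane.myopenid.com/": "http://shane.myopenid.com/",
    "http://shane.example.org/": "http://shane.myopenid.com/",
}

def begin_auth(user_supplied: str, session: dict) -> str:
    """Discover the OP-Local Identifier and park both ids in session state,
    because a 1.1 OP will not echo openid.claimed_id back (section 14.2.1)."""
    claimed = normalize(user_supplied)
    session["claimed_id"] = claimed
    session["op_local_id"] = DISCOVERY[claimed]
    return session["op_local_id"]  # this is what goes out as openid.identity

def resolve_identifier(response: dict, session: dict) -> str:
    """Pick the identifier to key the user on, checking the (already signed)
    response against what discovery produced for this session."""
    if response.get("openid.identity") != session.get("op_local_id"):
        raise ValueError("asserted openid.identity does not match discovery")
    claimed = response.get("openid.claimed_id")  # absent from 1.1 responses
    if claimed is None:
        return session["claimed_id"]  # fall back to the id we discovered with
    if normalize(claimed) != session["claimed_id"]:
        raise ValueError("asserted openid.claimed_id does not match discovery")
    return session["claimed_id"]

LINKS: dict = {}  # constructed: Claimed Identifier -> local account name

def link_openid(username: str, response: dict, session: dict) -> str:
    """The 'Link an OpenID to your account' step for an authenticated user."""
    ident = resolve_identifier(response, session)
    LINKS[ident] = username
    return ident

def account_for(response: dict, session: dict):
    """Later logins: map the response back to the linked account, if any."""
    return LINKS.get(resolve_identifier(response, session))
```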


