[OpenID] OpenID based on email addresses... Just Works!

Andrew Arnott andrewarnott at gmail.com
Sun Nov 2 01:48:13 UTC 2008


Why not use the AX extension to supply the extra identifiers?  AX supports
multiple values for a single parameter type URI, so we could have something
like http://axschema.org/identifier/openid and the OP could send down all
the other Identifiers the user controls.

Take the following scenario:

   1. I visit myopenid.com, and configure it to know about my five OpenID
   identifiers.  This turns out to be a piece of cake because I just point
   myopenid.com at my XRDS document and all the identifiers are listed there
   and imported.
   2. I then visit magnolia and log in.  With the auth request, magnolia
   sends my provider an AX fetch request for
   http://axschema.org/identifier/openid.  Myopenid.com provides the
   assertion and my five other identifiers as multiple values in the AX fetch
   response.
   3. Magnolia scans this list and notices that it doesn't have four of
   those five identifiers associated with my account yet.  It confirms that I
   want to add these to my account and adds them.

This allows me to just tell my Provider about my many identifiers, and all
RPs I log into can (optionally with my permission of course at the OP)
automatically download all my other identifiers and configure my account
accordingly.  Obviously there will be times when the user won't want an RP
to know about all the other identifiers (if for example the user wants to
preserve anonymity) but the automation will be in place for when I do.

There will be no need to make the user jump through hoops to prove he
controls these identifiers until he tries to actually log in with one.

On Sat, Nov 1, 2008 at 6:29 PM, Martin Atkins <mart at degeneration.co.uk> wrote:

> Chris Messina wrote:
> >
> > It seems to me like this is just a matter of popularizing the idea of
> > multiple identifier associations per account, just as you do when you
> > associate multiple email addresses with an account (say, on Plaxo,
> > Dopplr and elsewhere).
> >
> > Ma.gnolia currently provides you the ability to associate multiple
> > identifiers with your account, allowing you to use any of them to sign
> > in.
> >
> > Since we're moving to a model of remote authentication, we really do
> > need to make sure that, apart from using XRDS to point to multiple OPs
> > in the case that one goes down, associating more than one identifier
> > per RP is also something that could or will be of value (especially if
> > you initially sign up to a service with a "throw-away" OpenID for
> > testing).
> >
>
> Manually associating multiple identifiers with your account at your RP
> is the workaround, not the fix.
>
> If we want to say with a straight face that we support migrating between
> identifiers, it needs to be *much* more automatic than this. Being able
> to migrate between identifiers needs to be the default.
>
> With the tech we've got right now I think the best we can accomplish is
> using a service like the Google Social Graph API to discover other
> identifiers that a user has and prompt them to associate those with
> their account as well. (We can't do this automatically, because the data
> returned by SGAPI is not necessarily trustworthy.)
>
> The main issue with that approach is overcoming the "stalkery" nature of
> this by explaining to users where this list came from. I think most
> users today would be pretty freaked out if they put in their LiveJournal
> identifier and it prompted them to add their MySpace account.
>
>
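
The RP side of steps 2 and 3 in the scenario above, as an added example that is not part of the original message or of any OpenID library: it reads a multi-valued AX fetch response, uses only fields listed in `openid.signed`, and returns the identifiers not yet linked so they can be offered to the user and stored as unverified until a login with each one. The type URI is the one floated in the message; the function names, `MAX_VALUES` and the sample data are assumptions, and the assertion's signature is assumed to be already verified.

```python
AX_NS = "http://openid.net/srv/ax/1.0"
# Type URI floated in the message above; an assumption, not a registered attribute.
IDENTIFIER_TYPE = "http://axschema.org/identifier/openid"
MAX_VALUES = 20  # assumed cap so a hostile count cannot drive a huge loop

def ax_values(params, type_uri):
    """Signed AX fetch_response values for type_uri, or [] if anything is off."""
    signed = {"openid." + k for k in params.get("openid.signed", "").split(",") if k}
    # The OP picks the namespace alias, so locate AX by its namespace URI.
    ns = next((k[10:] for k, v in params.items()
               if k.startswith("openid.ns.") and v == AX_NS), None)
    if ns is None or params.get(f"openid.{ns}.mode") != "fetch_response":
        return []
    pre = f"openid.{ns}."
    alias = next((k[len(pre) + 5:] for k, v in params.items()
                  if k.startswith(pre + "type.") and v == type_uri), None)
    if alias is None:
        return []
    meta = [f"openid.ns.{ns}", pre + "mode", pre + "type." + alias]
    count = params.get(pre + "count." + alias)
    if count is None:  # single-valued form: value.<alias> with no index
        value_keys = [pre + "value." + alias]
    elif count.isdecimal() and int(count) <= MAX_VALUES:
        meta.append(pre + "count." + alias)
        value_keys = [f"{pre}value.{alias}.{i}" for i in range(1, int(count) + 1)]
    else:
        return []
    # Fields missing from openid.signed may have been injected: drop the set.
    if any(k not in signed or k not in params for k in meta + value_keys):
        return []
    return [params[k] for k in value_keys]

def plan_import(params, linked):
    """Identifiers to offer the user; store each as unverified until a login with it."""
    claimed = params.get("openid.claimed_id")
    offered = []
    for ident in ax_values(params, IDENTIFIER_TYPE):  # assumed already normalized
        if ident != claimed and ident not in linked and ident not in offered:
            offered.append(ident)
    return offered

def sample_response():
    """Constructed positive assertion with five identifiers (not real data)."""
    ids = [f"https://id{i}.example/andrew" for i in range(1, 6)]
    p = {"openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
         "openid.claimed_id": "https://op.example/andrew",
         "openid.ext1.type.ids": IDENTIFIER_TYPE, "openid.ext1.count.ids": "5"}
    p.update({f"openid.ext1.value.ids.{n}": v for n, v in enumerate(ids, 1)})
    p["openid.signed"] = ",".join(k[7:] for k in p)  # every field signed
    return p
```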