[OpenID] allowing users to switch to openid-only: pointless?

SitG Admin sysadmin at shadowsinthegarden.com
Fri May 29 03:35:30 UTC 2009


>account. You don't want your user saying "I logged in with OpenID why do I
>need a username?".

On the flip side, "Why is everyone on the site going to know me by 
this ugly URL?" - Pibb, for example, knows me as Shade.

>First question you need to answer is how is your system going to identify a
>user. Is it a username or is it an email address?

What was the difference, again?

If not for disallowed characters in usernames, I could probably take 
'http://openid.net/' as mine - if no one else had taken it before me! 
But does this mean I am even *associated* with openid.net in any way?

Probably not. We have OpenID, though, to help with knowing that.

Usernames can also resemble E-mail addresses (if no one has taken 
'santrajan at gmail.com' before, I can probably do so at sites that 
don't ban the at symbol or period), but again, does this prove any 
association with the address?

>1) If username then the OpenID or Facebook ID is your username. I would
>recommend not to allow associations of other IDs to the same account.
>(Things will get complicated).

Life is complicated. Modelling complex relationships is why good 
database engineers deserve such high wages ;)

The case in question isn't complicated, though. We just need a unique 
numeric ID in the database (autoincrementing will do fine), and then 
link this to both OpenIDs and local usernames.

>2) If you are using email addresses then your account is associated with an
>email address. Every email address is a unique account.

This can be achieved through application-layer logic, there's no need 
to make the E-mail string itself a primary key. So, users could log 
in with their OpenID *or* their E-mail address, just like they might 
log in with an OpenID *or* their username local to the site. 
Attackers would not be able to discern associated OpenIDs by trying 
to log in with an E-mail address, nor vice versa.

>In this case you can
>associate OpenID with your account only if the OpenID provider provides an
>email address with authentication.

No, sorry, the old ways of doing this still work. I'm logged in, I 
say "I'd like to associate an OpenID with my account.", and they send 
me away treating it as a login (while still retaining our current 
session), and if I return successfully I've just proven that my 
account is associated with that OpenID.

Same method works for E-mail, I receive the message and click a link 
(or copy some value back into their site during my still-active 
session) to confirm that I have requested association with an address 
that is "mine". Note that the OpenID provider won't know my E-mail 
address, even if I had deleted my local username and was only logged 
in through OpenID - the RP knows my address, but the OP doesn't need 
to.

>Trying to do more than what 1) or 2) suggests will lead to complication or
>confusion for users.

I think restricting users to one or the other is what would lead to 
confusion. If you pick 1 then users who instinctively try 2 are 
confused and need to readjust; if you pick 2 then users who 
instinctively try 1 are confused and need to readjust. If you remain 
flexible, letting user actions work *no matter what they try*, users 
will not be confused.

If anyone is going to get confused, it will be the programmers who 
actually have to worry about a technical implementation of this.

-Shade
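The account model and the two association flows described in the message above (a numeric account id with OpenIDs, a local username and e-mail addresses linked to it; linking an OpenID by treating it as a login while the current session stays alive; confirming an e-mail address with a mailed token the OP never sees), sketched as an added example. This is constructed illustration code, not code from the OpenID list, from Shade, or from any real relying party; the class and method names, the SQLite schema and the identifiers in the comments are all hypothetical. Verification of the OP's signed assertion is assumed to happen before `login_openid` / `finish_openid_link` are called.

```python
"""Constructed sketch: one autoincrementing numeric id per account, with
OpenIDs, a local username/password and e-mail addresses each linked to it.
Not from the OpenID list or any real RP; all names are hypothetical."""
import hashlib
import hmac
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE account  (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE);
CREATE TABLE password (account_id INTEGER UNIQUE REFERENCES account(id), salt BLOB, hash BLOB);
CREATE TABLE openid   (account_id INTEGER REFERENCES account(id), claimed_id TEXT UNIQUE);
CREATE TABLE email    (account_id INTEGER REFERENCES account(id), address TEXT UNIQUE);
"""


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Accounts:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        # token -> (kind, account_id, value): association requests of live sessions
        self.pending = {}

    # --- creation / login ---------------------------------------------------
    def create_local(self, username, password):
        aid = self.db.execute("INSERT INTO account (username) VALUES (?)", (username,)).lastrowid
        salt = secrets.token_bytes(16)
        self.db.execute("INSERT INTO password VALUES (?, ?, ?)", (aid, salt, _hash(password, salt)))
        return aid

    def login_password(self, name_or_email, password):
        """Username or a confirmed e-mail address plus password. One uniform
        failure value, so probing a name reveals nothing about what is linked."""
        row = self.db.execute(
            "SELECT a.id, p.salt, p.hash FROM account a "
            "JOIN password p ON p.account_id = a.id "
            "LEFT JOIN email e ON e.account_id = a.id "
            "WHERE a.username = ? OR e.address = ?", (name_or_email, name_or_email)).fetchone()
        if row is None or not hmac.compare_digest(row[2], _hash(password, row[1])):
            return None
        return row[0]

    def login_openid(self, verified_id):
        """verified_id: the identifier the RP already checked in the OP's signed
        assertion (that check is assumed, not shown here)."""
        row = self.db.execute("SELECT account_id FROM openid WHERE claimed_id = ?",
                              (verified_id,)).fetchone()
        return row[0] if row else None

    # --- linking extra identifiers to an existing, logged-in account -------
    def start_openid_link(self, account_id, claimed_id):
        """Logged-in user asks to add an OpenID: remember the request in the
        live session and send them to the OP exactly as for a login."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = ("openid", account_id, claimed_id)
        return token

    def finish_openid_link(self, token, verified_id):
        """Back from the OP: the asserted identifier must be the one requested."""
        kind, aid, claimed = self.pending.pop(token, (None, None, None))
        if kind != "openid" or verified_id != claimed:
            return False
        return self._bind("openid", aid, claimed)

    def start_email_link(self, account_id, address):
        """The returned token is what gets mailed to the address; the RP knows
        the address, the OP never sees it."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = ("email", account_id, address)
        return token

    def confirm_email(self, token):
        """User brings the mailed token back during the still-active session."""
        kind, aid, address = self.pending.pop(token, (None, None, None))
        return kind == "email" and self._bind("email", aid, address)

    def _bind(self, kind, aid, value):
        sql = {"openid": "INSERT INTO openid VALUES (?, ?)",
               "email": "INSERT INTO email VALUES (?, ?)"}[kind]
        try:
            self.db.execute(sql, (aid, value))
        except sqlite3.IntegrityError:
            return False  # identifier already belongs to some account
        return True

    def drop_local_login(self, account_id):
        """Going OpenID-only: username and password go, the numeric id and the
        OpenIDs and e-mail addresses hanging off it stay."""
        self.db.execute("DELETE FROM password WHERE account_id = ?", (account_id,))
        self.db.execute("UPDATE account SET username = NULL WHERE id = ?", (account_id,))
```

Tokens are one-shot: a pending association is popped on the first completion attempt, successful or not, so a stale or replayed return cannot bind anything. The e-mail address and the OpenID are never themselves keys of the account table, which is what lets either be added, confirmed or removed without touching the account id the rest of the site refers to.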


