<br><font size=2 face="sans-serif">It is useful, and is the same conclusion
I arrived at.</font>
<br>
<br><font size=2 face="sans-serif">Thanks,<br>
Shane.</font>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Dan Ragle <dragle@jupitermedia.com></b>
</font>
<br><font size=1 face="sans-serif">Sent by: general-bounces@openid.net</font>
<p><font size=1 face="sans-serif">21/07/2008 11:41 PM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">general@openid.net</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">Re: [OpenID] linking an openid to an
existing account</font></table>
<br>
<br></table>
<br>
<br>
<br><tt><font size=2>In that case, I believe the claimed id after discovery<br>
(which, in the case of 1.1, should be the normalized<br>
user supplied ID) is your best choice (that's the one<br>
I use). Perhaps not optimal, but if you need 1.1<br>
compatibility that's the best of the options.<br>
<br>
This blurb from the specs (section 14.2.1) seems to at<br>
least indirectly concur:<br>
<br>
"openid.claimed_id" is not defined by OpenID<br>
Authentication 1.1. Relying Parties MAY send the<br>
value when making requests, but MUST NOT depend on<br>
the value being present in authentication responses.<br>
When the OP-Local Identifier ("openid.identity") is<br>
different from the Claimed Identifier, the Relying<br>
Party MUST keep track of what Claimed Identifier was<br>
used to discover the OP-Local Identifier, for<br>
example by keeping it in session state. Although the<br>
Claimed Identifier will not be present in the<br>
response, it MUST be used as the identifier for the<br>
user.<br>
<br>
Hope that's helpful!<br>
<br>
Dan<br>
<br>
> Agree for OpenID 2.0.<br>
> <br>
> What about OpenID 1.1 backwards-compatibility, which doesn't have the<br>
> claimed_id concept?<br>
> <br>
> Dan Ragle <dragle@jupitermedia.com> <br>
> Sent by: general-bounces@openid.net<br>
> 19/07/2008 12:01 AM<br>
> <br>
> To<br>
> general@openid.net<br>
> cc<br>
> <br>
> Subject<br>
> Re: [OpenID] linking an openid to an existing account<br>
> <br>
> P.S. - per section 11.5 of the OpenID specs:<br>
> <br>
> "The Claimed Identifier in a successful<br>
> authentication response SHOULD be used<br>
> by the Relying Party as a key for local<br>
> storage of information about the user.<br>
> The Claimed Identifier MAY be used as a<br>
> user-visible Identifier. When displaying<br>
> URL Identifiers, the fragment MAY be<br>
> omitted."<br>
> <br>
> Cheers!<br>
> <br>
> Dan<br>
> <br>
>> I have a question about best-practices. <br>
>><br>
>> Consider a website with an existing user base. You want to provide the<br>
>> users an alternate means of authentication with an OpenID (e.g. replacing<br>
>> existing password-based authentication), so you show them a page (after<br>
>> they've authenticated) which says "Link an OpenID to your account".<br>
>><br>
>> The user authenticates with an OpenID, and the site associates <something><br>
>> with the user's existing account so that in the future OpenID<br>
>> authentication can happen as the primary login and the same <something><br>
>> can be used to figure out which user account to login as.<br>
>><br>
>> My question is what is the best thing to use as <something>. There are<br>
>> options, most with certain limitations, and I wanted to see if the<br>
>> community has a general pattern or recommendation.<br>
>><br>
>> For example, the <something> could be (non-exhaustive):<br>
>><br>
>> 1. The "as-typed-in-by-the-user" user-supplied identifier. This has<br>
>> limitations that a user can have multiple user-supplied identifiers that<br>
>> normalize to the same id, and they can confuse themselves (e.g.<br>
>> shane.myopenid.com = http://shane.myopenid.com). This doesn't work well<br>
>> with OP identifiers.<br>
>><br>
>> 2. The claimed identifier after discovery. This doesn't play well with<br>
>> delegation if a user switches OPs but keeps their user-supplied<br>
>> identifier.<br>
>><br>
>> 3. Some other combination?<br>
>><br>
>> Your thoughts appreciated.<br>
>><br>
>><br>
>><br>
>> ------------------------------------------------------------------------<br>
>><br>
>> _______________________________________________<br>
>> general mailing list<br>
>> general@openid.net<br>
>> http://openid.net/mailman/listinfo/general<br>
</font></tt>
<br>
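<br><font size=2 face="sans-serif">Added example, not part of the original thread or of any OpenID library: a Relying Party sketch that picks the account-linking key as discussed above, keeping the Claimed Identifier in session state for OpenID 1.1 and reading openid.claimed_id only from 2.0 responses. The function names and the example.com URLs are hypothetical; discovery, signature and nonce checks are assumed to happen elsewhere.</font>

```python
from urllib.parse import urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

def normalize_identifier(user_input):
    """Normalize a user-supplied URL identifier (XRIs are out of scope)."""
    s = user_input.strip()
    if s.startswith(("xri://", "=", "@", "+", "$", "!", "(")):
        raise ValueError("XRI identifiers are not handled in this example")
    if "://" not in s:
        s = "http://" + s                      # bare host names default to http
    p = urlsplit(s)                            # urlsplit lower-cases the scheme
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("not an http(s) identifier")
    netloc = p.hostname + (":%d" % p.port if p.port else "")
    # Lower-cased host, forced path, fragment dropped.
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def begin_login(session, user_input, op_local_id=None):
    """Before redirecting to the OP, remember the Claimed Identifier."""
    # Assumption: discovery followed no redirects, so the claimed id is the
    # normalized input; op_local_id is the delegate found by discovery, if any.
    claimed = normalize_identifier(user_input)
    session["claimed_id"] = claimed
    session["op_local_id"] = op_local_id or claimed
    return claimed

def account_key(session, response):
    """Return the identifier to store against, or look up, the local account.

    Assumes the response signature and nonce were already verified.
    """
    if response.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if response.get("openid.ns") == OPENID2_NS:
        claimed = response.get("openid.claimed_id")
        if not claimed:
            raise ValueError("2.0 assertion without openid.claimed_id")
        return claimed    # assumes discovery on this value was re-checked
    # OpenID 1.1: claimed_id may be absent, so never read it from the response.
    expected = session.get("op_local_id")
    if not expected or response.get("openid.identity") != expected:
        raise ValueError("openid.identity does not match the discovered identifier")
    return session["claimed_id"]
```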