Unique usernames on OpenID sites

[Cornelius Schumacher]

I'm working on a web site which uses OpenID for authentication. In addition to 
the (potentially multiple) OpenID associated with an account we also create 
an unique username which can be edited by the user. We have an additional 
display name which we use to show users in the UI, but we use this username 
for uniquely identifying users when it's important to have a unique way of 
identifying users, e.g. when giving another user access rights or in the API. 
We don't show the OpenID at all.

While this solution seems to work, I would be interested in comments, if this 
is the best possible way to implement it in terms of user experience, or if 
there are better ideas or practices how to do that.

I looked at the relying party best practices page at 
https://openid.pbwiki.com/Relying-Party-Best-Practices, but it doesn't seem 
to have a real answer to that. In fact it's somewhat inconsistent, because it 
advises to not show the OpenID without user's approval, but also recommends 
to use the OpenID as unique identifier instead of a site-specific unique 
username. For some cases this doesn't work together.

-- 
Cornelius Schumacher <cschum at suse.de>