Unique usernames on OpenID sites
cschum at suse.de
Wed Jan 14 21:41:34 UTC 2009
I'm working on a web site which uses OpenID for authentication. In addition to
the (potentially multiple) OpenID associated with an account we also create
an unique username which can be edited by the user. We have an additional
display name which we use to show users in the UI, but we use this username
for uniquely identifying users when it's important to have a unique way of
identifying users, e.g. when giving another user access rights or in the API.
We don't show the OpenID at all.
While this solution seems to work, I would be interested in comments, if this
there are better ideas or practices how to do that.
I looked at the relying party best practices page at
https://openid.pbwiki.com/Relying-Party-Best-Practices, but it doesn't seem
to have a real answer to that. In fact it's somewhat inconsistent, because it
advises to not show the OpenID without user's approval, but also recommends
to use the OpenID as unique identifier instead of a site-specific unique
username. For some cases this doesn't work together.
Cornelius Schumacher <cschum at suse.de>
More information about the user-experience