I have a question about best-practices.

Consider a website with an existing user base. You want to provide the users an alternate means of authentication with an OpenID (e.g. replacing existing password-based authentication), so you show them a page (after they've authenticated) which says "Link an OpenID to your account".

The user authenticates with an OpenID, and the site associates <something> with the user's existing account so that in the future OpenID authentication can happen as the primary login and the same <something> can be used to figure out which user account to login as.

My question is what is the best thing to use as <something>. There are options, most with certain limitations, and I wanted to see if the community has a general pattern or recommendation.

For example, the <something> could be (non-exhaustive):

1. The "as-typed-in-by-the-user" user-supplied identifier. This has limitations that a user can have multiple user-supplied identifiers that normalize to the same id, and they can confuse themselves (e.g. shane.myopenid.com = http://shane.myopenid.com). This doesn't work well with OP identifiers.

2. The claimed identifier after discovery. This doesn't play well with delegation if a user switches OP's but keeps their user-supplied identifier.

3. Some other combination?

Your thoughts appreciated.

_______________________________________________
general mailing list
general <at> openid.net
http://openid.net/mailman/listinfo/general