Re: [OpenID] linking an openid to an existing account
From: Dan Ragle <dragle <at> jupitermedia.com>
Subject: Re: [OpenID] linking an openid to an existing account
Newsgroups: gmane.comp.web.openid.general
Date: 2008-07-18 13:50:10 GMT
Hi,

I think the key to use is the claimed_id returned by the OP as part of a positive assertion (which you have to verify against your own discovered data as part of the authentication); otherwise you run into the potential future-user-inherits-the-account problem:

> 1. The "as-typed-in-by-the-user" user-supplied identifier. This has
> limitations that a user can have multiple user-supplied identifiers that
> normalize to the same id, and they can confuse themselves (e.g.
> shane.myopenid.com = http://shane.myopenid.com). This doesn't work well
> with OP identifiers.

And it also has the problem that a user may abandon an ID at a particular OP, and that another user might take it over at some point in the future and thus gain access to your already associated account through it. Of course, I'm assuming here that the OP uses some type of fragment identifier on the returned claimed_id to historically differentiate the new vs. old ID (i.e., like Yahoo does now).

> 2. The claimed identifier after discovery. This doesn't play well with
> delegation if a user switches OPs but keeps their user-supplied
> identifier.

As I recall, in the case of delegation, the claimed_id after discovery is just the normalized user-supplied ID, or the canonical ID if an XRI was supplied (i.e., the ID that is used to verify the user at the OP is the OP-Local ID, not the claimed identifier). So it should still work if the user delegates and switches OPs later, unless I've misunderstood your point. But in the case of non-delegation, this scenario has the same potential problem as above.

> 3. Some other combination?

As I understood it, the returned claimed_id from the OP should be the normalized user-supplied ID in the case of delegation, or an historically unique form of the user's chosen (in the case of OP IDs) or supplied ID otherwise. Thus, I believe it's the most accurate link.

> Your thoughts appreciated.
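The following is an added example, not code from the thread or from any OpenID library. It models the three linking choices discussed in the message above with in-memory data: a user-supplied identifier normalized the OpenID 2.0 way (so the two spellings of shane.myopenid.com collide), a positive assertion whose claimed_id is checked against the RP's own discovered data with the fragment ignored, and an account store keyed once on the as-typed identifier and once on the verified claimed_id. The hostnames, account names and `#frag-...` values are constructed, and the OP signature check is reduced to a boolean. It walks through both the abandoned-identifier case (a later owner of the same OP identifier must not inherit the account) and the delegation case (the claimed_id is the user's own URL, so switching OPs keeps the link).

```python
"""Linking a local account to an OpenID: key on the verified claimed_id.

Added example (not from the original thread). All names, URLs and
fragment values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


def normalize_user_supplied(identifier: str) -> str:
    """OpenID 2.0 style normalization for URL identifiers (XRIs not handled):
    add a missing http:// scheme, lower-case scheme and host, turn an empty
    path into '/', and drop any fragment the user typed."""
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def strip_fragment(url: str) -> str:
    """Fragment-free form of a URL; the OP's fragment is not part of the
    identifier the RP discovered, so it is ignored when verifying."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


@dataclass
class Assertion:
    """The parts of a positive assertion that matter for linking (constructed)."""
    claimed_id: str         # openid.claimed_id as returned by the OP
    signature_valid: bool   # outcome of the RP's signature / association check


def verify_assertion(discovered_claimed_id: str, a: Assertion) -> bool:
    """Accept only a signed assertion whose claimed_id, fragment aside,
    equals what the RP itself discovered when the login started."""
    if not a.signature_valid:
        return False
    return strip_fragment(a.claimed_id) == strip_fragment(discovered_claimed_id)


@dataclass
class AccountStore:
    by_typed: dict = field(default_factory=dict)    # option 1: normalized as-typed id
    by_claimed: dict = field(default_factory=dict)  # recommended: verified claimed_id

    def link(self, typed_id: str, discovered: str, a: Assertion, account: str) -> None:
        if not verify_assertion(discovered, a):
            raise ValueError("assertion does not match discovered data")
        self.by_typed[normalize_user_supplied(typed_id)] = account
        self.by_claimed[a.claimed_id] = account   # fragment kept: it is the history marker

    def login_by_typed(self, typed_id: str, discovered: str, a: Assertion):
        if not verify_assertion(discovered, a):
            return None
        return self.by_typed.get(normalize_user_supplied(typed_id))

    def login_by_claimed(self, discovered: str, a: Assertion):
        if not verify_assertion(discovered, a):
            return None
        return self.by_claimed.get(a.claimed_id)


def run_scenario() -> dict:
    """Constructed walk-through of the abandoned-identifier and delegation cases."""
    store, results = AccountStore(), {}

    # Alice signs up typing the bare host; discovery yields the normalized URL and
    # the OP returns it with a per-owner fragment (constructed value).
    typed, typed2 = "shane.myopenid.com", "http://shane.myopenid.com"
    discovered = normalize_user_supplied(typed)
    alice = Assertion(discovered + "#frag-alice-1", signature_valid=True)
    store.link(typed, discovered, alice, account="alice")

    # Same person, other spelling: both normalize alike, and claimed_id finds her.
    results["alice_by_claimed"] = store.login_by_claimed(normalize_user_supplied(typed2), alice)

    # Alice abandons the identifier; Bob later gets it and the OP issues a new fragment.
    bob = Assertion(discovered + "#frag-bob-2", signature_valid=True)
    results["bob_by_typed"] = store.login_by_typed(typed2, discovered, bob)   # inherits Alice's account
    results["bob_by_claimed"] = store.login_by_claimed(discovered, bob)       # no account: correct

    # Delegation: claimed_id is the user's own URL, so a different OP asserts the same value.
    own_url = normalize_user_supplied("dan.example")    # constructed delegating identifier
    store.link("dan.example", own_url, Assertion(own_url, True), account="dan")
    results["delegated_after_switch"] = store.login_by_claimed(own_url, Assertion(own_url, True))

    # An unsigned (or mismatched) assertion is refused before any lookup.
    results["unsigned"] = store.login_by_claimed(discovered, Assertion(discovered, False))
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v!r}")
```

The store keeps both keys side by side only to make the comparison visible; a real RP would persist the verified claimed_id alone, and would treat a claimed_id it has never seen (Bob's case above) as a new account rather than a match.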