tags:

views:

95

answers:

1
+2  Q: 

Best practice for developing site with openId - user table?

I'm quite new to OpenId and I'm having a bit of a problem understanding how to use the OpenId once the authentication is complete.

I'm creating a new site, and I've had no problem in getting the openId authentication working. But I'm not sure how I should store user related data once the user is logged in.

Before openId, I would have my own registration process, a UserTable with a unique UserId (integer), and all other tables involving data related to some user activitiy would just have a UserId column identifying the user.

Should I now use the OpenId id in my tables? Should I create a really simple OpenId->UserId table that every login is mapped to and have data stored as previously? And what happens when a user want to use different OpenId providers?

+2  A: 

I'd suggest that you have user id to OpenID mapping, just because it would make sense to have it one-to-many — it is a good practice to allow people have more than one OpenID identity bound to the account.

Michael Krelin - hacker  2009-08-25 08:41:39
So I guess that when a user is authenticated, I should check my user table and see if the openId exists, if not create a new row...But how do you (in a secure manner) allow people to map multiple OpenId to an existing userId?
Bjorn  2009-08-25 08:50:18
Yes, actually, if the user comes with a yet unknown `OpenID` it would be the best to ask if the user wants to create a new account or bind it to the existing one (in the latter case user has to authenticate with the other OpenID).As for secure way of managing OpenID — it is more or less UI thing. One of the solutions would be asking for confirmation after successfull `OpenID` roundtrip (or unsolicited identity assertion). The other would be to use a special nonce or cookie for the roundtrip. Whatever you can come up with.
Michael Krelin - hacker  2009-08-25 08:54:54

related questions

how to get login credentials by openId?
OpenID Migration
PHP Tutorial for OpenId and OAuth
OpenID login workflow?
OpenID support for Ruby on Rails application
Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
What is the benefit of using ONLY OpenID authentication on a site?
Problems with migrating Cardspace cards between computers
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
How do I enable open id on a Java Webapp?
What would it take to make OpenID mainstream?
What's the best .NET library for OpenID and ASP.NET MVC?
Useful browser plugins for openid authentication?
How do I implement an OpenID server in Rails?
How do I implement OpenID in my web application?
Why is HTML form redirection used in OpenID 2?
How do you set up an OpenID provider (server) in Ubuntu?
OpenID as a Single Sign On option??
Should my website abandon username/password authentication in favor of OpenID?
OpenID authentication in ASP.NET?
Open ID - What happens when you decide you don't like your existing provider?
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
How do I use more than one OpenID?