I'm quite new to OpenId and I'm having a bit of a problem understanding how to use the OpenId once the authentication is complete.

I'm creating a new site, and I've had no problem in getting the openId authentication working. But I'm not sure how I should store user-related data once the user is logged in.

Before openId, I would have my own registration process, a UserTable with a unique UserId (integer), and all other tables involving data related to some user activity would just have a UserId column identifying the user.

Should I now use the OpenId id in my tables? Should I create a really simple OpenId->UserId table that every login is mapped to and have data stored as previously? And what happens when a user wants to use different OpenId providers?

+2  A: 

I'd suggest that you have a user id to OpenID mapping, just because it would make sense to have it one-to-many — it is a good practice to allow people to have more than one OpenID identity bound to the account.

Michael Krelin - hacker
So I guess that when a user is authenticated, I should check my user table and see if the openId exists, if not create a new row... But how do you (in a secure manner) allow people to map multiple OpenId to an existing userId?
Bjorn
Yes, actually, if the user comes with a yet unknown `OpenID` it would be the best to ask if the user wants to create a new account or bind it to the existing one (in the latter case the user has to authenticate with the other OpenID). As for a secure way of managing OpenID — it is more or less a UI thing. One of the solutions would be asking for confirmation after a successful `OpenID` roundtrip (or unsolicited identity assertion). The other would be to use a special nonce or cookie for the roundtrip. Whatever you can come up with.
Michael Krelin - hacker
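
The mapping and binding flow discussed in this thread, as an added example that is not part of the original posts: a one-to-many OpenID-to-UserId table, plus a bind step that requires an already logged-in session and a single-use nonce for the roundtrip. The table and function names, the `session` dict (standing in for a server-side session) and the use of SQLite are assumptions; `verified_claimed_id` is assumed to be the identifier your OpenID library returns after it has verified the assertion.

```python
import secrets
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE user_openids (
            claimed_id TEXT PRIMARY KEY,   -- an identifier belongs to one account
            user_id INTEGER NOT NULL REFERENCES users(user_id)  -- many per user
        );""")
    return db

def lookup_user(db, claimed_id):
    row = db.execute("SELECT user_id FROM user_openids WHERE claimed_id = ?",
                     (claimed_id,)).fetchone()
    return row[0] if row else None

def create_account(db, claimed_id, name):
    with db:  # one transaction: user row plus its first identifier
        uid = db.execute("INSERT INTO users (display_name) VALUES (?)",
                         (name,)).lastrowid
        db.execute("INSERT INTO user_openids VALUES (?, ?)", (claimed_id, uid))
    return uid

def begin_bind(session):
    # Only an already authenticated session may start binding another OpenID.
    if session.get("user_id") is None:
        raise PermissionError("log in with an existing OpenID first")
    session["bind_nonce"] = secrets.token_urlsafe(32)  # sent along on the roundtrip
    return session["bind_nonce"]

def finish_bind(db, session, verified_claimed_id, returned_nonce):
    expected = session.pop("bind_nonce", None)  # single use, even on failure
    if expected is None or not secrets.compare_digest(
            expected.encode(), returned_nonce.encode()):
        raise PermissionError("bind nonce missing or mismatched")
    if lookup_user(db, verified_claimed_id) is not None:
        raise ValueError("identifier already bound to an account")
    with db:
        db.execute("INSERT INTO user_openids VALUES (?, ?)",
                   (verified_claimed_id, session["user_id"]))
    return session["user_id"]
```

All other tables keep referencing the integer `user_id`, so adding or removing an OpenID never touches user data.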