views: 334
answers: 4

Hello Experts,

I am a newbie in OpenID. I have spent a lot of time thinking about what the best practices are for giving the user the choice to log in with various OpenID-enabled accounts.

(I have to further clarify that my system is not a system that only requires a simple "one-time authentication" for doing a blog posting, but rather is a full system like a social networking site, where a user will always add more information and edit existing information for "his personal account"... So the system itself requires having some kind of "account" that will be associated with the work the user does.)

Given the case that I do not create a "dedicated user account with password and username for my site" and only rely on the OpenID logins, I ran into the following problem: When user "A" logs in (for the first time) via a "Google Account", then everything he does will be associated with the Google account. When he comes back and does NOT click on the "Google Account Sign-in" but rather "Yahoo Sign-in", he will be signed in but will create/get a new account associated with Yahoo. Everything he did with the Google account seems to be lost. Simply issuing every user an "OpenID-independent and unique username" (without password) on my site does not work: if I ask for this unique username (without password) when logging in, everybody could guess the username of others and associate an OpenID with them. But if I also have to have a password for this username, then I end up where we were in the past without OpenID: then I have to issue the user some kind of "master account" (with username and password) that he can, for convenience, associate with any number of OpenID accounts. But for what reason do I then have OpenID in this case? As the user has to remember "my master password and user ID" anyway...

=> Does this mean that OpenID does not "directly" support the "free choice" of multiple accounts? If I want the users to be able to log in (for every single login) with an arbitrary OpenID user account, is the only way of doing it the following:

1.) User logs in via a "known OpenID account" => that's fine, nothing has to be done

2.) User logs in via an "unknown OpenID account" => "authenticate" the user via the "unknown" OpenID (for example Yahoo), but when the user is back on my page, state to the user that this (Yahoo) OpenID account is unknown (= no further work is associated with it = it's like a new account) and ask if he maybe logged in the last time via another account, and provide the list of supported OpenID accounts. The user can then choose one of the providers he used the last time (for example Google). Then, in addition to the login already made (with Yahoo), he also has to log in to the "older" (Google) account he used the last time. Both accounts are then "associated with each other" and any work on the older (Google) account can now be accessed also via the newer (Yahoo) OpenID account/login?

Or is there any other way to support "multiple OpenID accounts" for ONE USER ACCOUNT?

(The reason why I am asking this: OpenID is not so well known to normal end users yet. If I print a large list with logins from Google, Yahoo to Facebook, there will be a lot of users that use Google for their initial login, but the next time they come back maybe choose Facebook (as they just left the Facebook site and it's more appealing to click on the Facebook icon). This is how "websites worked" for the last "15 years": There was only one single way to log in: one username input field and one password input field. If I now print a huge list of accounts where a user has an account with each of them, they might log in with different accounts from day to day, not understanding the problem this will lead to. So the ideal world would be that a user can log in via an arbitrary account from my OpenID provider list and will have all the accounts "associated" with each other...)

I hope I was able to describe what my problem is.

I really appreciate your help and ideas (maybe I have completely misunderstood something here).

Thank you very much! Jan

A: 

It seems like you'd have to get the user to log in with both to connect them together.

Epsilon Prime
+2  A: 

OpenID is an authentication mechanism, not a profile storage mechanism. You should still have a unique identifier for the person on your site, and should maintain a record which stores the OpenID in relation to that unique identifier in the same way you would store a password related to that unique identifier.

Jeremy Seghi
Hello Jeremy, thanks for your answer. But how would I in practice associate the unique identifier with multiple accounts? The only way of doing this would be either associating also a password with the unique identifier (=> to have some kind of full-fledged master account) or doing it the way I described above. But if I issue some kind of "master account", then OpenID is just some kind of "funny gadget", as the user nevertheless has to remember my unique identifier and the password. Otherwise there is no possibility to associate several OpenID accounts "securely" with each other.
jan
Your authentication model should be just that: an _authentication model_. It shouldn't dictate how you manage users, only how you authenticate them. You need a Unique Identifier (UID) that allows you to determine exactly which user is connected to the system. Even SO uses a UID they generate (65228 for example), and they store a connection between an OpenID and their UID. The problem you're running into is because you're using OpenID as the UID. The only way to know the user using Facebook today is the same one who used Google yesterday is to make them log in with Google first.
Jeremy Seghi
+2  A: 

Have a table in your database with the user accounts, which includes a user id, and have a link table that links an OpenID to a user id.

like

table users

  ID   NAME
  1    PIET
  2    KEES

and

table openid

  OPENID         USERID
  http://.....   1
  http://.....   1
  http://.....   2
  http://.....   2

andremo
Hello grombeestje, thank you for your answer. It would be kind if you could elaborate how exactly you would do the association of the user table with the openid table for a specific user: the way I described in my question, or do you propose any better solution?
jan
+1  A: 

Yes, the user will have to log in with both.

1. User logs in for the first time with Google Account, uses the app and logs out. App creates an internal user login (in grombeestje's table users) and associates it with the Google Account (in grombeestje's table openid).

2. Later, user has logged in to Yahoo and logs in again with Yahoo Account. Now user is offered a step to identify with other services as well:
   a. user opts in and selects Google account.
   b. user logs in with Google account.
   c. application appends the Google id to the current login.

Also, anytime the user wishes, he can choose to add logins to his profile and identify his/her other OpenIDs like Blogger, Facebook etc. If he has created different logins (in grombeestje's table users) with these accounts, then he can either drop one of the local logins (in grombeestje's table users) with the app or merge them into one.

SarjanWebDev
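The two-table layout from grombeestje's answer and the link-on-second-login procedure from SarjanWebDev's answer, worked through as an added example; this is not code from any answer on this page. It uses an in-memory SQLite database. The table and column names, the `posts` table standing in for "the work the user does", the sample OpenID URLs and the policy of merging two local accounts into the older one are all assumptions made for the example. The security-relevant rule it encodes is the one Jan was missing: a second OpenID is attached to an account only while the browser already holds a session for that account and the provider has just verified the new identifier, so there is never a typed, guessable username involved.

```python
import sqlite3

# Constructed schema (assumed names): grombeestje's users/openid tables plus a
# posts table that stands in for the user's work.  Not from the original post.
SCHEMA = """
CREATE TABLE users (
    id   INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL
);
CREATE TABLE openid (
    openid  TEXT    PRIMARY KEY,                  -- one OpenID maps to exactly one user
    user_id INTEGER NOT NULL REFERENCES users(id)
);
CREATE TABLE posts (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL REFERENCES users(id),
    body    TEXT    NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def login(conn, verified_openid, display_name=None):
    """Map a provider-verified OpenID to a local user id, creating the user on first sight.

    verified_openid must be the claimed identifier returned by the OpenID
    verification step, never a value typed by the user.  Returns (user_id, created).
    """
    row = conn.execute("SELECT user_id FROM openid WHERE openid = ?",
                       (verified_openid,)).fetchone()
    if row is not None:
        return row[0], False
    cur = conn.execute("INSERT INTO users (name) VALUES (?)",
                       (display_name or verified_openid,))
    user_id = cur.lastrowid
    conn.execute("INSERT INTO openid (openid, user_id) VALUES (?, ?)",
                 (verified_openid, user_id))
    conn.commit()
    return user_id, True


def link_openid(conn, session_user_id, verified_openid):
    """Attach another verified OpenID to the account the user is currently logged in as.

    The existing session proves ownership of the first account, the fresh provider
    assertion proves the second; no guessable username is involved.  If the OpenID
    already belongs to a different local user, the two local accounts are merged
    into the older one (assumption for this example: the older account holds the
    history).  Returns the user id the session should continue as.
    """
    if session_user_id is None:
        raise PermissionError("linking an OpenID requires an authenticated session")
    row = conn.execute("SELECT user_id FROM openid WHERE openid = ?",
                       (verified_openid,)).fetchone()
    if row is None:
        conn.execute("INSERT INTO openid (openid, user_id) VALUES (?, ?)",
                     (verified_openid, session_user_id))
        conn.commit()
        return session_user_id
    other = row[0]
    if other == session_user_id:
        return session_user_id
    keep, drop = sorted((session_user_id, other))
    return merge_accounts(conn, keep, drop)


def merge_accounts(conn, keep, drop):
    """Move every OpenID and every post from `drop` onto `keep`, then delete `drop`."""
    with conn:  # one transaction: either all rows move or none do
        conn.execute("UPDATE openid SET user_id = ? WHERE user_id = ?", (keep, drop))
        conn.execute("UPDATE posts  SET user_id = ? WHERE user_id = ?", (keep, drop))
        conn.execute("DELETE FROM users WHERE id = ?", (drop,))
    return keep


def openids_for(conn, user_id):
    return sorted(r[0] for r in conn.execute(
        "SELECT openid FROM openid WHERE user_id = ?", (user_id,)))


def posts_for(conn, user_id):
    return [r[0] for r in conn.execute(
        "SELECT body FROM posts WHERE user_id = ? ORDER BY id", (user_id,))]


def demo():
    """Replay Jan's scenario (constructed identifiers) and return the state after linking."""
    conn = open_db()
    google = "https://www.google.com/accounts/o8/id?id=example-jan"   # constructed
    yahoo = "https://me.yahoo.com/a/example-jan"                     # constructed

    # Day 1: first login via Google creates local user 1, who does some work.
    uid_google, _ = login(conn, google, "Jan")
    conn.execute("INSERT INTO posts (user_id, body) VALUES (?, ?)",
                 (uid_google, "hello from google"))
    conn.commit()

    # Day 2: the Yahoo identifier is unknown, so a second local user appears and,
    # from that session's point of view, the Google work looks lost.
    uid_yahoo, _ = login(conn, yahoo)
    seemed_lost = posts_for(conn, uid_yahoo) == []

    # The site sees a fresh account and offers to link an older login; the user,
    # still in the Yahoo session, authenticates with Google again.  Accounts merge.
    uid_final = link_openid(conn, uid_yahoo, google)
    return {
        "google_user": uid_google, "yahoo_user": uid_yahoo, "final_user": uid_final,
        "seemed_lost": seemed_lost,
        "openids": openids_for(conn, uid_final),
        "posts": posts_for(conn, uid_final),
        "remaining_users": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }
```

After `link_openid` returns, the web layer must rewrite the session to the surviving user id, since the id the Yahoo session started with may have been deleted by the merge. The `PRIMARY KEY` on `openid.openid` is what stops one provider identity from being claimed by two local accounts; `login` and `link_openid` both rely on it.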