I would like to implement user authentication using OpenID.

Is there anything unique in user data that OpenID provides that I could use as a key to remember and identify the users? I was thinking of using the email but the user could change it.

+4  A: 

The user's OpenID identity is what you should use for this purpose.

This is either the URL entered as an identity, or returned as claimed_id when available. In either case, actually store the identity only after a successful authentication.

Refer to sections 7.2 and 7.3 of the OpenID 2.0 Specification for more information.

However, as pointed out by Stephen in the comments, you will need to generate a unique ID yourself if you want to associate multiple identities with a single user.

Yang Zhao
If you need a unique identifier so users can change the OpenID they are associated with, you'll just need to generate your own unique IDs (if you're storing this in a database, you can probably just use an auto-generated integer).
Stephen Jennings
You should ALWAYS use *exactly* what you get in the `openid.claimed_id` parameter from the provider as the unique identifier for this user account -- even if you aggregate it with other identifiers you know of into a single user account. Don't ever just use the identifier the user typed into the text box, as that opens you up to lots of security holes. And of course, verify the assertion including discovery on the new claimed_id. Better still, *use a library* that's already written. It sounds like you haven't read the spec. Don't write OpenID w/o reading the spec! Or just use a library.
Andrew Arnott
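
The storage scheme the answer and comments describe, as an added example that is not part of the original posts: an auto-generated internal user ID, with each verified `openid.claimed_id` stored exactly as received and mapped to it. The table names and the `open_db`, `login` and `link_identity` helpers are hypothetical, and the code assumes an OpenID library has already verified the assertion (including discovery on the claimed_id) before either helper is called.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,  -- internal key, independent of any OpenID
    display_name TEXT
);
CREATE TABLE openid_identities (
    claimed_id TEXT PRIMARY KEY,           -- exact openid.claimed_id, compared byte for byte
    user_id INTEGER NOT NULL REFERENCES users(id)
);
"""
FIND = "SELECT user_id FROM openid_identities WHERE claimed_id = ?"
ADD = "INSERT INTO openid_identities (claimed_id, user_id) VALUES (?, ?)"


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def login(db, verified_claimed_id):
    """Return the internal user id for a verified claimed_id.

    Creates the account on first login. The value must come from a verified
    assertion, never from what the user typed into the login box.
    """
    row = db.execute(FIND, (verified_claimed_id,)).fetchone()
    if row is not None:
        return row[0]
    with db:  # one transaction: new user plus its first identity
        user_id = db.execute(
            "INSERT INTO users (display_name) VALUES (NULL)").lastrowid
        db.execute(ADD, (verified_claimed_id, user_id))
    return user_id


def link_identity(db, user_id, verified_claimed_id):
    """Attach a second verified identity to an existing account."""
    row = db.execute(FIND, (verified_claimed_id,)).fetchone()
    if row is not None:
        if row[0] != user_id:
            # Never silently move an identity between accounts.
            raise ValueError("claimed_id already belongs to another user")
        return
    with db:
        db.execute(ADD, (verified_claimed_id, user_id))
```

The lookup does no normalization or case folding, so two claimed_id values that differ in any character are treated as different identities.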