Scenario: A user logs into a site (like StackOverflow) with an OpenID. A year later they return to the site but their OpenID provider has gone out of business and won't let them log in.
How best should they recover from this situation? And are there any OpenID-enabled sites you know of that have already implemented a solution for this?
There is an excellent article here about relying party best practices, and they have a good suggestion, but I'm still looking for an example of this in action:
Provide Lost Identifier functionality to switch to a new identifier without access to the old one
Provide a mechanism to switch an account to use a new identifier without access to the old identifier(s) associated with the account. This can take a similar form to the traditional "Forgot your password?" email verification dance, assuming that you have the user's email address on file.
Rationale: Users will sometimes lose the ability to use their identifiers, such as when their provider ceases to offer service to them. This functionality allows users to recover from this situation without losing their data.
I have some vague idea of how I can accomplish this with a token of sorts that's sent to the user's email address. But again, if someone else has already figured out a good solution with details I may not have thought of yet, then that'd be better.
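One way the e-mailed token flow could look, as an added example that is not part of the original post or the quoted article. The `RecoveryStore` class, its in-memory schema, the one-hour lifetime and the sample accounts are all assumptions made for illustration.

```python
import hashlib, secrets, time

TOKEN_TTL = 3600  # seconds; assumed lifetime for a recovery link

class RecoveryStore:
    """In-memory stand-in for the site's account table (hypothetical schema)."""
    def __init__(self):
        self.accounts = {}   # account_id -> {"email": str, "openids": set}
        self.pending = {}    # sha256(token) -> (account_id, expires_at)

    def request_recovery(self, email, now=None):
        """Return a token to e-mail, or None. The caller shows the same
        'check your inbox' page either way, so addresses can't be enumerated."""
        now = time.time() if now is None else now
        for account_id, acct in self.accounts.items():
            if acct["email"].lower() == email.lower():
                token = secrets.token_urlsafe(32)
                digest = hashlib.sha256(token.encode()).hexdigest()
                # Store only the hash: a leaked table yields no usable links.
                self.pending[digest] = (account_id, now + TOKEN_TTL)
                return token
        return None

    def complete_recovery(self, token, verified_openid, now=None):
        """verified_openid must come from a successful OpenID assertion in the
        current session, never from a form field the user typed."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        account_id, _ = entry
        # Refuse identifiers already bound to a different account.
        for other_id, acct in self.accounts.items():
            if other_id != account_id and verified_openid in acct["openids"]:
                return False
        # Drop the old identifiers: the user no longer controls them.
        self.accounts[account_id]["openids"] = {verified_openid}
        return True

# Constructed sample data
store = RecoveryStore()
store.accounts[1] = {"email": "alice@example.com",
                     "openids": {"https://dead-provider.example/alice"}}
store.accounts[2] = {"email": "bob@example.com",
                     "openids": {"https://op.example/bob"}}
```

The link in the e-mail should lead the user through a normal login with the new provider first, so that `complete_recovery` only ever receives an identifier the site has just verified.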