I have a working web application which already has a login and registration system. I'm looking for some advice on how to do it.
Until now, users have a username, an email, a password and some optional fields. The registration is the usual process with email confirmation.
Now I'd like to allow users to use OpenId. So I have added an openid field to the table. There are two different login forms, and users who are already registered can add their openid info and use either login form.
The problem is with new users who come to the site for the first time and try to log in with OpenId. I create a new user for them, and I don't need a password, but still I need at least a username, which is used on the site (I'm not sure if the email is needed).
So my problems are:
1) How do I manage validation? Some fields are required for some users (e.g. a password), but not for some others. I mean, I can do this, but it immediately gets messy.
2) Should I ask for a username and email on the first OpenId login? On the one hand I'd say yes, but I fear this defeats the advantages of using OpenId, that is, not having to provide details.
3) I could get the details via SReg or AttributeExchange, but most providers have bad support for those. For instance, my Gmail OpenId account does not tell the email (!). Is there some place to learn more about the current support for these extensions?