views:

54

answers:

2

Using openID has brought up some questions that I'm hoping the SO community can help me answer.

OpenID and the (now obsolete) Username

From what I've read, one of the main goals of openID is to eliminate the need for someone to create yet another username and password for some site they may only use once. While I think this is a really awesome idea, it does cause one point of confusion:

Usernames are used not only as an authentication device (login credentials), but as a means of identifying a user as they create content on a website (comments, thread posts, etc.).

My Concerns

  1. What do I use to identify someone on the site as they move through it? Do I still request they choose a username when signing up for my site?
  2. I've noticed on sites like SO, a "Display Name" is used instead of a username. This is a field that can be changed by the user.
    • How do you avoid confusion when a user decides to change their display name?

Restricting Who Can Login to Your Site Even If They have a valid OpenID

Imagine the following scenario:

  • You have a website that you only want you and three friends to be able to access.
  • In a traditional user authentication setup, you would create the accounts for your three friends manually and then email them their login credentials. In this case, however, you want them to use openID.

My Questions

  1. How do you restrict openID authentication to a very specific subset of people?
  2. How do you set up accounts for people who have yet to authenticate to your site using OpenID?

Thanks again, SO community for your time and help with this. You guys are awesome.

+1  A: 

Ebay has one method for avoiding confusion/fraud with name changes (or did a few years back). For 30 days or something like that, there is a badge next to your name that says you just changed your name. If you wanted to, you could even provide full name history.

As far as limiting access, they still have accounts on your site that are created by your site's code. OpenID just provides the authentication mechanism. You could still require, say, that all new users are validated by an admin before they can access important parts of your site.

Another way to describe it is to think of authentication and authorization as two different concepts. OpenID only covers authentication. Your site would manage the authorization for an authenticated account.

Scott Stafford
Hmm. The badge idea is interesting. So what it almost seems to boil down to is this: Display name has become less important over time as the web has evolved to accept the idea of openID. Usernames (Display names) are more about "What do we call you?" Vs "Who exactly are you?" Do you agree? Disagree? Does that even make sense?
Levi Hackwith
@Levi: Correct. Authentication basically means proving your identity - the "who are you" part. As Scott said, this is what openID does. After a user is authenticated is the authorization step - "now that I know who you are, what do you have access to?" So your app is still responsible for tying the openID to an "account" on your site, and thereby obtaining the user's display name, access level, and any other attributes.
BenV
+2  A: 

How do you restrict openID authentication to a very specific subset of people?

Can't you just make an account for them, and disable registrations, so that only they can sign in? When using OpenID, you still have user accounts, so you can do similar restrictions to what you could do normally. You can treat the OpenID similar to a username and only allow certain OpenIDs to register/login.

How do you set up accounts for people who have yet to authenticate to your site using OpenID?

I'd probably ask for a display name during the registration process. Some OpenID providers pass a display name back after authentication, which you could probably use if it's not taken on your site yet.

Daniel15
Okay, that makes sense. So, my three friends would have to tell me what openID they want to use on my site and I would pre-load that for them.
Levi Hackwith
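The two answers above both come down to the same design: OpenID only answers "who are you?", and the site still keeps its own account records, keyed by the OpenID identifier, to answer "what may you do?". The following Python module is an added example written to illustrate that split; it is not code from either answerer or from any OpenID library. It assumes that an OpenID library has already verified the assertion and handed back the claimed identifier (the `verified_identifier` parameter), and it uses hypothetical `.example` domains and names for the three friends. It shows (1) pre-provisioning an allow list of OpenIDs with registration closed, so an unknown but perfectly valid OpenID is rejected, (2) an `approved` authorization flag that the site controls independently of authentication, (3) taking a provider-supplied display name only when it is not already in use, and (4) a display-name history with a 30-day "recently renamed" badge modelled on the eBay practice mentioned in the first answer.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumption: badge window chosen to match the "30 days or something like that" above.
NAME_CHANGE_BADGE_DAYS = 30


def normalize_openid(identifier: str) -> str:
    """Simplified canonical form for a claimed identifier (assumption: a real
    OpenID library does full normalization; this only lower-cases scheme/host,
    defaults the scheme, drops the fragment and ensures a root path) so that
    equivalent spellings map to the same local account."""
    text = identifier.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


@dataclass
class Account:
    openid: str
    display_name: Optional[str] = None
    approved: bool = False  # authorization: set by the site, never by the provider
    name_history: List[Tuple[datetime, str]] = field(default_factory=list)

    def rename(self, new_name: str, now: datetime) -> None:
        """Change the display name and keep the old one so name history can be shown."""
        if self.display_name is not None:
            self.name_history.append((now, self.display_name))
        self.display_name = new_name

    def recently_renamed(self, now: datetime) -> bool:
        """True while the 'just changed their name' badge should be shown."""
        if not self.name_history:
            return False
        return now - self.name_history[-1][0] < timedelta(days=NAME_CHANGE_BADGE_DAYS)


class Site:
    def __init__(self, open_registration: bool = False) -> None:
        self.open_registration = open_registration
        self.accounts: Dict[str, Account] = {}

    def preprovision(self, identifier: str, approved: bool = True) -> Account:
        """Create the account before the person ever signs in (the allow list)."""
        key = normalize_openid(identifier)
        acct = self.accounts.setdefault(key, Account(openid=key))
        acct.approved = approved
        return acct

    def display_name_taken(self, name: str) -> bool:
        return any(a.display_name is not None and a.display_name.lower() == name.lower()
                   for a in self.accounts.values())

    def login(self, verified_identifier: str, provider_name: Optional[str] = None,
              now: Optional[datetime] = None) -> Account:
        """Map an already-verified OpenID assertion onto a local account.
        Assumption: verified_identifier comes from the OpenID library after it
        checked the provider's signature; this code never trusts raw input."""
        now = now or datetime.now(timezone.utc)
        key = normalize_openid(verified_identifier)
        acct = self.accounts.get(key)
        if acct is None:
            if not self.open_registration:
                # Valid OpenID, but not one of the accounts this site pre-created.
                raise PermissionError("registration is closed and this OpenID is not on the allow list")
            acct = Account(openid=key)
            self.accounts[key] = acct
        # Use the provider's display name only for a fresh account and only if unused.
        if acct.display_name is None and provider_name and not self.display_name_taken(provider_name):
            acct.display_name = provider_name
        return acct

    def can_post(self, acct: Account) -> bool:
        """Authorization check: authenticated is not the same as approved."""
        return acct.approved


if __name__ == "__main__":
    site = Site(open_registration=False)
    for friend in ("https://friend-one.example/", "https://friend-two.example/", "friend-three.example"):
        site.preprovision(friend)  # hypothetical identifiers
    me = site.login("https://Friend-One.example", provider_name="Friend One")
    print(me.display_name, "may post:", site.can_post(me))
    try:
        site.login("https://stranger.example/")
    except PermissionError as exc:
        print("rejected:", exc)
```

The allow list is the `accounts` dictionary itself: with `open_registration=False`, `login` only succeeds for identifiers that `preprovision` created, which is exactly the "make an account for them and disable registrations" approach. Setting `approved=False` when pre-provisioning gives the "validated by an admin before they can access important parts" variant from the first answer without changing the login code.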