Using OpenID has brought up some questions that I'm hoping the SO community can help me answer.
OpenID and the (now obsolete) Username
From what I've read, one of the main goals of OpenID is to eliminate the need for someone to create yet another username and password for some site they may only use once. While I think this is a really awesome idea, it does cause one point of confusion:
Usernames are used not only as an authentication device (login credentials), but as a means of identifying a user as they create content on a website (comments, thread posts, etc.).
My Concerns
- What do I use to identify someone on the site as they move through it? Do I still request they choose a username when signing up for my site?
- I've noticed on sites like SO, a "Display Name" is used instead of a username. This is a field that can be changed by the user.
- How do you avoid confusion when a user decides to change their display name?
Restricting Who Can Login to Your Site Even If They have a valid OpenID
Imagine the following scenario:
- You have a website that you only want you and three friends to be able to access.
- In a traditional user authentication setup, you would create the accounts for your three friends manually and then email them their login credentials. In this case, however, you want them to use OpenID.
My Questions
- How do you restrict OpenID authentication to a very specific subset of people?
- How do you set up accounts for people who have yet to authenticate to your site using OpenID?
Thanks again, SO community, for your time and help with this. You guys are awesome.