Retrieving email: OpenId vs. classical authentication

Question

I need to implement authentication for the project I am working on. But I can't make the choice: to use OpenId or not. The main question for me is how to retrieve user's email (it is critical for sending notifications) if user has logged in by OpenId. Of course, most OpenId providers return this information but I can't trust them (as anybody can set up an OpenId provider).

The ways I currently see are: 1. Support only OpenId providers that always return user email and to whom I can trust (it would be awkward to activate email in OpenId authentication scenario). 2. Forget about OpenId and use classical authentication.

What do you think?

Answer 1

Actually, the best idea would be to implement OpenID, but verify the email addresses anyway (or ask the user to provide them if the OP doesn't).

It's not awkward to require an user to verify their email if they're using OpenID -- the data returned by OP isn't guaranteed to be true.

And whatever you do, don't limit OpenID providers -- it'll only cause confusion. You could simply not verify the address if it comes from a known provider.