I'm setting up a login system for a site and someone suggested using openID instead.
In my current setup, I log users' login attempts into a db table. When using openID, would I still be able to have that fine-grained control or not?
I'm setting up a login system for a site and someone suggested using openID instead.
In my current setup, I log users' login attempts into a db table. When using openID, would I still be able to have that fine-grained control or not?
Yes, but it's more complex than what you may be used to.
Typically, you will have a login page on your web site where you ask the user to enter his identifier (the user-supplied identifier, which can be the identifier the user claims to own or something like http://yahoo.com, where the user will be taken to the provider's website and the provider will help him select the identifier he will claim to own). By the time the user submits this form, you can log that into the database.
Now, the user will be taken to the OpenID provider's website. He can now do three things:
Finally, you may receive an unsolicited positive assertion or negative assertion, i.e., an assertion that was not initiated by your website. You can reject these or verify the positive assertions, but any case, you can log them.
Sure thing. Any easy way is to use Janrain's Engage with account mapping: http://www.janrain.com/products/engage