OpenID: How to best associated Multiple OpenID Accounts to one User

openid

I am a newbie in openID. I spend a lot of time thinking what the best-practices are to give the user the choice, to login with various OpenID enabled accounts.

(I have to further clarify that my system is not a system that only requires a simple "onetime authentication" for doing a blog posting, but rather is a full system like a socialnetworking site, where a user will always add more information and edit existing information for "his personal account" …So the system itself requires to have some kind of "account" that will be associated with the work the user does.)

Given the case that I do not create a "dedicated useraccount with password and username for mysite" and only rely on the openID Logins i ran into the following problem:
When User "A" logins in (for the first time) via an "Google Account" then everything he does will be associated with the Google account. When he comes back and does NOT click on the "Google Account Signin" but rather "Yahoo Signin", he will be signed in but will create/get a new Account associated with Yahoo. Everything he did with the Google Account seems to be lost. Simply issuing every user an "openID indepedant and unique username" (without password) on my site doesnt not work: As if I ask for this unique username (without password) when logging in, everybody could guess the username of others and associate an OpenID with them. But if I also have to have a password for this username, than I ended up where we were in the past without openID: Then I have to issue the user some kind of "master account" (with usernam and passwort) that he can, for convenience, associate with any number of openId accounts. But for what reasony do I than have openID in this case? As the user has to remember "my masterpassword and userid" anyway…

=> Does this mean, that openID does not "directly" support the "free choice" of multiple Accounts? If I want the users to be able to login (for every single login) with an arbitrary openID user-account, is the only way of doing it that way:

1.)User logs in via an "known openID account" => thats fine nothing has to be done

2.)User logs in via an "unknown openID account" => "authenticate" the user via the "unknown" openId (for example Yahoo) but when the user is back on my page, state to the user, that this (Yahoo) openID account is unknown (=no further work is associcated with it=its like a new account) and ask, if he maybe logged in the last time via an other account and provide the list of supported openID accounts. The user can then choose one of the providers he used the last time (for example Google). He then in addition to the already made login (with Yahoo), he also has to login to the "older" (Google) account he used the last time. Both accounts are then "associated with each other" and any work on on the older (Google) account can now be accessed also via the newer (Yahoo) openID account/login?

Or is there any other way to support "multiple openID accounts" for ONE USERACCOUNT?

(The reason why I am asking this: OpenID is not so much known to normal endusers yet. If I print a large list with logins from Google, Yahoo to Faceebook there will be a lot of users that use Google for their initial Login, but the next time they come back maybe choose facebook (as they just left the facebook site and its more appealing to click on the facebook icon). This is how "websites worked" for the last "15 years": There was only one single way to login: One Username-Input-Field and One Password-Input Field. If I print now a huge list of account where a user has an account with each of them, the might to login with different Accounts from day to day not understanding the problem this will lead to. So the ideal world would be that a user can login via an arbitrary account of my openID-Provider list and will have all the accounts "associated" with each other…

I hope I was hable to describe what my problem is.

I really appreciate your help and ideas (mybe I am completely misunderstood here something)

Thank you vey much!
Jan

Best Answer

OpenID is an authentication mechanism, not a profile storage mechanism. You should still have a unique identifier for the person on your site, and should maintain a record which stores the OpenID in relation to that unique identifier in the same way you would store a password related to that unique identifier.

Related Solutions

Python – Which openid / oauth library to connect a django project to Google Apps Accounts

I finally got this working, so I'll answer my own question since the previous answers here were helpful but don't tell the whole story.

django-openid-auth is actually quite easy to set up and use. The README file is very clear. If you just want to use standard google accounts (i.e. @gmail.com addresses) then you configure it in settings.py with:

OPENID_SSO_SERVER_URL = 'https://www.google.com/accounts/o8/id'

But if you want to use a "google apps" account, i.e. hosted gmail at your own company's domain, then it's more complicated. I got my details from this question. To use your google apps accounts, configure your settings.py to:

OPENID_SSO_SERVER_URL = 'https://www.google.com/accounts/o8/site-xrds?hd=example.com'
# replace example.com with your hosted google apps domain

In the future this might just work, but today it probably won't. The problem is in python-openid which django-openid-auth relies on. The standard build of python-openid doesn't understand some protocol extensions google is using. (Why does google need to extend the protocol? Dig through http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains and report back. Good luck.) So you need to instead use adieu's patch to python-openid, which is available here: http://github.com/adieu/python-openid

Install this over your existing python-openid. Now it should work.

Be careful with the OPENID_USE_AS_ADMIN_LOGIN setting since it requires you to have an openid user account which is 'staff' or 'superuser' to use admin which won't happen by default. So you'll need to do a 2-step process of enabling openid, logging in with your openid to create an account in django, then using your old admin account to mark your own openid account as superuser, and then disabling non-openid admin access.

One more thing: your domain admin might need to enable openid login for your domain before this will work. The control is at http://www.google.com/a/cpanel/example.com/SetupIdp

Architecture for merging multiple user accounts together

I am faced with the exact same task at the moment. The design I worked out is rather simple, but it works well.

The core idea is that models for a local site identity and the third-party site identities are kept isolated, but are later linked. So every user that logs into the site has a local identity which maps to any number of third-party site identities.

A local identity record contains a minimum of information - it could even be a single field - just a primary key. (For my application, I don't care about the user's email, name, or birth date - I just want to know they're the person who has been logging into this account all along.)

The third-party identities contain information relevant only to authenticating with a third-party. For OAuth, this typically means a user identifier (like an id, email, or username) and a service identifier (indicating what site or service was authenticated with). In other parts of the application, outside of the database, that service identifier is paired with a method for retrieving the relevant user identifier from that service, and that is how authentication is performed. For OpenID, we employ the same approach, except the method for authenticating is more generalized (because we can almost always perform the exact same protocol - except we use a different identity URL, and that is our service identifier).

Finally, I keep a records of which third-party identities are paired to what local identity. To generate these records, the flow looks like this:

A user logs in for the first time using a third-party identity. A local identity record is created, then a third-party identity record, and then they are paired.
In a control panel, the user is offered the opportunity to link an account by logging in to third-party services. (Pretty straightforward how this works.)
In the scenario where the user unwittingly makes multiple accounts, the solution is pretty simple. While the user is logged in on one of the accounts, he logs into another which he previously used to log into the site (via the control panel feature above). The web service detects this collision (that the local identity of the logged-in user differs from the local identity that is linked to the third-party identity that just logged in) and the user is prompted with an account merge.

Merging accounts is a matter of merging each individual field of the local identity (which will vary from application to application, and should be easy if you have only a couple fields in your local identity records), and then ensuring the linked third-party identities are linked to the resultant local identity.

Best Answer

Related Solutions

Python – Which openid / oauth library to connect a django project to Google Apps Accounts

Architecture for merging multiple user accounts together

Related Topic