OpenID: How to best associate Multiple OpenID Accounts to one User?

I am a newbie in OpenID. I spent a lot of time thinking about what the best practices are to give the user the choice to log in with various OpenID-enabled accounts.

(I have to further clarify that my system is not a system that only requires a simple "one-time authentication" for doing a blog posting, but rather is a full system like a social networking site, where a user will always add more information and edit existing information for "his personal account"... So the system itself requires having some kind of "account" that will be associated with the work the user does.)

Given the case that I do not create a "dedicated user account with password and username for my site" and only rely on the OpenID logins, I ran into the following problem: When user "A" logs in (for the first time) via a "Google Account", then everything he does will be associated with the Google account. When he comes back and does NOT click on the "Google Account Signin" but rather "Yahoo Signin", he will be signed in but will create/get a new account associated with Yahoo. Everything he did with the Google account seems to be lost. Simply issuing every user an "OpenID-independent and unique username" (without password) on my site does not work: If I ask for this unique username (without password) when logging in, everybody could guess the username of others and associate an OpenID with them. But if I also have to have a password for this username, then I end up where we were in the past without OpenID: Then I have to issue the user some kind of "master account" (with username and password) that he can, for convenience, associate with any number of OpenID accounts. But for what reason do I then have OpenID in this case? As the user has to remember "my master password and user ID" anyway...

=> Does this mean that OpenID does not "directly" support the "free choice" of multiple accounts? If I want the users to be able to log in (for every single login) with an arbitrary OpenID user account, is this the only way of doing it:

1.) User logs in via a "known OpenID account" => that's fine, nothing has to be done

2.) User logs in via an "unknown OpenID account" => "authenticate" the user via the "unknown" OpenID (for example Yahoo), but when the user is back on my page, state to the user that this (Yahoo) OpenID account is unknown (= no further work is associated with it = it's like a new account) and ask if he maybe logged in the last time via another account, and provide the list of supported OpenID accounts. The user can then choose one of the providers he used the last time (for example Google). Then, in addition to the already made login (with Yahoo), he also has to log in to the "older" (Google) account he used the last time. Both accounts are then "associated with each other" and any work on the older (Google) account can now be accessed also via the newer (Yahoo) OpenID account/login?

Or is there any other way to support "multiple OpenID accounts" for ONE USER ACCOUNT?

(The reason why I am asking this: OpenID is not so well known to normal end users yet. If I print a large list with logins from Google, Yahoo to Facebook, there will be a lot of users that use Google for their initial login, but the next time they come back maybe choose Facebook (as they just left the Facebook site and it's more appealing to click on the Facebook icon). This is how "websites worked" for the last "15 years": There was only one single way to log in: one username input field and one password input field. If I print now a huge list of accounts where a user has an account with each of them, they might log in with different accounts from day to day, not understanding the problem this will lead to. So the ideal world would be that a user can log in via an arbitrary account of my OpenID provider list and will have all the accounts "associated" with each other...)

I hope I was able to describe what my problem is.

I really appreciate your help and ideas (maybe I have completely misunderstood something here).

Thank you very much! Jan

jan asked Nov 12 '09 17:11



2 Answers

Yes, the user will have to login with both.

  1. User logs in for the first time with Google Account, uses the app and logs out. App creates an internal user login (in grombeestje's table user) and associates it with the Google Account (in grombeestje's table openid).
  2. Later, user has logged in to Yahoo and logs in again with Yahoo Account. Now user is offered a step to identify with other services as well:
     a. User opts in and selects Google account.
     b. User logs in with Google account.
     c. Application appends the Google id to the current login.

Also, at any time the user wishes, he can choose to add logins to his profile and identify his/her other OpenIDs like Blogger, Facebook etc. If he has created different logins (in grombeestje's table user) with these accounts, then he can either drop one of the local logins (in grombeestje's table user) with the app or merge them into one.

SarjanWebDev answered Sep 30 '22 17:09


OpenID is an authentication mechanism, not a profile storage mechanism. You should still have a unique identifier for the person on your site, and should maintain a record which stores the OpenID in relation to that unique identifier in the same way you would store a password related to that unique identifier.

Jeremy S answered Sep 30 '22 18:09
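Both answers describe the same design: a local user record, a separate mapping from each OpenID identifier to that user, and a linking step that only runs after the user has authenticated with the second provider too. The Python sketch below is an added example, not code from the question or from either answer. It assumes that real OpenID assertion verification is done elsewhere (by an OpenID library); the `Session.verified_ids` set stands in for the identifiers a provider has positively asserted in the current browser session, and the identifier URLs in `demo()` are constructed sample values. The point it makes concrete is the asker's worry about guessed usernames: `link()` refuses to attach an identifier unless the provider vouched for it in this session, so nobody can pull another person's data into their own account by typing in an identifier.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    """Local account record (the answers' 'table user')."""
    user_id: int
    posts: list = field(default_factory=list)


@dataclass
class Session:
    """Server-side session. verified_ids holds claimed identifiers that an
    OpenID provider asserted and the relying party verified in this session.
    Assumption: a real RP fills it from its OpenID library, never from user input."""
    verified_ids: set = field(default_factory=set)
    user_id: Optional[int] = None


class NotVerified(Exception):
    """Raised when code tries to act on an identifier no provider asserted."""


class AccountStore:
    def __init__(self):
        self.users = {}        # local user_id -> User
        self.identities = {}   # claimed OpenID identifier -> local user_id ('table openid')
        self._next_id = 1

    def _new_user(self):
        user = User(self._next_id)
        self.users[user.user_id] = user
        self._next_id += 1
        return user

    def login(self, session, claimed_id):
        """Resolve a provider-verified identifier to a local user, creating a
        fresh (empty) account for an identifier the site has never seen.
        Returns (user, is_new)."""
        if claimed_id not in session.verified_ids:
            raise NotVerified(claimed_id)
        user_id = self.identities.get(claimed_id)
        is_new = user_id is None
        if is_new:
            user = self._new_user()
            self.identities[claimed_id] = user.user_id
        else:
            user = self.users[user_id]
        session.user_id = user.user_id
        return user, is_new

    def link(self, session, older_claimed_id):
        """Attach older_claimed_id to the session's current account, merging the
        account previously behind it. Both the current login and the older
        identifier must have been asserted by their providers in this session."""
        if session.user_id is None:
            raise NotVerified("no logged-in user")
        if older_claimed_id not in session.verified_ids:
            raise NotVerified(older_claimed_id)
        current = self.users[session.user_id]
        old_uid = self.identities.get(older_claimed_id)
        if old_uid is None:
            # Never seen before: simply bind it to the current account.
            self.identities[older_claimed_id] = current.user_id
            return current
        if old_uid == current.user_id:
            return current  # already linked, nothing to do
        # Merge: move the old account's data and every identifier bound to it.
        old = self.users.pop(old_uid)
        current.posts.extend(old.posts)
        for cid, uid in self.identities.items():
            if uid == old_uid:
                self.identities[cid] = current.user_id
        return current


def demo():
    """The flow from the question: Google first, Yahoo later, then linking."""
    store = AccountStore()
    google_id = "https://example.com/openid/alice"   # constructed sample value
    yahoo_id = "https://example.org/openid/alice"    # constructed sample value

    s1 = Session(verified_ids={google_id})
    user, is_new = store.login(s1, google_id)
    user.posts.append("first post")

    s2 = Session(verified_ids={yahoo_id})
    _, is_new2 = store.login(s2, yahoo_id)   # unknown identifier: empty account
    # Site offers the linking step; the user authenticates with Google as well,
    # and the RP records that verified identifier in the same session.
    s2.verified_ids.add(google_id)
    merged = store.link(s2, google_id)
    return store, merged, is_new, is_new2


if __name__ == "__main__":
    store, merged, _, _ = demo()
    print(merged.user_id, merged.posts, store.identities)
```

In a real database the merge would run in one transaction that re-points every foreign key (posts, profile rows, the identifier table) from the old user id to the surviving one before deleting the old row; the in-memory version above only moves the `posts` list to keep the idea visible.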