If I want to provide OpenID as the only registration method available AND want to do something meaningful with the nick name, how can I handle 2 users with the same Jon Smith nickname?
Actually, when I looked at StackOverflow's URL schema I was surprised that the internal user ID was being used in the URL. For example:
https://stackoverflow.com/users/5908/z225rate
Now I realize it's probably to avoid this problem.
But this also opens a tricky scenario. What if users wants to impersonate someone else? They just need to create a fake OpenID account, copy the nick and there you go. Sure you can tell who's who looking at the OpenID url, but it's quite likely going to cause confusion among non-experienced users.
I was thinking about checking the nick during registration and forcing the user to pick up another one in case it was already in use. But then you have to keep the new nick and use it instead of the one set up in OpenID. Not nice.
Any ideas? "Don't use OpenID" is not a (valid) idea : ) I mean, it might well be that I end up not using it, but want to know how far would I have to go to make it work "properly".
Thanks!
The OpenID Connect flow looks the same as OAuth. The only differences are, in the initial request, a specific scope of openid is used, and in the final exchange the Client receives both an Access Token and an ID Token. As with the OAuth flow, the OpenID Connect Access Token is a value the Client doesn't understand.
OpenID Connect Single Sign-On (SSO) OpenID Connect (OIDC) is a protocol to verify user identities and get user profile information. OIDC enables devices to verify identities based on authentication done by an authentication server.
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request depend on which user attributes the application needs.
An OIDC Relying Party is an OAuth 2.0 Client application that requires user authentication and claims from an OpenID Connect Provider. Security Access Manager supports Relying Party (RP) as part of the support of the OAuth 2.0 and OpenID Connect (OIDC) specifications.
You can use the nick from Open ID and default the nick choice in your system to that, but do not allow duplicates in your system, so they will be forced to choose a different nick for your system.
You could still store their Open ID nick and use it, so if you want them to be able to display their preferred nick from OpenID at all costs, for any dupe users, you could force display as "OpenID Nick (your unique nick)".
So you might have Mike (mike1), Mike (mike2), etc. for any user that prefers a nick that a lot of users want. I would think that this would discourage any users from picking a non-unique nick, since they won't want it displayed that way.
There isn't such a thing as a fake OpenID, basically OpenID is mapping a URL space to a user, with a bit of hand off rules on how to pass data around.
Since there isn't a standard on how to form a URL for OpenID it would be a bit ugly to just slap up their full OpenID URL next to their name. Which you've already noted.
Your own internal data should always be considered more valid then the OpenID fields passed by the User. Have the user select another name if a name is already claimed by another OpenID.
According to me, the best way is to create a separate folder for each service provider such as example.com/google/username, while doing this you don't have any conflict between different providers, the headache of usernames should be done by service provider only, and if you try to do so it will be g8 mess and the other ways as http://stakeoverflow.com is doing...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With