Dealing with renames

Karl Koscher mrsaturn at
Sun May 29 04:27:22 PDT 2005

It occured to me that OpenID doesn't deal well with accounts that are 
renamed. As far as the consumer is concerned, different usernames/URLs 
belong to different users. However, often this isn't the case. For 
example, LiveJournal allows users to rename their accounts.

This can cause all sorts of chaos.

For example, we have a few sites that are restricted to a certain set of 
LiveJournal users. If they rename, they'll no longer be able to access 
those sites. Worse, if someone with access to the site deletes their 
account, and has their account purged, other users will be able to 
rename to that old account name and be able to access the site. There 
are hacks that'll work for LiveJournal (fetch their userinfo and check 
their userid), but not in general.

In another case, a user will allow an OpenID-authenticated user to post 
unscreened comments on some site. When the OpenID user changes their 
username, they won't be able to post comments unscreened until the other 
users authorizes them (and deauthorizes the old account).

I'm pretty sure this'll cause problems with cross-site friendings, as well.

So, is there a good solution to this? Should we even worry about it? One 
thing I was thinking of is having the identity server return some unique 
ID that always maps to that particular user on that identity server. The 
unique ID doesn't have to mean anything to anyone except the identity 


- Karl

More information about the yadis mailing list