Dealing with renames
Karl Koscher
mrsaturn at teencity.org
Sun May 29 04:27:22 PDT 2005

It occurred to me that OpenID doesn't deal well with accounts that are
renamed. As far as the consumer is concerned, different usernames/URLs
belong to different users. However, often this isn't the case. For
example, LiveJournal allows users to rename their accounts.
This can cause all sorts of chaos.

For example, we have a few sites that are restricted to a certain set of
LiveJournal users. If they rename, they'll no longer be able to access
those sites. Worse, if someone with access to the site deletes their
account, and has their account purged, other users will be able to
rename to that old account name and be able to access the site. There
are hacks that'll work for LiveJournal (fetch their userinfo and check
their userid), but not in general.

In another case, a user will allow an OpenID-authenticated user to post
unscreened comments on some site. When the OpenID user changes their
username, they won't be able to post comments unscreened until the other
user authorizes them (and deauthorizes the old account).

I'm pretty sure this'll cause problems with cross-site friendings, as well.

So, is there a good solution to this? Should we even worry about it? One
thing I was thinking of is having the identity server return some unique
ID that always maps to that particular user on that identity server. The
unique ID doesn't have to mean anything to anyone except the identity
server.

Thoughts?
- Karl
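
The rename and purged-name cases from the message above, as an added example that is not part of the original post or of any OpenID code. The `IdentityServer` class, the `idp.example` host, the URL layout and the shape of the returned assertion are all assumptions made for illustration; the consumer's access list is checked once by URL and once by the opaque per-server ID the message proposes.

```python
import itertools

class IdentityServer:
    """Constructed toy identity server: usernames can change, uids never do."""
    def __init__(self, host):
        self.host = host
        self._uids = itertools.count(1)   # uids are handed out once, never reused
        self.by_name = {}                 # current username -> permanent uid

    def register(self, name):
        if name in self.by_name:
            raise ValueError("name in use")
        self.by_name[name] = next(self._uids)
        return self.assert_identity(name)

    def rename(self, old, new):
        if new in self.by_name:
            raise ValueError("name in use")
        self.by_name[new] = self.by_name.pop(old)

    def purge(self, name):
        del self.by_name[name]            # the name becomes available again

    def assert_identity(self, name):
        # What the consumer learns after a login (assumed shape): the URL
        # plus an opaque ID that only means something to this server.
        return {"url": f"http://{self.host}/users/{name}/",
                "stable": (self.host, self.by_name[name])}

def demo():
    srv = IdentityServer("idp.example")
    alice, bob = srv.register("alice"), srv.register("bob")
    acl_urls = {alice["url"], bob["url"]}        # consumer ACL keyed on URL
    acl_ids = {alice["stable"], bob["stable"]}   # consumer ACL keyed on (server, uid)

    srv.rename("alice", "alice2")                # authorized user renames
    renamed = srv.assert_identity("alice2")
    srv.purge("bob")                             # authorized user deletes, is purged
    srv.register("carol")
    srv.rename("carol", "bob")                   # someone else takes the old name
    recycled = srv.assert_identity("bob")

    return {"renamed_by_url": renamed["url"] in acl_urls,
            "recycled_by_url": recycled["url"] in acl_urls,
            "renamed_by_id": renamed["stable"] in acl_ids,
            "recycled_by_id": recycled["stable"] in acl_ids}

if __name__ == "__main__":
    print(demo())
```

Keying on the pair (server, uid) rather than the bare uid matches the message's point that the ID only has meaning on the server that issued it.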