Dealing with renames
Kurt Raschke
kurt at raschke.net
Mon May 30 05:34:51 PDT 2005

On May 29, 2005, at 7:27 AM, Karl Koscher wrote:
> It occurred to me that OpenID doesn't deal well with accounts that are
> renamed. As far as the consumer is concerned, different usernames/URLs
> belong to different users. However, often this isn't the case. For
> example, LiveJournal allows users to rename their accounts.

As I see it, this problem can be solved fairly easily on the
consumer-side. First off, I would say that there are two basic types
of OpenID consumers--those that use OpenID for authentication to some
type of persistent account or session (like LiveJournal, for example),
and those that don't have any kind of persistency (like an
OpenID-enabled guestbook or weblog comment form). Given that there can
be a one-to-many mapping between people and OpenID personas (or login
URLs), I would argue that OpenID consumers should support a many-to-one
mapping between OpenID login URLs and internal accounts.

In other words, I could log in to an OpenID-enabled site using one URL,
then at a later date indicate to the site that some other URL should
also access the account generated when I first logged in with the first
URL. I could then de-authorize the first URL, or leave it enabled.

For non-persistent applications, though, I think that the issue of
dealing with renames is a moot point. If you post a comment in a
weblog and give your URL, and then that URL changes three months later,
it's a dead link, regardless of whether or not OpenID is involved. I'd
say that that should be handled with HTTP redirects, not changes to the
authentication layer.

-Kurt
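
The many-to-one mapping proposed in the message above, sketched as an added example that is not part of the original post or of any OpenID library. The class and method names are hypothetical, the URLs are constructed, and every URL handed to the store is assumed to have just passed a completed OpenID authentication.

```python
# Added example: consumer-side many-to-one mapping of OpenID URLs to accounts.
# All names here (IdentityStore, login, link, unlink) are hypothetical.
# Assumption: callers pass only URLs verified by a completed OpenID login.
import itertools


class LinkError(Exception):
    """Raised when a link or unlink request must be refused."""


class IdentityStore:
    def __init__(self):
        self._account_of = {}          # verified URL -> internal account id
        self._ids = itertools.count(1)

    def login(self, verified_url):
        """Return the account for this URL, creating one on first login."""
        if verified_url not in self._account_of:
            self._account_of[verified_url] = next(self._ids)
        return self._account_of[verified_url]

    def link(self, session_account, verified_url):
        """Attach another verified URL to the current session's account."""
        owner = self._account_of.get(verified_url)
        if owner is not None and owner != session_account:
            # Never move a URL silently: that would merge or hijack accounts.
            raise LinkError("URL already belongs to another account")
        self._account_of[verified_url] = session_account

    def unlink(self, session_account, url):
        """De-authorize a URL, but never the last one (that locks the user out)."""
        if self._account_of.get(url) != session_account:
            raise LinkError("URL is not linked to this account")
        if len(self.urls_for(session_account)) == 1:
            raise LinkError("cannot remove the only login URL")
        del self._account_of[url]

    def urls_for(self, account):
        return sorted(u for u, a in self._account_of.items() if a == account)


def rename_scenario():
    """Constructed rename walk-through: log in, link new URL, drop old URL."""
    store = IdentityStore()
    old, new = "http://olduser.example.com/", "http://newuser.example.com/"
    account = store.login(old)        # first login creates the account
    store.link(account, new)          # later: add the renamed URL
    store.unlink(account, old)        # optionally de-authorize the old one
    return account, store.login(new), store.urls_for(account)
```

In this sketch a de-authorized URL that logs in again is treated as a stranger and gets a fresh account, so whoever later controls the old URL does not inherit the renamed user's account.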