74 votes

Chris Messina (Admin, OpenID) responded:
There’s nothing in the OpenID protocol that would really allow this, especially from the data side of things. Unlike, say, credit cards, where you can transfer your balance between different providers, data transfer between different OPs requires a bit more leg work.
What kind of data are you talking about?

BMKane supported this idea.

BMKane commented:
I'm not sure I have the answer for how this would be implemented, but I have to add my support to the idea.
The idea is to have a single ID that you use for everything, but the problem is which provider do you go with? Suppose I started by using my Google account, and signed up for multiple services using that OpenID, then later decided to switch to myOpenID because it allows client certificate authentication. Suddenly, I'm back to having two different accounts for logging into services.
It seems to me that this is a barrier to entry for using OpenID. Whichever provider you use at first you're sort of locked into, because you'll have a bunch of accounts under that ID. I imagine a lot of people will be turned away because of this uncertainty (which provider should I choose, if I'm going to be stuck with it?), or will use it for a while, decide they want to switch providers, and get frustrated by the fact they now have multiple accounts again.
I think, to solve this, there needs to be some way to indicate that two OpenIDs refer to the same person, and can be used interchangeably. This seems difficult, given how decentralised OpenID is. Maybe allow providers to communicate a list of alternate IDs to the relying party? The relying party then checks to see if they have an account for any of the IDs. If it finds more than one, it asks the user which they want to log in as. If it finds none, it creates a new account using the primary ID.
The provider, obviously, would need to allow their users to specify alternate IDs, and it'd be hard to force that on them, so it wouldn't be implemented universally, but it's a start. Even better, if providers could communicate those /with each other/. So, I add a myOpenID to my Google OpenID as an alternate identity, and Google immediately contacts myOpenID, authenticates, adds itself to my myOpenID as an alternate provider, and then asks for a list of alternate identities. It then repeats the process, recursively adding all of my other OpenIDs.
This still doesn't solve the problem of merging data. But I don't think that can be solved without putting implementation requirements on services and providers, which seems contrary to the OpenID philosophy. But at least it eliminates the main problems of having multiple accounts, or wanting to change your identity provider. And, by making providers aware of all your other identities, they could CHOOSE to merge your data, or at least present the option to do so. (Say, display your other identity and ask if you want to copy any data in from it.)
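The two mechanisms sketched in the comment above, modelled as an added example; this is not code from the thread, from BMKane, or from any OpenID provider or library. The relying-party half (`resolve_account`) takes the identifier the provider just authenticated plus the alternates that same provider asserted, matches them against a local account table, and picks login / choose / create exactly as the comment lays out. The provider half (`propagate_alternates`) walks the graph of linked identities so every provider ends up holding the full set, using a visited set so the recursion the comment describes cannot loop. The cross-provider authentication step ("Google contacts myOpenID, authenticates") is assumed to have happened and is not modelled; discovery is simplified to "the provider is the host in the identifier URL". All identifiers, provider names and account records are constructed sample data.

```python
"""Added example modelling the alternate-identity proposal from the thread.

Not code from the thread or from any OpenID implementation.  The account
table and the providers are in-memory stand-ins; identifiers and hosts
are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


# ------------------------------------------------------ relying-party side

@dataclass
class Account:
    account_id: int
    openid: str                 # identifier the account was created under


@dataclass
class Resolution:
    action: str                 # "login" | "choose" | "create"
    accounts: List[Account]     # match(es), or the newly created account


def resolve_account(primary_id: str, asserted_alternates: List[str],
                    accounts_by_openid: Dict[str, Account]) -> Resolution:
    """Account lookup after one successful OpenID assertion.

    Only identifiers asserted by the provider that authenticated the user
    are considered.  The RP must never accept alternates typed in by the
    user, or anyone could claim another person's identifier as "theirs".
    """
    candidates = [primary_id] + [a for a in asserted_alternates if a != primary_id]
    matches: List[Account] = []
    seen: Set[int] = set()
    for ident in candidates:
        acct = accounts_by_openid.get(ident)
        if acct is not None and acct.account_id not in seen:
            seen.add(acct.account_id)
            matches.append(acct)

    if len(matches) == 1:
        return Resolution("login", matches)
    if len(matches) > 1:
        return Resolution("choose", matches)      # ask the user which account
    new_id = max((a.account_id for a in accounts_by_openid.values()), default=0) + 1
    new_acct = Account(new_id, primary_id)        # create under the primary ID
    accounts_by_openid[primary_id] = new_acct
    return Resolution("create", [new_acct])


# ---------------------------------------------------------- provider side

@dataclass
class Provider:
    name: str
    # identity -> alternate identities this provider currently knows for it
    alternates: Dict[str, Set[str]] = field(default_factory=dict)


def provider_of(identity: str, providers: Dict[str, Provider]) -> Provider:
    """Simplified discovery (assumption): the provider is the URL's host."""
    return providers[identity.split("/")[2]]


def propagate_alternates(start: str, providers: Dict[str, Provider]) -> Set[str]:
    """Collect every identity reachable through alternate links from `start`
    and record the full set at each identity's provider.  The visited set
    keeps the recursive exchange between providers from looping.
    Returns the linked identities, excluding `start` itself."""
    visited: Set[str] = set()
    queue = [start]
    while queue:
        ident = queue.pop()
        if ident in visited:
            continue
        visited.add(ident)
        for alt in provider_of(ident, providers).alternates.get(ident, set()):
            if alt not in visited:
                queue.append(alt)
    for ident in visited:                      # every provider learns the set
        provider_of(ident, providers).alternates[ident] = visited - {ident}
    return visited - {start}


if __name__ == "__main__":
    g = "https://google.example/ids/alice"    # constructed sample identifiers
    m = "https://myopenid.example/alice"
    accounts = {g: Account(1, g)}
    print(resolve_account(m, [g], accounts))  # logs in to account 1 via alternate
```

The important design point is in `resolve_account`'s docstring: the list of alternates is trusted only because it arrives in the same provider assertion that authenticated the user, so a relying party that lets users add alternates by hand, without a fresh authentication against the other provider, would be letting them take over arbitrary accounts.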