openid signin claims login already exists
joey hess
using my openid (http://joey.kitenet.net/) it said "This login (joey)
already exists, please choose a different persona or modify the
current one"
Now, there's already a joey user on gitorious, but that's not me, and
that user is not connected to my openid in any way.
Yes, my openid persona suggests that its user id is "joey". That's
only a suggestion. The correct thing to use for the username in your
database is the openid itself, not a suggestion from its persona.
I'm not going to try to create a separate persona with a different
name and juggle multiple personas in openid to work around this.
That'd just be silly.
Johan Sørensen
On Tue, Jul 8, 2008 at 8:50 AM, joey hess <jo...@kitenet.net> wrote:
>
> You're using openid in a very strange way. When I tried to log in
> using my openid (http://joey.kitenet.net/) it said "This login (joey)
> already exists, please choose a different persona or modify the
> current one"
>
> Now, there's already a joey user on gitorious, but that's not me, and
> that user is not connected to my openid in any way.
Yes had another one emailing me about that, it is a bit silly now in
retrospective.
>
> Yes, my openid persona suggests that its user id is "joey". That's
> only a suggestion. The correct thing to use for the username in your
> database is the openid itself, not a suggestion from its persona.
>
> I'm not going to try to create a separate persona with a different
> name and juggle multiple personas in openid to work around this.
> That'd just be silly.
Silly indeed, I'll change the setup so it just uses the openid login
as a username instead. What's OpenID best practices here, asking the
user if their $openidlogin is ok to use and give them a chance to
choose something else, or just using the openid login as a username
right away?
Cheers,
JS
Jacob Atzen
I'm not sure if it's best practice, but we keep OpenIDs seperate from usernames, so everyone has both a username (for displaying on the site) and an OpenID for login purposes. Personally I prefer to think of and see "Johan" instead of "login.example.com/johan.sorenson" when identifying other people on a site.
Med venlig hilsen
- Jacob Atzen
Waylan Limberg
> Hi,
>
> I'm not sure if it's best practice, but we keep OpenIDs seperate from
> usernames, so everyone has both a username (for displaying on the site) and
> an OpenID for login purposes. Personally I prefer to think of and see
> "Johan" instead of "login.example.com/johan.sorenson" when identifying other
> people on a site.
Yeah, in fact my understanding is that a single user (with a username)
should be able to have multiple OpenIDs associated with them. So the
OpenIDs need to be keep separate and are only used to authenticate and
identify who the user is. Once you have the authenticated username,
then the OpenID is irrelevant for the rest of the users session.
Of course, if a new user creates an account with an OpenID from the
start, you will also need to ask them for a username unique to your
system.
--
----
Waylan Limberg
way...@gmail.com
Patrick Aljord
I'm the guy who I'm the guy who implemented OpenID for Gitorious.
There are basically 3 way to deal with that:
first: Force the user to register first and then add his openid in
settings. I didn't like this one cause it takes away one of the
advantage of using OpenID which is: no need to register.
second: use the OpenID URI as username, that's the easy solution but
it is ugly and look impersonal. Imagine http://patcito.myopenid.com
committed "bla bla" to gitorious. Looks ugly to me.
third: Ask the user to create a new persona in case of conflict.
Conflits don't happen often. Creating a new persona takes a few
seconds in most good openid providers. Creating a new persona is still
faster than making the user register first (no email confirmation
etc), This is the best way to fix it IMO as it is the openid
provider's job to handle user's credential, not Gitorious.
There's a forth solution, set user login to his openid uri and allow
him to change his login the first time he sign in. Though creating a
persona is simpler for us :)
Vincent
Hey all,
I'm the guy who I'm the guy who implemented OpenID for Gitorious.
There are basically 3 way to deal with that:
first: Force the user to register first and then add his openid in
settings. I didn't like this one cause it takes away one of the
advantage of using OpenID which is: no need to register.
second: use the OpenID URI as username, that's the easy solution but
it is ugly and look impersonal. Imagine http://patcito.myopenid.com
committed "bla bla" to gitorious. Looks ugly to me.
Why not use the OpenID as an ID and use SREG to display a username? (And if SREG isn't supported, just use the OpenID and allow the user to change his username, i.e. the displayed name)
third: Ask the user to create a new persona in case of conflict.
Conflits don't happen often. Creating a new persona takes a few
seconds in most good openid providers. Creating a new persona is still
faster than making the user register first (no email confirmation
etc), This is the best way to fix it IMO as it is the openid
provider's job to handle user's credential, not Gitorious.
There's a forth solution, set user login to his openid uri and allow
him to change his login the first time he sign in. Though creating a
persona is simpler for us :)
--
Vincent
Nolan Darilek
Take the values from sreg and convert them to the same parameters used by User.create, redirecting there after openid confirmation. If no account exists with the persona login, the account is created as per the details of the persona. If an account already exists with that login, the user is redirected back to the new user form with all other values filled in and the openid associated, just need to change the login. At that point it's just like a form validation.
Seems like the best of both worlds. Automatic account creation if no account exists, the ability to change values that conflict, no need to create a throw-away persona for something as simple as a login conflict. Also, requiring someone to create a new persona makes it incredibly difficult in cases where someone's first few username choices may already be taken. Checking whether a specific username is valid becomes a matter of creating entirely new personas, which is a mess.
Patrick Aljord
> Seems like the best of both worlds. Automatic account creation if no account
> exists, the ability to change values that conflict, no need to create a
> throw-away persona for something as simple as a login conflict.
Yeah, indeed it sounds like the best one to me too. Johan?