Fxfx

Reputation: 11

Users management strategies with LightOpenID

I've recently discovered LightOpenID, which I'm going to use as a login system for all my next websites.

As I'm fetching some info when users register/login with LightOpenID, I'd like to know if it's technically OK to use the user's email as the unique ID in my USERS table, or if it's a bad idea?

Thanks guys,

FX

Upvotes: 1

Views: 296

Answers (2)

Álvaro González

Reputation: 146558

Things to consider:

  1. It isn't mandatory to have an e-mail account linked to your OpenID account.
  2. If there is an e-mail address, you are not guaranteed to get it back from the server, even if you ask.
  3. Even if you get the address, you'd still need to validate it (e.g., by sending an e-mail message with a random token).
  4. Users will probably own more than one OpenID identifier (you are in such a situation as soon as you open accounts at some major services like Google or Yahoo). Some of them will share the same e-mail address, some will not, and some will not even have an e-mail address set.
  5. When the user changes his e-mail address behind the scenes, he'll lose his account at your site.
  6. Using the e-mail as key does not really offer any advantage I can think of.

My advice is that, if you want to use OpenID, you should do it right. Read the OpenID URL from $openid->identity() after successful validation and use that to identify the user.

Additionally:

  • Keep in mind that URLs can be long; don't try to stuff it into a VARCHAR(100) column.
  • You might want to implement linked identities as Stack Overflow does.

Upvotes: 1
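
The storage layout the answer above recommends, as an added example that is not part of the original answer or of LightOpenID: users are keyed on the validated OpenID identity URL, the e-mail is an optional unverified attribute, and several identities can be linked to one user. The table names, function names and sample URLs are hypothetical, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Hypothetical schema: the identity URL is the lookup key, never the e-mail.
function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        email TEXT,                        -- optional; may never be supplied
        email_verified INTEGER NOT NULL DEFAULT 0
    )');
    // One user may link several identities; each identity maps to one user.
    $db->exec('CREATE TABLE user_identities (
        identity TEXT NOT NULL UNIQUE,     -- full URL, not a short VARCHAR
        user_id INTEGER NOT NULL REFERENCES users(id)
    )');
}

function findOrCreateUser(PDO $db, string $identity, ?string $email): int {
    $q = $db->prepare('SELECT user_id FROM user_identities WHERE identity = ?');
    $q->execute([$identity]);
    $id = $q->fetchColumn();
    if ($id !== false) {
        return (int) $id;  // known identity: a changed or missing e-mail is irrelevant
    }
    $db->beginTransaction();
    $db->prepare('INSERT INTO users (email) VALUES (?)')->execute([$email]);
    $id = (int) $db->lastInsertId();
    $db->prepare('INSERT INTO user_identities (identity, user_id) VALUES (?, ?)')
       ->execute([$identity, $id]);
    $db->commit();
    return $id;
}

function linkIdentity(PDO $db, int $userId, string $identity): void {
    // Call only for a logged-in user who has just validated the extra identity.
    $db->prepare('INSERT INTO user_identities (identity, user_id) VALUES (?, ?)')
       ->execute([$identity, $userId]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

// Constructed sample identities; in a real login the value is the identity
// LightOpenID reports after successful validation.
$a = findOrCreateUser($db, 'https://id.example.org/alice', 'alice@example.org');
$b = findOrCreateUser($db, 'https://id.example.org/alice', null); // e-mail withheld
linkIdentity($db, $a, 'https://other.example.net/openid/alice');
$c = findOrCreateUser($db, 'https://other.example.net/openid/alice', 'new@example.org');
var_dump($a === $b && $b === $c); // all three logins resolve to the same user
```

The `email_verified` flag stays 0 until the address is confirmed by a token sent to it, as point 3 of the answer describes.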

Martin Thoma

Reputation: 136635

It depends on your service. Normally, every email address is only assigned to one person. If multiple accounts per user are not wanted, it's OK. Some families have a family email address. But I guess they would also use the same account.

Why don't you take the OpenID as the unique ID? OpenIDs are unique and you get the OpenID before you get the email address, if you use only OpenID for logging in.

Upvotes: 0
