
I was looking into claimed identifiers, but they seem to have some issues with some providers, evidently? What about an attribute exchange request for an account's email address or something like that? Would that be a good alternative?

Advice much appreciated.

Hamster

1 Answer


By "verify return users", I assume you just mean detect when a user returns to your account and log them in?

Attribute exchange data is provided by users, and is both optional and easily changed, so it can't be relied on for anything that is remotely related to account security.

Google's OpenID identifier is only unique per-domain — the workaround is just to have a single domain used for authentication. And that's assuming you have multiple domains. If you only have one domain, then there aren't any problems.

Trevor Johns
  • So I shouldn't assume that Google immutably binds accounts to their email (gmail) address? If not because it doesn't, then simply because it's not what attribute exchange is meant for? – Hamster Feb 09 '11 at 10:23
  • @Hamster I think Google does bind an email address to a unique user, forever, so, in the case of Google, you could use the email address as unique identifier. Well at least I've read this somewhere, as far as I can remember, but I don't remember where. — However, with most? some? other OpenID providers, you cannot trust the email address or any other user provided info. – KajMagnus Aug 03 '12 at 20:54
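
The approach described in the answer, as an added example that is not part of the original thread: returning users are matched on the verified claimed identifier, every request uses one fixed realm, and the attribute exchange email is stored only as profile data. `AccountStore`, `AUTH_REALM`, and the sample identifiers are hypothetical, and the assertion is assumed to have been verified by an OpenID library before `login` is called.

```python
# Added example, not from the original thread. All names here are hypothetical.
AUTH_REALM = "https://login.example.com/"  # assumed single domain used for every OpenID request


class AccountStore:
    """Maps verified OpenID claimed identifiers to local accounts."""

    def __init__(self):
        self._by_claimed_id = {}
        self._next_id = 1

    def login(self, claimed_id, realm, ax_attrs=None):
        """Find or create the account for an assertion that the OpenID
        library has already verified (signature, nonce, discovery)."""
        # Identifiers that are unique per realm only match on return visits
        # if every request was sent with the same realm.
        if realm != AUTH_REALM:
            raise ValueError("assertion was issued for an unexpected realm")

        account = self._by_claimed_id.get(claimed_id)
        if account is None:
            account = {"id": self._next_id, "claimed_id": claimed_id, "email": None}
            self._next_id += 1
            self._by_claimed_id[claimed_id] = account

        # Attribute exchange values are optional and user-editable: store them
        # as profile data, never use them to select the account.
        email = (ax_attrs or {}).get("email")
        if email:
            account["email"] = email
        return account


def demo():
    store = AccountStore()
    # Constructed sample identifiers and addresses.
    alice = "https://provider.example/id?id=AAA111"
    other = "https://provider.example/id?id=BBB222"
    first = store.login(alice, AUTH_REALM, {"email": "alice@example.com"})
    again = store.login(alice, AUTH_REALM, {"email": "new-address@example.com"})
    spoof = store.login(other, AUTH_REALM, {"email": "new-address@example.com"})
    return first["id"], again["id"], spoof["id"]
```

In `demo`, the second login changes the email but still resolves to the same account, while a different identifier supplying that same email gets its own account.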