Now that we’ve got OpenID running as a login/registration option on The Conversations Network, I’m concerned about a particular weakness. Maybe the Identity Gurus can help me out.
I’ve taken the advice of others and allowed registered members to attach multiple OpenIDs to their CN logins. It’s very convenient. For example, I can log in with http://dkaye.myopenid.com, http://rds.com (a delegated OpenID) or a variety of others. But this isn’t solving an important problem that I think it should. What happens when I, as an OpenID owner, change my email address? I’d like to just change it in one place (my OpenID provider’s site) and have that change automatically propagate to the sites where I use my OpenID the next time I log into them (if not before). The service providers allow me to change my email address and that address is transmitted to the sites when I use my OpenID.
The problem is that because we receive those email addresses from potentially multiple providers, they can be different. And when we receive an email address as part of an OpenID authentication transaction, we have no idea whether we’re supposed to change our database to reflect that new email address or not. Bottom line: We have no choice but to ignore the email address we receive except the very first time when we can use it as the default for a registration-form field.
I thought OpenID credentials were like the old wallet concept, but how is a web site supposed to deal with an individual who supplies multiple wallets? Am I missing something here?
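The email-handling policy from the third paragraph, next to the "last provider wins" alternative it rejects, as an added example that is not part of the original post or The Conversations Network's code. The `RelyingParty` class, its method names, and the example.org addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    openids: set = field(default_factory=set)

class RelyingParty:
    """Hypothetical relying-party account store; all names are assumptions."""

    def __init__(self, overwrite_on_login=False):
        self.by_openid = {}                      # claimed identifier -> Account
        self.overwrite_on_login = overwrite_on_login

    def register(self, claimed_id, confirmed_email):
        account = Account(confirmed_email, {claimed_id})
        self.by_openid[claimed_id] = account
        return account

    def attach(self, account, claimed_id):
        """Link an additional OpenID to an existing account."""
        if claimed_id in self.by_openid:
            raise ValueError("identifier already linked to an account")
        account.openids.add(claimed_id)
        self.by_openid[claimed_id] = account

    def login(self, claimed_id, asserted_email=None):
        """Handle a verified OpenID assertion: (action, account, form_default)."""
        account = self.by_openid.get(claimed_id)
        if account is None:
            # Unknown identifier: the asserted email only pre-fills the
            # registration form; the user confirms or edits it there.
            return ("register", None, asserted_email)
        if self.overwrite_on_login and asserted_email:
            account.email = asserted_email       # naive: last provider wins
        # Default policy: the stored email stands; the assertion is ignored.
        return ("login", account, None)

def email_after_logins(overwrite_on_login):
    """Constructed scenario: one account, two OpenIDs asserting different emails."""
    rp = RelyingParty(overwrite_on_login)
    _, _, default = rp.login("http://dkaye.myopenid.com", "old@example.org")
    account = rp.register("http://dkaye.myopenid.com", default)
    rp.attach(account, "http://rds.com")
    seen = []
    for cid, email in [("http://rds.com", "new@example.org"),
                       ("http://dkaye.myopenid.com", "old@example.org")]:
        rp.login(cid, email)
        seen.append(account.email)               # stored email after each login
    return seen
```

With overwriting enabled, the stored address flips with whichever provider was used last; with the default policy it stays at the value confirmed at registration.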