    G’day,

    Thank you for a great start to an awesome plugin for wordpress.

    I am currently on a steep OpenId learning curve and would like to contribute more later on. But for now I have noticed the following while running a couple of tests on my own sites.

    I created an account on my wp-blog with an email address [email protected]. I did this before logging in with an openid.

    I have an abc.myopenid.com OpenId with an email address of [email protected].

    When I logged into my wp-blog with the OpenId it created a new account for the OpenId account.

    I now have 2 accounts with the same email address.
    Account 1
    Username: abc
    Email: [email protected]

    Account 2
    Username: abc.myopenid.com
    Email: [email protected]

    I would have thought that the plugin should check to see if the OpenId has an existing account with the same email address before it creates a new account.

    It would be great and make more sense to me, if the plugin said, ok, the email address from this OpenId is in use, I will add the OpenId to the “Your OpenIDs” and log you in under the existing account.

    I hope that makes sense. Would be great to see this added to the next release.

    Thanks,
    James
    =-)

Viewing 4 replies - 1 through 4 (of 4 total)
    Yes, this makes sense… there is certainly a problem of a single user accidentally creating multiple wordpress accounts. We can’t simply match on email address and automatically log the user in as that account, simply because the email address coming from the OpenID provider is almost always self-asserted… we have no assurance that the user actually owns that email. There are a number of ways we CAN safely do this, they just haven’t risen to the top of the stack yet. There is an existing bug report for this at https://code.google.com/p/diso/issues/detail?id=15

    Thread Starter Jandal

    (@jandal)

    Interesting, thanks for the link, I read that post after I wrote the one here.

    When you say
    “simply because the email address coming from the OpenID provider is almost always self-asserted”
    I’m guessing, for example, if I used my blog as a provider (which I’m testing with your plugin), I could easily set my email to whatever I like without confirming it.

    Interesting point, I never considered this. I’m adding OpenId to another application and I’m going to have to rethink that point. Thanks for the heads up.

    Any chance of sharing a couple of ideas on how we can safely do this please?

    I guess one way off the top of my head is if they do sign up as above, you could send them a confirmation email to the website account email address. After confirmation you could link the accounts. But I guess that comes with management issues too, e.g., creating 2 accounts and merging later, or put the OpenId account on hold until the email address is confirmed?

    Does OpenId have a solution for it?

    Thanks,
    James
    =-)

    Thread Starter Jandal

    (@jandal)

    I’m sure you have considered a number of these things, but I like to throw ideas around anyway.

    Another thought while I’m googling for ideas. You could tell the user an account with the same email address exists, and prompt them if they would like to “merge” accounts, if so ask for the password to do so.

    And if you were really keen, offer an option in the user profile area if duplicate email addresses are found.

    Thanks,
    James
    =-)

    Yeah, the easiest way to do this securely is to offer account merging, either at the time of login or from the profile page. I’m not crazy about the idea of adding this feature into the OpenID plugin directly… it feels like it should be its own plugin, but we’ll see.

    As a long term solution, there are some good discussions happening right now in the OpenID community about asserting verified email addresses. This would prevent the need to send yet another confirmation email to the user.
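    The account-merging flow recommended in the reply above, as an added Python example that is not the plugin's own code: it models the decision the plugin has to make on an OpenID login against a constructed in-memory user store (standing in for the WordPress users table and the “Your OpenIDs” list), treats the provider-asserted email only as an unverified hint, and links the identity URL to an existing account only after that account's password has been verified, instead of matching on email and logging the user in.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory store: username -> record. Stands in for the
# WordPress users table plus each user's list of linked OpenID URLs.
USERS = {}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, email, password):
    salt = os.urandom(16)
    USERS[username] = {"email": email, "salt": salt,
                       "pw": _hash(password, salt), "openids": set()}

def _by_openid(identity_url):
    return next((u for u, r in USERS.items() if identity_url in r["openids"]), None)

def _by_email(email):
    return next((u for u, r in USERS.items() if r["email"].lower() == email.lower()), None)

def openid_login(identity_url, asserted_email, merge_password=None):
    """Return (status, username) for a completed OpenID assertion.

    "login"        identity URL already linked: log in as that account
    "merge_needed" asserted email matches a local account; the caller must
                   prove ownership of that account before anything is linked
    "merged"       password verified: identity URL linked, log in
    "created"      no collision: a fresh account keyed by the identity URL
    """
    user = _by_openid(identity_url)
    if user:
        return "login", user
    existing = _by_email(asserted_email)
    if existing is None:
        # New account; the email is stored as claimed, not as verified.
        register(identity_url, asserted_email, secrets.token_urlsafe(32))
        USERS[identity_url]["openids"].add(identity_url)
        return "created", identity_url
    if merge_password is None:
        return "merge_needed", existing
    rec = USERS[existing]
    if not hmac.compare_digest(_hash(merge_password, rec["salt"]), rec["pw"]):
        return "merge_needed", existing
    rec["openids"].add(identity_url)  # ownership proven: link, do not duplicate
    return "merged", existing
```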

    The topic ‘[Plugin: OpenID] Checking for existing user before new account is created’ is closed to new replies.