Comments on: Overloading username and openid_url

By: Dan Parker

Dan Parker — Mon, 15 Oct 2007 18:37:45 +0000

My principles for thinking about models is that they should mirror the real world as well as possible. In the real world, a username is not necessarily my name. It could be a number. I should be greeted and represented to others via a nickname, not an identifier. Also, an openid_url is an identifier, and since it links to the ‘official online representation of me,’ it shouldn’t be displayed everywhere. Use a nickname. And hey, why don’t I make my app allow me to type in my _nickname_, then look up my openid and authenticate me with that?

This is who I am: username
This is how you can authenticate me: openid_url
This is what you can call me: nickname
(or combine username and nickname if you wish)

By: Dmitry Shechtman

Dmitry Shechtman — Tue, 06 Mar 2007 04:42:40 +0000

Indeed. I need a better host…

The link should work now, check it out. DHH already has.

By: Bernie Thompson

Bernie Thompson — Sun, 04 Mar 2007 23:05:45 +0000

Great comments. For a combined login form, I liked the look of yours Dmitry (note the link isn’t working right now, your host is saying ‘exceeded bandwidth limit).

This is a good time to experiment with this stuff. It’s too early to settle on one, true way — although we have to watch confusing and turning users off on OpenID completely.

I’ve struggled with how to implement OpenID side-by-side with password authentication, both to the user, and internally in the application.

Right now, I’m in the traditional camp of having separate openID and password login forms which may, of course, be displayed on the same page.

And on the internal side, I do believe password authentication and openid are often going to be supported together, I’m in the camp of having as cleanly decoupled implementations as possible. Sometimes easier said than done.

By: bignose

bignose — Sun, 04 Mar 2007 07:45:03 +0000

Of course, there may be cases where a username value *will* contain a fullstop (e.g., where the username is firstname.lastname); and there may be cases where the DNS hostname of the OpenID contains no fullstop (because the application and OpenID provider are both within a local network where hostnames are regularly typed without a domain part).

By: bignose

bignose — Sun, 04 Mar 2007 07:41:42 +0000

One possibility is to make the following assumptions: Usernames should never contain a fullstop “.” character, and an OpenID (because it contains a DNS domain name) must contain at least one.

That way, the form can use Javascript to dynamically determine whether the “Username or OpenID:” field currently contains an OpenID or not; and disable or enable the “Password:” field as this changes.

Thus, the user gets immediate feedback, while they type in their OpenID, that the Password field is not needed. Those who are logging in with a regular username + password see the form remain the way they expect.

What do you think?

By: Lukas Rosenstock

Lukas Rosenstock — Thu, 01 Mar 2007 22:11:26 +0000

I don’t like the idea of having the same field for local usernames and OpenIDs. It might confuse users if they see a password field and they type in their password, although we should tell them to never use their password on a site different from the OP (phishing!). If both are enabled on a site, they should be clearly seperated. I can’t see how that could confuse a user.

By: Dmitry Shechtman

Dmitry Shechtman — Thu, 01 Mar 2007 00:24:53 +0000

The less fields, the better!

Removing at least three of those cons is quite easy. Neither http:// has to be arbitrary nor the username has to be the URL.

Check out the bottom of http://test2.phpbb.cc/