OpenID users can be just as trusty as local users
A recent discussion over in Brad's journal highlighted a common misconception about OpenID: that OpenID users are somehow “less trustworthy” than a site's locally-registered users. While it's true that you can create an implementation in which OpenID users are “less trusted”, there's no reason why they can't be first-class citizens in your system.
It's all down to how your application reacts when it is first introduced to a previously-unknown identifier. You can ask the user to enter any details you like, and validate an email address, and perform a CAPTCHA test, and present a Terms of Service checkbox and anything else you'd normally do when creating a “local” account. It's entirely up to you and your application. Taking things to the logical extreme, you can present the user with a replica of your normal sign-up form but with the options to choose a username and password removed.
Whatever you do, don't go copying LiveJournal's implementation. LiveJournal was one of the first sites to allow OpenID logins, and the community has gained a lot of implementation experience in the meantime; LiveJournal doesn't currently follow the vast majority of the best practices that have come about since then. Hopefully at some point LiveJournal's implementation can be improved.
Comments
(comment with no subject)
Which one is the best? Well, there's the tradeoff between "instant login" and "registration". We wouldn't want somebody who "signs in" to be immediately taken to "signup" (the ma.gnolia case).
I'm not saying my implementation is the best. I just think it's better than LJ's and ma.gnolia's. When a new OpenID is entered, Simple Registration is used to try to get a username and an email address. A username alone (after validation) suffices to silently register the user. Now, if something fails, the user is presented with a registration form, this time requiring a valid email and ToS.
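As an added illustration (not code from the post, from LiveJournal, or from the commenter above) of the two flows described here, the post's "what to do with a previously-unknown identifier" and the comment's "Simple Registration first, full form as fallback", the following Python sketch uses a constructed in-memory user store and assumes `identifier` is the claimed identifier already verified by your OpenID consumer library, never a raw form value.

```python
import re

# Constructed in-memory store: verified OpenID identifier -> account record.
# Stands in for the site's real database (assumption for this example).
USERS = {"https://alice.example.org/": {"username": "alice", "email": "alice@example.org"}}

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,15}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def valid_username(name):
    """Local policy check: well-formed and not already taken."""
    taken = {u["username"] for u in USERS.values()}
    return bool(name) and bool(USERNAME_RE.match(name)) and name not in taken


def handle_verified_openid(identifier, sreg):
    """Decide what happens after the provider's assertion for `identifier` has been verified.

    `sreg` holds the Simple Registration fields the provider returned (may be empty).
    These are self-asserted by the user's provider, so they are only convenience data
    for pre-filling: the verified identifier is the thing the account is bound to.
    Returns ("login", account) | ("registered", account) | ("needs_form", prefill).
    """
    if identifier in USERS:
        return "login", USERS[identifier]          # known identifier: first-class login
    nickname = (sreg.get("nickname") or "").strip().lower()
    email = (sreg.get("email") or "").strip()
    if valid_username(nickname):                   # silent registration on a usable nickname
        USERS[identifier] = {"username": nickname,
                             "email": email if EMAIL_RE.match(email) else None}
        return "registered", USERS[identifier]
    # Otherwise fall back to the normal sign-up form minus the password fields,
    # applying the same checks a local sign-up gets (valid email, ToS, CAPTCHA...).
    return "needs_form", {"openid": identifier, "nickname": nickname or None, "email": email or None}


def complete_registration(identifier, form):
    """Second stage: the user submitted the fallback form; enforce the local sign-up rules."""
    errors = []
    if not valid_username(form.get("username", "")):
        errors.append("username")
    if not EMAIL_RE.match(form.get("email", "")):
        errors.append("email")
    if not form.get("tos_accepted"):
        errors.append("tos")
    if errors:
        return "rejected", errors
    USERS[identifier] = {"username": form["username"], "email": form["email"]}
    return "registered", USERS[identifier]
```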
(comment with no subject)
I imagine that LiveJournal, and possibly other sites with similar requirements, would probably go for a multi-stage process where your “instant login” (done at the LiveJournal comment form, for example) would just get you the ability to post anonymous comments, but you could upgrade to being able to post “real” comments by going through a simple process where you agree to the TOS, supply an email address and pass a CAPTCHA test.
You could then theoretically elect to upgrade again to being a fully-fledged LiveJournal user with a journal and all of the other associated features by choosing a journal name for use in the URL but still authenticating with OpenID.
However, getting from where LJ is now to that point is probably not trivial!
(comment with no subject)
The current problem with LiveJournal is best illustrated by the reply form I am typing into. It says "Anonymous (will be screened)" and "OpenID (will be screened)", and not because you chose to screen OpenID comments. If OpenID is no better than anonymous, why use it?
Well, Eran used MyOpenID to authenticate and then supplied a link to his blog in the comment text. Instead, he should have used his blog as his OpenID and let me, the curious reader, look for that bridge post. Yet, that alone does not seem like sufficient justification for people to use OpenID for commenting in LiveJournal.
Absolutely
Yahoo BBAuth
Instead, I wrote about my BBAuth bridge here:
http://eran.sandler.co.il/2007/01/16/pro
I'm hoping to release something next week which will be workable :-)