OpenID best practices

Any recommendations for sites out there that I can study to see how to gracefully convert to OpenID from a non-OpenID based account system?

I just poked around trenchmice, and that’s a good way _not_ to do it. Specifically:

  • UI for logging in splits out signing in from registering at the beginning, whereas I think with an OpenID it’d be better to authenticate first and then create an account if needed.
  • No support for iNames
  • it’s a registration that requires a lot of sreg-data, including country, postal code, etc.
  • even with the sreg data filled in, it didn’t like my canadian postal code.

I’ve also noticed, which is interesting in that they hide OpenID quite well, it being indicated primarily by a link next to the choice of userid that reads “Use my AOL or AIM screen name”. A tweak on that process might work better for us, although we’d want to be clear about the use of OpenID.

NB: We would naturally not require the creation of a third-party OpenID to login to our web properties — most likely, we’d become an OpenID provider and simply upgrade existing accounts to be OpenID accounts — letting users decide whether to user their ActiveState OpenID on other sites or vice versa.


  1. David, we use the latest Canadian postal code data. So if a postal code wasn’t recognized, that’s a bug. Could you e-mail me your postal code, so I can find out what went wrong?



  2. Email sent. Note to the gallery: the important lesson learned is that if the OpenID sreg packet includes invalid data (e.g. an invalid email address, an invalid postal code), the site should let the user “correct” the data w/o having to reauthenticate. I’m thinking that the right way to think of the sreg data is as “advisory”. More on sreg later, I suspect, as I’m finding the usability of it for registration/signin less than ideal.


  3. Hi David,

    The choice of splitting up registration from initial sign-in was actually a tough one. We originally wanted to have it as a single flow through, but the logic gets fairly snarky when you want to both verify that someone has agreed to terms of service and have them respond with to a registration validation email to finalize the process. We corresponded quite a bit back and forth with folks in the OpenID arena, and ultimately decided that the split flow, while not ideal, was a good solution for us.

    Two of your points were about what data we wanted to collect, fair enough – but that is the whole point of enabling things like sReg, so that we can request the information, which we feel we’d like to have as a part of our internal processing. As john mentioned above, the canadian postal code is definitely a bug – and we’d love to have a little more information so that we could fix that.


  4. Confirming the postal code problem, our site is, today, very rigid about Canadian postal codes. They must be “cccccc”. It’s trivial, of course, to be less rigid the lack of a space. Flushed with shame, we are slithering off to fix an obvious bug, and we thank David for reporting it!


  5. That’s funny – I entered “ccc left angle space right angle ccc” in my prior comment. Looks like some HTTP preprocessing swallowed up the left angle space right angle text. :-).


  6. Hey, a little thing about postal codes: they’re all CNC NCN, and the space is optional in many notations.

    Which explains how canadians have Santa’s postal code: H0H 0H0


  7. It’s worth mentioning that even when you set “required” in the OpenID registration extras, the provided is not at all guaranteed to return it. That was a confusion we had early on, and why we try to “fail through” to a non-openid registration process. Your thoughts on assuming that all that information is advisory at best is right on the money.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s