
Registration table for OpenID authentication

I'm creating a website with OpenID auth but I'm not sure what fields should be collected other than the Identifier.

What else should be considered when integrating OpenID on a website?


This website has the fields you need and the steps you should apply to introduce them into your website.

http://www.plaxo.com/api/openid_recipe

Basically, the OpenID URL and a user id. The user id is used to point back to your user table because a single user can have multiple OpenIDs.


In addition to the user name and email etcetera, I'd consider storing:

  • The user's OpenID, also known as the Claimed Identifier, i.e. openid.claimed_id in the response from the OpenID Provider. "The Claimed Identifier [...] SHOULD be used by the Relying Party as a key for local storage of information about the user." (The OpenID 2.0 spec)

  • The OpenID endpoint, openid.op_endpoint in the OpenID 2.0 Spec. So you know which OpenID Provider authenticated the user. Perhaps in the future you'll find out that one provider is not so very trustworthy, and then I think it's good to know if e.g. someuser.example.com was authenticated by that provider.

  • The realm. The claimed ID sometimes varies by realm. For example, if your website is accessible at two or more realms (e.g. example.com and somewhere-else.com), and a user logs in with Gmail, then she'd be assigned one opaque ID at example.com and another ID at somewhere-else.com (so she can be more anonymous). You might want to know which realm the user logs in to, in case you want to merge the user's two example.com and somewhere-else.com accounts into one single account (to do this, you can validate and compare email addresses).

  • Perhaps the OP-Local Identifier, in case the user changes his/her User-Supplied Identifier. For example, if the user has an OpenID identifier username.example.com, but changes it to username.somewhereelse.com, then I think the OP-Local Identifier will remain unchanged (assuming the user continues using the same OpenID Provider). Terminology. And an example.

(I was rather unsure as to whether it makes sense to store these attributes. So I posted a question here. So far 1 person thinks they need not be stored.)
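A sketch of the registration tables the two answers describe, added here as an example and not taken from either answer or from the Plaxo recipe. The table, column and function names are hypothetical, and the code assumes an OpenID library has already verified the positive assertion before these functions are called.

```python
import sqlite3

# Hypothetical schema: one users row can own several OpenID identities.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT);
CREATE TABLE openid_identities (
    user_id     INTEGER NOT NULL REFERENCES users(id),
    claimed_id  TEXT NOT NULL,  -- openid.claimed_id, the key for local storage
    op_endpoint TEXT NOT NULL,  -- openid.op_endpoint, the provider that asserted it
    realm       TEXT NOT NULL,  -- realm the user logged in to
    op_local_id TEXT,           -- OP-Local Identifier, if the provider sent one
    UNIQUE (claimed_id, realm)  -- assumption: one account per identifier per realm
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def link_identity(db, user_id, claimed_id, op_endpoint, realm, op_local_id=None):
    """Attach one more OpenID to an existing local account."""
    db.execute(
        "INSERT INTO openid_identities VALUES (?, ?, ?, ?, ?)",
        (user_id, claimed_id, op_endpoint, realm, op_local_id),
    )

def login(db, claimed_id, op_endpoint, realm, op_local_id=None, name="", email=None):
    """Map an already-verified assertion to a local user id, registering on first use."""
    row = db.execute(
        "SELECT user_id FROM openid_identities WHERE claimed_id = ? AND realm = ?",
        (claimed_id, realm),
    ).fetchone()
    if row:
        return row[0]
    cur = db.execute("INSERT INTO users (name, email) VALUES (?, ?)", (name, email))
    link_identity(db, cur.lastrowid, claimed_id, op_endpoint, realm, op_local_id)
    return cur.lastrowid

def users_from_provider(db, op_endpoint):
    """List accounts holding an identity asserted by one provider, e.g. for a trust review."""
    rows = db.execute(
        "SELECT DISTINCT user_id FROM openid_identities "
        "WHERE op_endpoint = ? ORDER BY user_id",
        (op_endpoint,),
    )
    return [r[0] for r in rows]
```
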
