Questions about openid and dotnetauthentication

I am looking into openid and the dotnetauthentication library. However, I still have some outstanding questions.

  1. Is the ID that comes back unique for each user? Can I store this ID in a database as the userId (currently this field is a primary key and unique identifier)?

  2. I read that you can try to request information such as email address but they may not give it to you. What happens if you need this information?

I think it kinda sucks if I have to popup another field right away and ask for their email address and whatever else fields I need. Sort of seems to defeat the purpose a bit as I always considered a benefit of openid is that you don't have to fill out registration forms.

  3. Is it better to only have some predefined choices (google, yahoo, openid, facebook) than letting them type in their own ones (i.e. gray out the field to let them type in a URL)?

I am thinking of this because it goes back to point number 2 if they type in a provider that does not give me the information that I need I am then stuck.

  4. How do you log a person out? Do you just kill the form authentication ticket?


The ClaimedIdentifier is the unique ID that you should associate with each user and use for lookup when the user returns. It doesn't "keep changing" as some people seem to believe. If you have Google users and your domain name ever changes, yes, the Claimed IDs you get from Google will change. So don't change your domain name (or more specifically, the "realm" you report to Google) and you'll be fine.

Some users and some Providers won't want to turn over their email address. The best approach (IMO) is that you don't insist that users give you an email address, but ask for it when they want to do something on your site that you require an email address for. If the Provider gives you an email address (and if you've done all the right things it probably will) then you can skip that step. If they don't, well, you're no worse off than before you used OpenID. But seriously, the big selling point of OpenID in my opinion isn't that it prefills registration forms. It's that it makes your users more secure.

See Is OpenID Worth It? for a discussion on this.
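
As an added illustration of the answer above (not part of the original answer and not the library's own code): account lookup keyed on the Claimed Identifier, with the email left empty until the Provider or the user supplies it. `Account`, `AccountStore`, `SignIn` and `MustPromptForEmail` are hypothetical names, and the dictionary stands in for a database table with a unique index.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical account row: the site's own key plus the Claimed Identifier as a unique lookup column.
public sealed class Account
{
    public int Id { get; set; }
    public string ClaimedIdentifier { get; set; }
    public string Email { get; set; }   // null until the Provider or the user supplies it
}

public sealed class AccountStore
{
    // Stands in for a table with a unique index on ClaimedIdentifier; exact (ordinal) match.
    private readonly Dictionary<string, Account> byClaimedId =
        new Dictionary<string, Account>(StringComparer.Ordinal);
    private int nextId = 1;
    // Call only after the OpenID library reports a verified, successful assertion.
    // providerEmail is whatever the Provider chose to release; it may be null.
    public Account SignIn(string claimedIdentifier, string providerEmail)
    {
        if (string.IsNullOrEmpty(claimedIdentifier))
            throw new ArgumentException("No claimed identifier", nameof(claimedIdentifier));
        if (!byClaimedId.TryGetValue(claimedIdentifier, out Account account))
        {
            account = new Account { Id = nextId++, ClaimedIdentifier = claimedIdentifier };
            byClaimedId.Add(claimedIdentifier, account);
        }
        // Email is contact data, never the lookup key: fill it in if missing, do not overwrite.
        if (account.Email == null && !string.IsNullOrWhiteSpace(providerEmail))
            account.Email = providerEmail.Trim();
        return account;
    }
}

public static class Program
{
    // Gate for features that need an address: prompt the user only at that point.
    public static bool MustPromptForEmail(Account a) => a.Email == null;
    public static void Main()
    {
        var store = new AccountStore();
        // Constructed sample identifier and address, not real accounts.
        var first = store.SignIn("https://openid.example/alice", null);
        Console.WriteLine($"id={first.Id} prompt={MustPromptForEmail(first)}");
        var again = store.SignIn("https://openid.example/alice", "alice@example.com");
        Console.WriteLine($"id={again.Id} prompt={MustPromptForEmail(again)}");
    }
}
```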


Rob Conery has a great blog post exploring the topic of Open ID from first-hand experience and lessons learned. The blog comments include feedback from Jeff Atwood (Stack Overflow) and others. It is a great read for technical resources that do not have exposure to Open ID.

Open ID Is A Nightmare -- Rob Conery
