Access recovery mechanism if site only supports OpenID login

Question

Say I have a site, like StackOverflow, which supports OpenID login only. Suppose someone had an account on the site, bound to his OpenID, and then he lost access to his OpenID provider (that's surely possible and not harder than losing your email password). How would he then restore access to his account?

I see two options: one is the usual mail-me-a-key sequence, only appropriate if he had provided an email address.

Two is he could have provided a backup OpenID for such emergencies (that's what SO does I presume).

How do you (or would you) implement access recovery with OpenID? Any thoughts?

I'm using RoR + Authlogic-openid, if that matters.

Recommended answer

I wouldn't. I'd rely on the user's ID provider to handle this. If the user's provider doesn't, well, the user should pick a new provider next time :) This may sound user-unfriendly, but it just pushes the requirement to the provider, which is part of the OpenID philosophy. Losing access is not the worst thing the provider can do to the user, so I feel comfortable relying on the provider to deal with the situation properly.

One way to be helpful is to allow the user to associate a second identity with their account - a user who loses access to one can use the other. This has to be done, by the user, before access was lost, however.

This is what StackOverflow does - you can add additional identities while authenticated, and if you log out and try to log back in, you aren't offered a non-OpenID login option.
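
The second-identity approach from the answer above, as an added example in plain Ruby; it is not part of the original answer and is not StackOverflow's or Authlogic's code. `IdentityStore` and its methods are hypothetical names, and the example assumes each identifier it receives has already been verified by the site's OpenID library.

```ruby
require 'uri'
# Hypothetical in-memory model (added example): one account, many identifiers.
# Assumes every identifier passed in was just verified by the OpenID library.
class IdentityStore
  Error = Class.new(StandardError)

  def initialize
    @owner = {} # normalized identifier => account id
    @next_id = 0
  end

  # Normalize so one identifier cannot be bound twice under different spellings.
  def normalize(identifier)
    uri = URI.parse(identifier.to_s.strip)
    raise Error, 'identifier must be an http(s) URL' unless uri.is_a?(URI::HTTP) && uri.host
    uri.host = uri.host.downcase
    uri.path = '/' if uri.path.empty?
    uri.to_s
  rescue URI::InvalidURIError
    raise Error, 'identifier is not a valid URL'
  end
  # First sign-in with a new identifier creates the account and returns its id.
  def register(identifier)
    bind(identifier, @next_id += 1)
  end
  # Sign-in: any linked identifier resolves to the same account (nil if unknown).
  def account_for(identifier)
    @owner[normalize(identifier)]
  end
  # Linking a backup identity requires an already authenticated session.
  def link(session_account, identifier)
    raise Error, 'sign in before linking an identity' unless @owner.value?(session_account)
    bind(identifier, session_account)
  end
  # Refuse to drop the last identity: nothing would be left to recover with.
  def unlink(session_account, identifier)
    id = normalize(identifier)
    raise Error, 'identity is not linked to this session' unless session_account && @owner[id] == session_account
    raise Error, 'cannot remove the only identity' if @owner.count { |_, a| a == session_account } < 2
    @owner.delete(id)
  end

  private
  def bind(identifier, account)
    id = normalize(identifier)
    raise Error, 'identifier already bound to an account' if @owner.key?(id)
    @owner[id] = account
  end
end
```

In a Rails application the same three rules would sit on an identities table with a unique index on the normalized identifier.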
