Has anybody here had any experience of using OpenID (or FB, Twitter, Yahoo etc) to log in to your site? I've been wondering whether I should adopt this approach for a new project. However, as a password will not be stored in my DB, how will the user remember which service he/she used to log in before? How will, say, data saved into the DB while logged in through FB be available if they log in via Yahoo?
I did it once, for a project in which I adopted the Janrain solution (mostly because I could not use the PEAR package): http://www.janrain.com/
This plugin remembers the user (even after logout) and when he comes back gives a suggestion.
In that project, users had the ability to create a standard account or to log in with an available OpenID (Flickr, Twitter, Yahoo, Google, Windows Live and MySpace).
If that was the first login from OpenID and there was no match with a standard account, then a new account was created. Otherwise, the user was prompted to merge it with the matched account. Anyway, if the user also had a standard account he had the ability to merge the accounts.
A (requested) nightmare :S
Virtually, in that project, a user can log in with many OpenIDs and always link to the same standard account.
To fully enable an account created with an OpenID, it was requested to complete the login by inserting an email. Usually you get enough data from the OpenID service, but sometimes, as with Twitter, you don't get any email address. So, for this reason, it was requested.
Once you have an email and the user chooses to log in with Facebook and Twitter and Google and whatever else, when he completes with the same email you can merge the accounts.
I repeat: a requested nightmare :'(
Anyway, if you want to check, through the Janrain plugin you make a request to their API and they reply with an identifier and some data, here there is an example:
My suggestion is to keep it simple if you can. o_o'
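
One way to model the linking described in this answer, as an added example (not code from the thread or from Janrain): each (provider, identifier) pair maps to one local account, and a new identity is merged into an existing account only after the user has confirmed control of the email address they typed in. The class and method names are hypothetical, and sending the confirmation token is assumed to happen outside the snippet.

```python
# Added illustration; class and method names are hypothetical.
import itertools


class AccountStore:
    def __init__(self):
        self._next_id = itertools.count(1)
        self.identities = {}  # (provider, identifier) -> local account id
        self.emails = {}      # confirmed email -> local account id
        self.pending = {}     # (provider, identifier) -> email awaiting confirmation

    def login(self, provider, identifier):
        """Return the linked account id, or None if this identity is not linked yet."""
        return self.identities.get((provider, identifier))

    def request_link(self, provider, identifier, email):
        """Record the address the user typed; nothing is linked or merged yet."""
        self.pending[(provider, identifier)] = email.strip().lower()

    def confirm_email(self, provider, identifier, email):
        """Call only after the user proved control of the address
        (assumed: a one-time token mailed to it and returned by the user)."""
        key = (provider, identifier)
        email = email.strip().lower()
        if self.pending.get(key) != email:
            raise ValueError("no pending confirmation for this identity and email")
        del self.pending[key]
        account_id = self.emails.get(email)
        status = "merged" if account_id is not None else "created"
        if account_id is None:
            account_id = next(self._next_id)
            self.emails[email] = account_id
        self.identities[key] = account_id
        return account_id, status


def demo():
    # Constructed sample identities, not real provider responses.
    store = AccountStore()
    store.request_link("facebook", "fb-1001", "User@Example.com")
    first = store.confirm_email("facebook", "fb-1001", "user@example.com")
    store.request_link("yahoo", "yh-77", "user@example.com")
    second = store.confirm_email("yahoo", "yh-77", "user@example.com")
    return first, second, store.login("yahoo", "yh-77")
```

Merging on an address that was typed in but never confirmed would let anyone who knows a member's email attach their own provider identity to that member's account, which is why the merge happens only in `confirm_email`.
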
Thanks for a great reply cereal. I've been pondering this for a while and thinking - what if a user has used different email accounts for different authentication services (Yahoo!/Google etc). As I'm targeting an audience with various levels of tech-know-how, I'm concerned that I could end up confusing them - e.g. merging accounts. I can imagine some of them 'oh-oh what's this?'
I'll certainly read through the links you've provided, but I'm starting to think that I've tried to be too clever for my own good. I had a look at Janrain Engage and got a slight nosebleed. :)