Question

In my system, the user logs in with either Yahoo or Google, and a cookie is set so the user stays logged in.

I'm picturing a mismatch between the user being logged in to my system and him being logged in to the outside system.

  1. What if the user is still logged in on my system but he logs out of his Google account? Should I check for this and log him out? If so, how often should I check?
  2. What if the user is still logged in on my system but he has deleted his Google account? Technically his account shouldn't exist anymore on my system, right?

How should I go about dealing with these situations?

If it matters, I'm using LightOpenID.


Solution

Instead of doing a 1-to-1 account mapping with an identity provider, it might be a better idea to keep your own system accounts, and map OpenIDs to your accounts. Your users have an account on your system, but use OpenID as the authentication mechanism (instead of user/pass).

For example, I might have multiple OpenIDs that I can log into StackOverflow with.

The advantages are:

  • Does not restrict your users to only one identity provider. Even if Google goes out of business tomorrow, your system still works.
  • You can handle login/logout of your system separately from Google.
  • OpenID is meant to work this way.
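The account model the answer describes, as an added illustration that is not part of the original answer and not LightOpenID code: several verified OpenIDs map onto one local account, the local session has its own lifetime and logout, and losing a provider account only removes that one mapping. The stores, identifier URLs and session TTL are constructed for the example.

```python
# Added example: local accounts with OpenID identities mapped onto them.
import secrets

# Constructed in-memory stores (a real system would use a database).
accounts = {}    # account_id -> {"name": ...}
identities = {}  # verified OpenID claimed identifier -> account_id (many -> one)
sessions = {}    # session token -> {"account_id": ..., "expires": unix time}

SESSION_TTL = 3600  # local session lifetime; the provider's session is irrelevant here


def create_account(name, openid_url):
    """Create a local account and link the OpenID it was first registered with."""
    account_id = "acct-%d" % (len(accounts) + 1)
    accounts[account_id] = {"name": name}
    identities[openid_url] = account_id
    return account_id


def link_identity(account_id, openid_url):
    """Attach a further verified OpenID (e.g. a Yahoo one) to an existing account."""
    if openid_url in identities:
        raise ValueError("identity already linked to an account")
    identities[openid_url] = account_id


def unlink_identity(openid_url):
    """Provider account deleted or revoked: drop only the mapping, keep the account."""
    return identities.pop(openid_url, None)


def login(openid_url, now):
    """Start a local session once LightOpenID (or similar) has verified openid_url.
    Returns a session token, or None if the identity is not linked to any account."""
    account_id = identities.get(openid_url)
    if account_id is None:
        return None
    token = secrets.token_urlsafe(32)
    sessions[token] = {"account_id": account_id, "expires": now + SESSION_TTL}
    return token


def account_for_session(token, now):
    """Resolve a session token; expired or unknown tokens yield None."""
    s = sessions.get(token)
    if s is None or s["expires"] <= now:
        sessions.pop(token, None)
        return None
    return s["account_id"]


def logout(token):
    """Local logout only; nothing needs to happen at the identity provider."""
    sessions.pop(token, None)
```

An unlinked identity that later logs in gets `None` back, which is the point at which the application offers registration or re-linking rather than silently creating a duplicate account.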
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow