I am using DotNetOpenAuth to identify Google users. I am currently retrieving their e-mail address and saving a copy of that in my database. However, what if they change their e-mail address in their Google account? Then my copy can no longer be linked to their profile.
Is there a way to uniquely identify a Google account through DotNetOpenAuth?
Always use the IAuthenticationResponse.ClaimedIdentifier to uniquely identify users!
OpenID's security model is based on this design. Using email addresses is insecure in many ways. Any Provider can issue a positive assertion claiming that the user owns a particular email address. OpenID doesn't prevent the OP from lying about email addresses, so if you just used email addresses and the user key then you'd be wide open to user spoofing attacks. Even if the OP isn't trying to be dishonest, you couldn't generally trust it because you don't know whether the OP verified the email address or simply asked the user what their email address was.
Even if you trust Google to not lie, there are several reasons (some of them can be mitigated, but aren't obvious) to not treat email address as the user identifier. For example, Google lets users change the email address behind their Google account. If the user did this and then returned to your web site, your site would identify them as a different user. Even worse, if another user later claimed a recycled email address for their new Google account, your site would recognize them as the older user and give the new user access to a bunch of old user data.
OpenID Claimed Identifiers are designed to avoid all this trouble.
