I have a (typical?) scenario: that my app's users can use multiple openids mapped to one app account (like stackoverflow). For me the unique thing on the account is the email address, so this binds openids to the profile.

Question is, how to allow a user to start using a second openid once one is setup. I am asking as I have read that it is a security hole to allow automatic account > openid syncing simply based on the provider-supplied email address as someone could easily spoof someone's email address to create a spoof openid and falsely access the account (how I am not sure) - although this seems to be exactly how stack operates.

See options a. and b. below. Problem for me with a. is what happens if the original openid no longer works for whatever reason - how would you set-up a new openid? Would b. be more acceptable if we used email verification?

Does anyone have an article detailing a "standard" way (set of user stories) for this - it seems to be an increasingly popular way to authenticate.

I have tried to detail this in a rough decision tree...

1. My Site > authentication landing page - user chooses an openid (facebook, google, myopenid etc), redirection >
2. Provider site returns with token (includes user registering a new openid, logging in or is already logged in to Provider site)
3. My Site > use token id to lookup user 

    3.1 Profile exists?

       Yes > authenticate. ends.

       No >

         3.1.1 was email address supplied by provider?
         Yes > lookup user by email address 
           3.1.1.1 Profile exists?
           Yes > a. error message - please login with existing openid and associate this openid (from special page)
           Yes > b. or associate this openid with existing profile automatically. authenticate. ends.

           No > Register profile. With registration email address follow 3.1.1, except this time where email is unique, we will associate openid. ends