Attributing delegated OpenID identifiers to the "real" ident

Hi group! I’m playing with the ruby-openid gem, and was able to get
to a “hello world” state pretty easily, thanks to some of the recipes
out there. I’m able to display a page, have the user enter their
identifier, shoot off to their identity provider, and return, at
which time their openID identifier (and other profile extension data)
is included.

So if it were the case that every user had exactly one openID
identifier, I’d be totally happy.

But here’s the thing – I notice that some users have more than one
openID identifier, even though they may be delegates of each other.
For example, anything at “[username]” will
programatically delegate to “[username]”. So if I
thought the “pieisgood” page was a nifty hack (which I do), and my
normal username was “imaginaryuser”, it’s concievable
that I could arrive at my own consumer application EITHER with the
identifier “”, or the identifier”. But they’d both be me.

Now, I know that if I went and created a whole new OpenID identifier
out of whole cloth (, there’s no way that
my consumer application would or should recognize me as “me”. The
thing I’m going for is to recognize users that use identities that
are delegates to other identities, even though the identity returned
upon OpenID completion will be different. IF that’s making any sense.

I notice that jyte does this; I’ve logged in to jyte BOTH as
[username],[username], and using a hand-
rolled page on my own blog that delegates to [username],
and each time Jyte recognized that it was me, and simply added the
new identifiers to a list of “known identifiers” on my profile page.
So they’ve got this one licked.

Okay, here’s the question part (sorry to be so wordy): I know
CONCEPTUALLY how I would go about doing this, I think: in the part of
the library responsible for retrieving the OpenID identifier URL, I
would make note that the identity retrieved delegates to another, and
then I would have to store that relationship locally – including
BOTH the identity entered AND the eventual, delegated-to identifier,
so that when the user eventually returns with the approval for the
identity entered, I’d know to “attribute” that login to the delegated-
to identifier. "oh, you’ve authenticated as
imaginaryuser, have you? Well, when I was fetching your identity, I
remember that that was ACTALLY a delegate to
imaginaryuser, so I’ll show you logged in as “
imaginaryuser”, but I’m actually going to access the profile that I
associate with “”.

I can also think of some exception cases that I would have to handle:
what if the “pieisgood” author decided that they don’t like me, and
decided to delegate “” to”-- how would I go about making sure that
I didn’t “trust” the delegation links from session to session? What
other things am I overlooking? Whew!

It’s possible that the ruby-openid library already gives me the tools
to do this, but I’m afraid I’m in a bit over my head here. Is there
a description out there of how this is done, or (even better) a
working code sample that I could poke at to do this? I also haven’t
had much luck finding a “ruby-openid” group that I could pester with
this question. Can anyone steer me in the right direction?

Grateful regards,
John Young