Attributing delegated OpenID identifiers to the "real" identifier at login?

Hi group! I'm playing with the ruby-openid gem, and was able to get to a "hello world" state pretty easily, thanks to some of the recipes out there. I'm able to display a page, have the user enter their identifier, shoot off to their identity provider, and return, at which time their openID identifier (and other profile extension data) is included.

So if it were the case that every user had exactly one openID identifier, I'd be totally happy.

But here's the thing -- I notice that some users have more than one openID identifier, even though they may be delegates of each other. For example, anything at "[username]" will programatically delegate to "[username]". So if I thought the "pieisgood" page was a nifty hack (which I do), and my normal username was "imaginaryuser", it's concievable that I could arrive at my own consumer application EITHER with the identifier "", or the identifier "". But they'd both be me.

Now, I know that if I went and created a whole new OpenID identifier out of whole cloth (, there's no way that my consumer application would or should recognize me as "me". The thing I'm going for is to recognize users that use identities that are delegates to other identities, even though the identity returned upon OpenID completion will be different. IF that's making any sense.

I notice that jyte does this; I've logged in to jyte BOTH as [username],[username], and using a hand-rolled page on my own blog that delegates to [username], and each time Jyte recognized that it was me, and simply added the new identifiers to a list of "known identifiers" on my profile page. So they've got this one licked.

Okay, here's the question part (sorry to be so wordy): I know CONCEPTUALLY how I would go about doing this, I think: in the part of the library responsible for retrieving the OpenID identifier URL, I would make note that the identity retrieved delegates to another, and then I would have to store that relationship locally -- including BOTH the identity entered AND the eventual, delegated-to identifier, so that when the user eventually returns with the approval for the identity entered, I'd know to "attribute" that login to the delegated-to identifier. "oh, you've authenticated as, have you? Well, when I was fetching your identity, I remember that that was ACTALLY a delegate to, so I'll show you logged in as "", but I'm actually going to access the profile that I associate with "".

I can also think of some exception cases that I would have to handle: what if the "pieisgood" author decided that they don't like me, and decided to delegate "" to ""-- how would I go about making sure that I didn't "trust" the delegation links from session to session? What other things am I overlooking? Whew!

It's possible that the ruby-openid library already gives me the tools to do this, but I'm afraid I'm in a bit over my head here. Is there a description out there of how this is done, or (even better) a working code sample that I could poke at to do this? I also haven't had much luck finding a "ruby-openid" group that I could pester with this question. Can anyone steer me in the right direction?

Grateful regards, John Young