When trying to log into CiviCRM with an OpenID, and the OpenID is validated, but the user is not known to CiviCRM and is thus not allowed to log in, a contact record is created from the OpenID info. This is bad for several reasons:
1) Probably the most common use case: after failing to log in, the user contacts me and asks me to grant access. I go ahead and create a contact for him, provide his OpenID, and check the "allowed to log in" box. Now the user will STILL FAIL TO LOG IN. The reason is that there are now TWO RECORDS with the same OpenID, one allowed to log in, the other not. More specifically, there are two records for the same OpenID in the civicrm_openid table, one with allowed_to_login = 0, and one with allowed_to_login = 1. This means access will be denied (at least if the one that has no access has the lower ID - I did not try the reverse case).
2) There may already be a record for that person, but it doesn't have an OpenID assigned. This leads to duplicate entries.
3) That person may have no reason to log in, and I would have no reason to have his contact record. It just causes clutter. This may go unnoticed for a while, too, and cause confusion at some point.
4) The person may have mistakenly tried to log into my site. He now left all his private info.
There are two things that should be done about this:
1) do NOT automatically create a contact record upon successful OpenID verification, unless the user is actually allowed to log in, and does not yet have a user record (only happens with CIVICRM_ALLOW_ALL set). In that case, prompt the user for additional info, just like when creating the initial account.
2) Warn when manually creating a contact with an OpenID already used for another contact. Perhaps even make it a database-level constraint that an OpenID may be used only once. Maybe this is a bit harsh... but if the OpenID is used as a login token, then it's probably necessary.
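
The following is an added example, not part of the original report and not CiviCRM's code. It models the reported duplicate-row failure and the proposed database-level uniqueness constraint in an in-memory SQLite table. The simplified schema, the lowest-id lookup rule, the index name and the sample OpenID are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for civicrm_openid (simplified, constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE civicrm_openid (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        contact_id INTEGER NOT NULL,
        openid TEXT NOT NULL,
        allowed_to_login INTEGER NOT NULL DEFAULT 0)""")
    return db

def add_openid(db, contact_id, openid, allowed):
    db.execute("INSERT INTO civicrm_openid (contact_id, openid, allowed_to_login)"
               " VALUES (?, ?, ?)", (contact_id, openid, int(allowed)))

def may_login(db, openid):
    """Assumed lookup: the row with the lowest id decides (models the report)."""
    row = db.execute("SELECT allowed_to_login FROM civicrm_openid"
                     " WHERE openid = ? ORDER BY id LIMIT 1", (openid,)).fetchone()
    return bool(row and row[0])

def duplicate_openids(db):
    """OpenIDs stored on more than one row, with min/max of the login flag."""
    return db.execute("""SELECT openid, COUNT(*), MIN(allowed_to_login),
                                MAX(allowed_to_login)
                         FROM civicrm_openid
                         GROUP BY openid HAVING COUNT(*) > 1""").fetchall()

def enforce_unique(db):
    """Database-level constraint; creation fails while duplicates still exist."""
    db.execute("CREATE UNIQUE INDEX uq_openid ON civicrm_openid (openid)")

def demo():
    db = make_db()
    oid = "https://alice.example/openid"   # constructed sample value
    add_openid(db, 101, oid, False)        # row auto-created by the failed login
    add_openid(db, 102, oid, True)         # row the administrator adds later
    denied = not may_login(db, oid)        # lower-id row wins: still denied
    dups = duplicate_openids(db)           # audit query finds the conflict
    db.execute("DELETE FROM civicrm_openid WHERE contact_id = 101")  # remove stray row
    enforce_unique(db)
    try:
        add_openid(db, 103, oid, False)    # a second row is now rejected
        blocked = False
    except sqlite3.IntegrityError:
        blocked = True
    return denied, dups, may_login(db, oid), blocked

if __name__ == "__main__":
    print(demo())
```

The audit query in `duplicate_openids` is the part to run first on a real table: the unique index cannot be created until every OpenID it returns has been reduced to a single row.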