Using email address as OpenID identifier

James Henstridge james at jamesh.id.au
Wed Apr 2 05:27:54 UTC 2008


On 02/04/2008, Paul E. Jones <paulej at packetizer.com> wrote:
> Brad,
>
> Your point about DNS limitations is valid.  Then again, anybody who will be
> offering the open identity server is likely going to have control over their
> DNS.  Still, I'm not opposed to alternatives.
>
> But, since you brought up the fact that one can enter yahoo.com and get
> redirected, I checked and, indeed, several OpenID sites already accept the
> e-mail ID as a form of identification—and I can get redirected to either
> Yahoo or MyOpenID.com.  So, do some of the libraries already check for
> e-mail address forms?  It seems that perhaps they do!

What you are seeing is probably not what you expect:

>>> from openid.consumer.discover import discover
>>> claimed_id, services = discover('anything@yahoo.com')
>>> for service in services:
...     print 'Local ID:', service.getLocalID()
...     print 'Server URL:', service.server_url
...
Local ID: None
Server URL: https://open.login.yahooapis.com/openid/op/auth
>>> claimed_id
'http://www.yahoo.com/'

What is happening is that "anything@yahoo.com" is being treated as
"http://anything@yahoo.com/", and "http://yahoo.com" results in an
identifier select endpoint that will work for any Yahoo user.

Note that the HTTP username isn't being used for anything here, and
you'll get the same result by just entering "yahoo.com".  I wonder if
the Yahoo guys had considered this, or if it is just a happy accident?

James.
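
The normalization described in the message above, as an added example that is not part of the original post and does not use python-openid: a simplified version of the OpenID 2.0 section 7.2 input rules, showing that an e-mail-shaped input becomes an http URL whose userinfo plays no part in choosing the discovery host. The function names (normalize, inspect, looks_like_email) and the sample inputs are assumptions made for illustration; a relying party could use such a check to notice that the address the user typed is not what will be verified.

```python
from urllib.parse import urlsplit

# XRI global context symbols, plus "(" (OpenID 2.0, section 7.2)
XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")

def normalize(user_input):
    """Simplified OpenID 2.0 normalization: returns (kind, identifier)."""
    ident = user_input.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident.startswith(XRI_PREFIXES):
        return "xri", ident
    # Anything else is treated as an http URL; add the scheme if missing.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    # Fragments are stripped before discovery.
    return "url", ident.split("#", 1)[0]

def inspect(user_input):
    """Show which host discovery would contact and what userinfo is dropped."""
    kind, ident = normalize(user_input)
    if kind == "xri":
        return {"kind": kind, "identifier": ident, "host": None, "userinfo": None}
    parts = urlsplit(ident)
    return {
        "kind": kind,
        "identifier": ident,
        "host": parts.hostname,      # the only part that selects the endpoint
        "userinfo": parts.username,  # "anything" in "anything@yahoo.com"
    }

def looks_like_email(user_input):
    """True when the input normalizes to a URL carrying userinfo, i.e. the
    'user' half of an e-mail-shaped input would not identify anyone."""
    info = inspect(user_input)
    return info["kind"] == "url" and info["userinfo"] is not None

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("anything@yahoo.com", "someone.else@yahoo.com", "yahoo.com"):
        print(sample, "->", inspect(sample), "email-shaped:", looks_like_email(sample))
```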
