OpenID Email Discovery

Eran Hammer-Lahav eran at hueniverse.com
Thu Jan 3 21:01:58 UTC 2008


(The full story is posted at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html but this contains the technical parts of the post).

This proposal adds Email Discovery allowing users to use their email address as an OpenID.

...

We need to map between the email to the OpenID identifier and this is where DNS comes in. DNS already has a system for resolving email addresses into an actual server - email resolution using an MX record. Why not add a new record type for OpenID. Basically another way to perform OpenID discovery that is all about making it user-friendly.

All that is needed is a URL the site performing discovery can append the email to and treat it as an OpenID identifier. This can be done using a OpenID TXT record: 'OpenID [username rule] [priority] [URL]' where [username rule] is a wildcard expression used to match the username part of the email (everything up to the '@'), [priority] is the MX-like priority value, and [URL] is the URL used to generate the OpenID identifier. The URL uses '*' to indicate where the username is inserted, and '**' to indicate where the full, URL-encoded, email address is inserted (both optional). For example:

example.com   TXT   'OpenID * 10 http://*.example.com/'
example.com   TXT   'OpenID joe 10 http://example.org/openid?**'

Which reads: for any email address '@example.com' other than 'joe' use 'http://username.example.com/' as the OpenID identifier. For email address 'joe at example.com' use 'http://example.org/openid?joe%40example.com' as the OpenID identifier. Rules are processed first based on the username rule match (in order of match closeness) and then on priority which is used in the same manner as MX records priority.

...

There are many ways to implement identity delegation, but in the context of email identifiers and simplifying the user experience, the idea is to move the delegation mapping to the OpenID provider. When users sign-up for a new OpenID, they will be given the option, perhaps as a premium paid service, to make the OpenID provider map incoming identity checks for the user email address with their local OpenID identifier. So instead of the users telling the site about their local identity (using delegation), the OpenID provider will perform the mapping.

In the above example, 'joe at example.com' has his OpenID managed by 'example.org'. When signing up for an OpenID at 'example.org', Joe asked it to accept identity requests for 'joe at example.com' or at least provide delegation discovery. When Joe tries to log into an OpenID-enabled site using 'joe at example.com', the site convert the email address to the URL 'http://example.org/openid?joe%40example.com' and use it like a regular OpenID identifier. 'example.org' will reply with the needed discovery information to get Joe authenticated using the OpenID protocol. By using the '**' symbol, the full email address is sent over to the OpenID provider which can perform mapping of identities other than its own local ones.

This can be viewed as hosted delegated identity where the OpenID provider also provides hosting of the OpenID delegation information for the user. It doesn't require any new standards except for implementation and support by OpenID providers.

---

Would love to get some feedback.

Thanks,

EHL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20080103/a15b7502/attachment-0002.htm>


More information about the specs mailing list