[OpenID] Supporting OpenID
Martin Atkins
mart at degeneration.co.uk
Sat Apr 12 19:32:41 UTC 2008
Will Merydith wrote:
> Paul, actually Yahoo! appends something like "#f8407" to the end of
> those identity uris when negotiating authentication. So the uri
> retrieved back from Yahoo is not the same as the one sent.
>
Yahoo! is using two techniques that are currently quite unusual, but are
allowed per the OpenID 2.0 specification:
* By default, users are assigned identifiers that are long, opaque
strings. This is to prevent the trivial mapping from OpenID Identifier
to Yahoo! email address. While the OpenID feature used to implement this
can be used to prevent correlation by presenting a different identifier
to each RP, Yahoo! isn't using it in this way.
* Where you see a fragment part on the URL (like your "#f8407" example
above), this is a "generation" identifier. If one user uses a particular
identifier, then that account gets closed (for whatever reason) and
another identical identifier is created, the fragment is used to
disambiguate them to RPs and to prevent the new identifier owner gaining
access to RP accounts of the previous owner.
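
An added example, not part of the original message or of any OpenID library: a sketch of how a relying party could key accounts on the full claimed identifier returned by the provider, fragment included, so that a recycled identifier never maps onto the previous owner's account. The AccountStore class, its method names, and the op.example identifiers are hypothetical; only the "#f8407" fragment comes from the thread.

```python
from urllib.parse import urldefrag


class AccountStore:
    """Hypothetical RP account table keyed by the full claimed identifier."""

    def __init__(self):
        self._by_claimed_id = {}  # identifier with fragment -> account name
        self._generations = {}    # fragment-less URL -> fragments seen so far

    def login(self, claimed_id, new_account_name):
        """Map an already-verified claimed identifier to an account.

        Returns (account, status) where status is "existing", "new" or
        "recycled". "recycled" means the same URL was seen before with a
        different generation fragment, so a fresh account is created
        instead of reusing the previous owner's.
        """
        if claimed_id in self._by_claimed_id:
            return self._by_claimed_id[claimed_id], "existing"
        url, fragment = urldefrag(claimed_id)
        seen = self._generations.setdefault(url, set())
        status = "recycled" if seen else "new"
        seen.add(fragment)
        self._by_claimed_id[claimed_id] = new_account_name
        return new_account_name, status


def display_identifier(claimed_id):
    """Identifier to show to the user: the URL without its fragment."""
    return urldefrag(claimed_id).url


def demo():
    # Constructed identifiers: same opaque URL, two generations.
    first = "https://op.example/a/opaque123#f8407"
    second = "https://op.example/a/opaque123#a1b2c"
    store = AccountStore()
    return [
        store.login(first, "alice"),   # first owner signs up
        store.login(first, "unused"),  # same owner returns
        store.login(second, "bob"),    # identifier reissued to someone else
        store.login(first, "unused"),  # old generation still maps to alice
    ]


if __name__ == "__main__":
    for account, status in demo():
        print(account, status)
```

The "recycled" status is a natural place to write an audit log entry, since it records that an identifier URL the RP already knew has changed hands.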