[OpenID] Problems with delegation and directed identity OPs
Martin Atkins
mart at degeneration.co.uk
Sat Nov 8 07:57:14 UTC 2008
Allen Tom wrote:
> How does someone delegate their OpenID URL to Google?
>
> Putting the following into the <head> section of the OpenID page:
>
> <link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud" />
>
> seems to allow *any* user with a Google account to sign in with the
> delegated OpenID.
I'm not sure I'm completely understanding the situation you're
describing, but unless the openid.identity in the returned assertion
matches the value of openid2.local_id discovered from openid.claimed_id,
the RP should fail because the delegation is invalid.

If you just put in the openid2.provider value and no openid2.local_id,
then you're effectively giving Google's OP carte blanche to make
assertions about that identifier, though I'm not sure why they would
make assertions about URLs outside of their own domain.
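
The relying-party check described in the reply above, as an added example that is not part of the original post or any OpenID library: it discovers openid2.provider and openid2.local_id from the claimed identifier's HTML and rejects an assertion whose openid.identity does not match. The identifiers under example.org and op.example are constructed, the fallback to the claimed identifier when no openid2.local_id is published is an assumption of this sketch, and signature, nonce and URL-normalization checks are out of scope.

```python
from html.parser import HTMLParser

class LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs (a sketch: not limited to <head>)."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links.setdefault(rel.lower(), a.get("href"))

def discover(html):
    """Return (op_endpoint, local_id) published on the claimed identifier's page."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links.get("openid2.provider"), parser.links.get("openid2.local_id")

def check_assertion(claimed_id, html, assertion):
    """Compare a positive assertion with what discovery on claimed_id yields."""
    endpoint, local_id = discover(html)
    if endpoint is None:
        return False, "no openid2.provider discovered"
    if assertion.get("openid.claimed_id") != claimed_id:
        return False, "claimed_id mismatch"
    if assertion.get("openid.op_endpoint") != endpoint:
        return False, "op_endpoint mismatch"
    # Assumption of this sketch: with no openid2.local_id published, the
    # expected identity falls back to the claimed identifier itself.
    expected = local_id or claimed_id
    if assertion.get("openid.identity") != expected:
        return False, "identity does not match delegation"
    return True, "ok"

# Constructed sample data (hypothetical identifiers, not from the thread).
OP = "https://www.google.com/accounts/o8/ud"
CLAIMED = "https://example.org/"
ALICE = "https://op.example/id/alice"
PROVIDER_ONLY = '<head><link rel="openid2.provider" href="%s" /></head>' % OP
PINNED = PROVIDER_ONLY.replace("</head>", '<link rel="openid2.local_id" href="%s" /></head>' % ALICE)

def assertion_for(identity):
    return {"openid.claimed_id": CLAIMED, "openid.op_endpoint": OP, "openid.identity": identity}

if __name__ == "__main__":
    for who in (ALICE, "https://op.example/id/mallory"):
        print(who, check_assertion(CLAIMED, PINNED, assertion_for(who)))
```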