[OpenID] Problems with delegation and directed identity OPs

Deron Meranda deron.meranda at gmail.com
Mon Nov 10 07:50:51 UTC 2008


> As you note, this works on Yahoo!'s OP as well because it also ignores
> openid.identity.

No, Yahoo! does not strictly ignore openid.identity.  It does use
that field to pre-select among your set of identities.

For example if your Yahoo! account has multiple identities associated
with it, say X, Y and Z.

If using directed identities, i.e., openid.identity is set to
<http://specs.openid.net/auth/2.0/identifier_select>, then Yahoo! will
present the user with a drop-down selection box to allow them
to pick which identity of X, Y, or Z to send back to the RP.

However if the openid.identity is one of X, Y, or Z then Yahoo!
will NOT give the user a choice... it will instead auto-select
the given identity.

It is only when openid.identity is NOT identifier_select and also
not one of the logged-in user's identities that Yahoo will effectively
"ignore" it (effectively treating it as if it were identifier_select).
I believe this is legal.  The RP is then responsible for performing
additional discovery on the returned identity before it trusts it though.


> Arguably in both cases here the OP should fail and say that it can't
> make an assertion for the given identifier rather than sending back an
> assertion for a completely unrelated identifier. (i.e. "answering the
> wrong question".)

I'm not sure that the OP *MUST* fail, although it certainly *MAY*.
If the OP wants to send back a different identity then isn't it allowed
to?  It is the responsibility of the RP to ultimately decide whether it
likes the answer.

-- 
Deron Meranda
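The RP-side check the message refers to (re-doing discovery on the returned identity before trusting it, which OpenID Authentication 2.0 section 11.2 requires whenever the asserted identifier is not the one the RP sent) can be sketched in code. The following is an added example, not code from the message author or from any OpenID library; the discovery table, the example.com/example.net hostnames and the `Verdict` fields are constructed for illustration, and signature verification is assumed to happen elsewhere.

```python
"""Added example: deciding whether a positive OpenID 2.0 assertion is bound to
the OP that is actually authoritative for the returned claimed identifier, and
whether it answers the question the RP asked."""

from dataclasses import dataclass
from typing import Optional, Tuple

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed stand-in for discovery results: claimed_id -> (OP endpoint, OP-local id).
# A real RP performs Yadis/XRDS or HTML discovery on the identifier URL instead.
CONSTRUCTED_DISCOVERY = {
    "https://x.example.com/": ("https://op.example.com/server", "https://x.example.com/"),
    "https://y.example.com/": ("https://op.example.com/server", "https://y.example.com/"),
    "https://z.example.com/": ("https://op.example.com/server", "https://z.example.com/"),
}


def discover(claimed_id: str) -> Optional[Tuple[str, str]]:
    """Return (op_endpoint, op_local_id) for claimed_id, or None if discovery fails.

    A URL fragment is not part of the identifier for verification purposes,
    so it is stripped before the lookup.
    """
    return CONSTRUCTED_DISCOVERY.get(claimed_id.split("#", 1)[0])


@dataclass
class Verdict:
    valid: bool            # assertion comes from the OP discovered for claimed_id
    matches_request: bool  # claimed_id is the identifier the RP originally asked about
    rediscovered: bool     # RP had to perform discovery after receiving the response
    reason: str


def verify_assertion(requested_claimed_id: str,
                     stored_discovery: Optional[Tuple[str, str]],
                     response: dict) -> Verdict:
    """Check a positive assertion against the request the RP sent.

    requested_claimed_id: the openid.claimed_id the RP sent (IDENTIFIER_SELECT for
                          directed identity; openid.identity is then identifier_select too).
    stored_discovery:     (op_endpoint, op_local_id) the RP discovered before sending the
                          request, or None when it used identifier_select.
    response:             the openid.* fields of the assertion, keys without the prefix.
    """
    claimed_id = response.get("claimed_id")
    identity = response.get("identity")
    op_endpoint = response.get("op_endpoint")
    if not (claimed_id and identity and op_endpoint):
        return Verdict(False, False, False, "missing claimed_id, identity or op_endpoint")

    claimed_id = claimed_id.split("#", 1)[0]
    # Re-discovery is required when the RP asked for identifier_select, or when the OP
    # returned an identifier other than the one the RP asked about ("answering the
    # wrong question").  Only the RP's own discovery says who may assert that identifier.
    matches_request = (requested_claimed_id != IDENTIFIER_SELECT
                       and claimed_id == requested_claimed_id)
    if matches_request and stored_discovery is not None:
        expected, rediscovered = stored_discovery, False
    else:
        expected, rediscovered = discover(claimed_id), True
        if expected is None:
            return Verdict(False, matches_request, True,
                           "discovery on the returned claimed_id yielded nothing")

    exp_endpoint, exp_local_id = expected
    if op_endpoint != exp_endpoint:
        return Verdict(False, matches_request, rediscovered,
                       "asserting OP is not the OP discovered for claimed_id")
    if identity != exp_local_id:
        return Verdict(False, matches_request, rediscovered,
                       "openid.identity does not match the discovered OP-local id")
    return Verdict(True, matches_request, rediscovered, "ok")


if __name__ == "__main__":
    # Directed identity: the OP picked Y for the user; RP must discover Y afresh.
    print(verify_assertion(IDENTIFIER_SELECT, None, {
        "claimed_id": "https://y.example.com/", "identity": "https://y.example.com/",
        "op_endpoint": "https://op.example.com/server"}))
    # RP asked about X but got Y back: valid for Y, but not what was asked.
    print(verify_assertion("https://x.example.com/",
                           ("https://op.example.com/server", "https://x.example.com/"), {
        "claimed_id": "https://y.example.com/", "identity": "https://y.example.com/",
        "op_endpoint": "https://op.example.com/server"}))
```

The `matches_request` flag is kept separate from `valid` on purpose: a substituted identifier can be perfectly well-formed and correctly bound to its OP, and it is an RP policy decision (the "whether it likes the answer" in the message) whether to accept an identity it never asked about.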
