[OpenID] Combining Google & Yahoo user experience research
Allen Tom
atom at yahoo-inc.com
Wed Oct 22 02:12:52 UTC 2008
Hi Martin,
The Yahoo OP returns the OpenID URL of the authenticated user in the
response, so the RP does know who the user is. I believe that this is
consistent with the OpenID 2.0 spec.
Thanks
Allen
Martin Atkins wrote:
> SitG Admin wrote:
>
>>> We should never ignore any part of what the user enters.
>>>
>> That's what I thought, but then Directed Identity takes 'me.yahoo.com'
>> and wants to turn it into a more meaningful username ;)
>>
>>
>
> If you read "me.yahoo.com" as "me at Yahoo!" then it makes sense.
>
> Yahoo!'s implementation is interesting in that (at least, when I last
> checked, which was admittedly several months ago) even if you enter your
> own identifier rather than the OP identifier it'll ignore the supplied
> identifier and just verify the authenticated user. This has the same
> effect as ignoring the user part of the email address; a user can be
> unexpectedly switched to a different user account. This is particularly
> troublesome when delegation is used.
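An added example, not part of the original thread and not code from Yahoo or any RP library: one way a relying party could handle the case discussed above, where the claimed identifier in the OP's response differs from the identifier the user entered. The function names, the `example` hosts and the discovery table are constructed; identifiers are assumed to be normalized and the assertion's signature and nonce already verified.

```python
from urllib.parse import urldefrag

# Constructed discovery results: identifier -> OP endpoints allowed to assert it.
DISCOVERED = {
    "https://op.example/u/alice": {"https://op.example/auth"},
    "https://op.example/u/bob": {"https://op.example/auth"},
    "https://blog.example/": {"https://op.example/auth"},  # delegates to the OP
}


def discover(identifier):
    """Stand-in for real OpenID discovery; returns the authorized endpoints."""
    return DISCOVERED.get(identifier, set())


def evaluate_assertion(entered, entered_is_op_identifier, asserted_claimed_id,
                       op_endpoint, discover=discover):
    """Decide what an RP does with an already signature-checked assertion.

    Returns (decision, identifier), where decision is "accept", "switched"
    or "reject".
    """
    # Fragments are not part of the identifier used for discovery or comparison.
    asserted, _ = urldefrag(asserted_claimed_id)
    requested, _ = urldefrag(entered)

    # The OP must be authorized for the identifier it actually asserted,
    # which may not be the one discovered when the request was built.
    if op_endpoint not in discover(asserted):
        return ("reject", None)

    # Directed identity: the user typed the OP identifier, so the OP choosing
    # the claimed identifier is the expected outcome.
    if entered_is_op_identifier or asserted == requested:
        return ("accept", asserted)

    # The user typed one claimed identifier and the OP asserted another.
    # Never sign them in as `requested`; surface the change instead of
    # silently switching accounts.
    return ("switched", asserted)
```

In the delegation case, `entered` is the delegating URL, so a response naming the OP-local identifier of whoever is signed in at the OP comes back as `"switched"` rather than as a login to the delegating URL's account.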