[OpenID] Combining Google & Yahoo user experience research
Allen Tom
atom at yahoo-inc.com
Wed Oct 22 02:34:23 UTC 2008
George Fletcher wrote:
> I don't think the OP should ignore it... but if the user is already
> signed into the OP with a different identifier, then the user should be
> presented with the situation (you are currently signed in with x but
> specified y) and be allowed to choose what to do next (either continue
> with x, or logout x and attempt to authenticate y).
>
>
> Also, if the RP is passing the whole "email address" to the OP, does
> that just go in the openid.claimed_id parameter of the authentication
> request? I'm assuming that "Normalization (section 7.2)" will have no
> issues with resolving http://user@example.com?
>
>
Just as a clarification - I believe that a case could be made to allow
the OP to return a different identifier than what was claimed; however,
the spec must be unambiguous about this.
> I did some simple testing and at least one major site doesn't handle the
> current "Accept: application/xrds+xml" header on requests to
> http://user@example.com.
>
There's definitely room for improvement for clarifying how OpenID
discovery is supposed to work. Hopefully, discovery can be clarified in
a future version of the spec.
Allen