[OpenID] Combining Google & Yahoo user experience research

Martin Atkins mart at degeneration.co.uk
Wed Oct 22 02:35:37 UTC 2008


Allen Tom wrote:
> Hi Martin,
> 
> The Yahoo OP returns the OpenID URL of the authenticated user in the 
> response, so the RP does know who the user is. I believe that this is 
> consistent with the OpenID 2.0 spec.
> 

The inconsistency I'm referring to is that, at least at the time I 
tested it, Yahoo!'s endpoint did not look at the openid.identity request 
field and check that the authenticated user is the same as the user 
identified by the identity.

In the directed identity case a magic value for openid.identity is sent, 
but otherwise a particular user will be identified here who may or may 
not be the same user that authenticates.

Other OPs (for example, LiveJournal's) will respond in this situation by 
returning an error message along the lines of "You entered the wrong 
identifier. Your identifier is ...".
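
Added example, not part of the original message and not any OP's actual code: a sketch of the OP-side check discussed above, comparing the `openid.identity` request field with the user who actually authenticated. The function names, the return shape and the sample identifiers are assumptions made for illustration; the `identifier_select` URL is the directed-identity value defined by OpenID Authentication 2.0.

```python
from urllib.parse import urlsplit, urlunsplit

# Directed-identity "magic value" from OpenID Authentication 2.0.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def normalize(identifier):
    """Lower-case scheme and host, use '/' for an empty path, drop the fragment."""
    parts = urlsplit(identifier.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def decide(request, authenticated_identifier):
    """Hypothetical OP decision, taken after the user has logged in.

    request: dict of openid.* request fields.
    authenticated_identifier: identifier of the user who logged in at the OP.
    Returns ("assert", response_fields) or ("error", message).
    """
    requested = request.get("openid.identity")
    if requested is None:
        # Requests that are not about an identifier are outside this sketch.
        return ("error", "request carries no openid.identity")

    if requested == IDENTIFIER_SELECT:
        # Directed identity: the OP picks the identifier to assert.
        return ("assert", {"openid.mode": "id_res",
                           "openid.claimed_id": authenticated_identifier,
                           "openid.identity": authenticated_identifier})

    if normalize(requested) != normalize(authenticated_identifier):
        # The RP asked about one user, but a different user authenticated.
        return ("error", "You entered the wrong identifier. "
                         "Your identifier is " + authenticated_identifier)

    return ("assert", {"openid.mode": "id_res",
                       "openid.claimed_id": request.get("openid.claimed_id",
                                                        requested),
                       "openid.identity": requested})


# Constructed sample identifiers, not real accounts.
ALICE = "https://alice.example.org/"
BOB = "https://bob.example.org/"

if __name__ == "__main__":
    print(decide({"openid.identity": IDENTIFIER_SELECT}, ALICE))
    print(decide({"openid.identity": BOB}, ALICE))
```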




