[OpenID] Combining Google & Yahoo user experience research

Allen Tom atom at yahoo-inc.com
Thu Oct 23 21:58:05 UTC 2008


Hi Martin,

I believe that the OpenID 2.0 spec is ambiguous as to what the proper 
behavior is, and we interpreted it to the best of our understanding. 
Future revisions of the spec will hopefully clarify the proper behavior.

Thanks
Allen

Martin Atkins wrote:
> Allen Tom wrote:
>> Hi Martin,
>>
>> The Yahoo OP returns the OpenID URL of the authenticated user in the 
>> response, so the RP does know who the user is. I believe that this is 
>> consistent with the OpenID 2.0 spec.
>>
>
> The inconsistency I'm referring to is that, at least at the time I 
> tested it, Yahoo!'s endpoint did not look at the openid.identity 
> request field and check that the authenticated user is the same as the 
> user identified by the identity.
>
> In the directed identity case a magic value for openid.identity is 
> sent, but otherwise a particular user will be identified here who may 
> or may not be the same user that authenticates.
>
> Other OPs (for example, LiveJournal's) will respond in this situation 
> by returning an error message along the lines of "You entered the 
> wrong identifier. Your identifier is ...".
>
>
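As an added example (not code from the thread or from any OP or RP named in it), the check Martin describes, written in Python: the OP compares the openid.identity it was asked about with the user who actually logged in, and the RP compares the asserted identity with what it requested. Function and parameter names are assumed for illustration; the identifier_select value is the OpenID 2.0 directed-identity sentinel.

```python
# Added example: OP-side and RP-side identity consistency checks for an
# OpenID 2.0 checkid request/response. Names are constructed for illustration.

# Directed identity: the RP sends this instead of a specific user identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def op_decide_identity(request_params, authenticated_user_id):
    """OP side. request_params: dict of request fields ("openid.identity", ...).
    authenticated_user_id: identifier of the user who logged in at the OP.
    Returns ("ok", identity_to_assert) or ("error", message)."""
    requested = request_params.get("openid.identity")
    if requested is None:
        return ("error", "openid.identity missing from request")
    if requested == IDENTIFIER_SELECT:
        # Directed identity: the RP named no user, so assert whoever logged in.
        return ("ok", authenticated_user_id)
    if requested != authenticated_user_id:
        # The RP asked about one user and a different user authenticated.
        # Refuse rather than silently asserting the logged-in user (the
        # behaviour attributed to LiveJournal's OP in the thread).
        return ("error",
                "You entered the wrong identifier. Your identifier is "
                + authenticated_user_id)
    return ("ok", requested)


def rp_check_identity(requested_identity, response_params):
    """RP side. The asserted openid.identity must equal the identity the RP
    requested. With directed identity any asserted identity is acceptable
    here; the RP must then run discovery on it to verify the OP is
    authoritative for it before trusting the assertion."""
    asserted = response_params.get("openid.identity")
    if asserted is None:
        return False
    if requested_identity == IDENTIFIER_SELECT:
        return True
    return asserted == requested_identity
```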