[OpenID] OpenID based on email addresses... Just Works!
Andrew Arnott
andrewarnott at gmail.com
Tue Oct 28 16:14:08 UTC 2008
I was going through the logs of my test RP
<http://nerdbank.org/RP/login.aspx> and
was surprised to see what looked like the efforts of someone who didn't
understand how OpenID worked. One of the attempts included just using a
Yahoo! email address. Guess what?! It worked.
It worked because (at least in .NET), the URL may validly include a
user@ portion, as has been discussed on this list recently. It's just
quietly dropped. That left "http://yahoo.com" as the identifier to perform
discovery on, which of course worked. To the user, the experience is nearly
perfect. They see Yahoo where they must log in, choose an identifier, and
then return to the RP. The only weirdness is that although the Claimed
Identifier will always be right, if for prettiness' sake the RP were to
display the user-supplied identifier as the user originally typed it in,
it might not match who actually logged into Yahoo.
For instance, I can type in yourname@yahoo.com and completely log in, even
though that's not my email address. The claimed ID is mine, and that's what
really matters, but it's a little quirky (from the end user's perspective)
that I can type in anyone's Yahoo email address and it just works. As a new
user I may think that I managed to log in as someone else.
Again, I know why all this works based on the spec and my implementation of
it; I just didn't expect that email discovery would come without at least
some work (perhaps to trim off the username@ part). So I was pleasantly
surprised.
Anyway, something to think about.
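
The behaviour described in the message above, as an added example that is not part of the original post or of any RP library: an RP-side normalizer that removes the userinfo part explicitly and a label helper that shows only the Claimed Identifier. The function names, the notice text and the `op.example` claimed ID are assumptions made for illustration, and only URL-style (not XRI) identifiers are handled.

```python
from urllib.parse import urlsplit, urlunsplit

def normalize_user_input(user_input):
    """Return (discovery_url, had_userinfo) for a URL-style OpenID identifier.

    The userinfo ("user@") part takes no part in discovery, so it is removed
    here explicitly and reported instead of being dropped without a trace.
    """
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text          # OpenID 2.0: no scheme means http
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) identifier: %r" % user_input)
    had_userinfo = "@" in parts.netloc
    host = parts.netloc.rsplit("@", 1)[-1].lower()
    # Empty path becomes "/"; the fragment is stripped before discovery.
    url = urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))
    return url, had_userinfo

def login_label(user_input, claimed_id):
    """What the RP shows after a successful assertion.

    Always the Claimed Identifier returned by the OP, never the typed text.
    The notice does not echo the userinfo, which may contain a password.
    """
    _, had_userinfo = normalize_user_input(user_input)
    notice = None
    if had_userinfo:
        notice = "The part before '@' in what you typed was ignored."
    return claimed_id, notice

if __name__ == "__main__":
    # Constructed sample values, not taken from any real login.
    typed = "yourname@yahoo.com"
    claimed = "https://op.example/id/constructed-user"
    print(normalize_user_input(typed))
    print(login_label(typed, claimed))
```

Keying accounts and display names on the Claimed Identifier alone keeps the typed address from being mistaken for the identity that actually authenticated.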