[OpenID] OpenID based on email addresses... Just Works!

David Recordon drecordon at sixapart.com
Wed Oct 29 14:20:05 UTC 2008


I'm a fan of this method, basically doing the directed identity flow  
and passing the user input (daveman692 at yahoo.com) in as  
openid.identity in the request.

--David

On Oct 28, 2008, at 9:14 AM, Andrew Arnott wrote:

> I was going through the logs of my test RP and was surprised to see  
> what looked like the efforts of someone who didn't understand how  
> OpenID worked.  One of the attempts included just using a Yahoo!  
> email address.  Guess what?!  It worked.
>
> It worked because (at least in .NET), the URL may validly include a  
> user@ portion, as has been discussed on this list recently.  It's  
> just quietly dropped.  That left "http://yahoo.com" as the  
> identifier to perform discovery on, which of course worked.  To the  
> user, the experience is nearly perfect.  They see Yahoo where they  
> must log in, choose an identifier, and then return to the RP.  The  
> only weirdness is that although the Claimed Identifier will always  
> be right, if for prettiness' sake the RP were to display the  
> user-supplied-identifier as the user originally typed it in, it might  
> not match who actually logged into Yahoo.
>
> For instance, I can type in yourname at yahoo.com and completely log  
> in, even though that's not my email address.  The claimed ID is  
> mine, and that's what really matters, but it's a little quirky (from  
> the end user's perspective) that I can type in anyone's yahoo email  
> address and it just works.  As a new user I may think that I managed  
> to log in as someone else.
>
> Again, I know why all this works based on the spec and my  
> implementation of it; I just didn't expect that email discovery  
> would come without at least some work (perhaps to trim off the  
> username@ part).  So I was pleasantly surprised.
>
> Anyway, something to think about.
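
An added illustration, not code from either message or from any OpenID library: a Python sketch of how an RP could normalize the typed identifier, record that a `user@` portion was dropped, and display the Claimed Identifier rather than what the user typed. The function names and the sample Claimed Identifier are assumptions constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_user_input(user_input):
    """Return (discovery_url, dropped_userinfo) for a user-supplied identifier.

    Only URL-style input is handled here (no XRIs, no IPv6 literals).
    """
    text = user_input.strip()
    if "://" not in text:
        # No scheme given: treat the input as an http URL.
        # "yourname@yahoo.com" then parses as userinfo "yourname" + host "yahoo.com".
        text = "http://" + text
    parts = urlsplit(text)
    host = parts.hostname  # lowercased, without userinfo or port
    if not host:
        raise ValueError("identifier has no host: %r" % user_input)
    # Keep whatever preceded the last "@" so the RP can log or flag it.
    dropped = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else None
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    # An empty path becomes "/" and the fragment is dropped during normalization.
    url = urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))
    return url, dropped


def login_summary(user_input, claimed_id):
    """Decide what the RP shows after a successful assertion.

    claimed_id is the verified Claimed Identifier returned by the OP.
    The typed input is never used as the account identity or display name,
    because its user@ portion played no part in authentication.
    """
    discovery_url, dropped = normalize_user_input(user_input)
    return {
        "discovery_url": discovery_url,
        "display_as": claimed_id,
        "typed_userinfo_ignored": dropped,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread's logs.
    sample_claimed_id = "https://me.yahoo.com/a/CONSTRUCTED_EXAMPLE"
    print(login_summary("yourname@yahoo.com", sample_claimed_id))
```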
