[OpenID] OpenID based on email addresses... Just Works!

Andrew Arnott andrewarnott at gmail.com
Wed Oct 29 14:44:36 UTC 2008


This method does use directed identity, but as such it does not provide the
email address in the openid.identity field and it would be contrary to the
spec to do so.  Perhaps though you were suggesting that a future version
support this?  (I would be in favor of investigating this as well).

On Wed, Oct 29, 2008 at 7:20 AM, David Recordon <drecordon at sixapart.com> wrote:

> I'm a fan of this method, basically doing the directed identity flow and
> passing the user input (daveman692 at yahoo.com) in as openid.identity in the
> request.
> --David
>
> On Oct 28, 2008, at 9:14 AM, Andrew Arnott wrote:
>
> I was going through the logs of my test RP <http://nerdbank.org/RP/login.aspx> and
> was surprised to see what looked like the efforts of someone who didn't
> understand how OpenID worked.  One of the attempts included just using a
> Yahoo! email address.  Guess what?!  It worked.
> It worked because (at least in .NET), the URL may validly include a
> user@ portion, as has been discussed on this list recently.  It's just quietly
> dropped.  That left "http://yahoo.com" as the identifier to perform
> discovery on, which of course worked.  To the user, the experience is nearly
> perfect.  They see Yahoo where they must log in, choose an identifier, and
> then return to the RP.  The only weirdness is that although the Claimed
> Identifier will always be right, if for prettiness' sake the RP were to
> display the user-supplied-identifier as the user originally typed it in,
> it might not match who actually logged into Yahoo.
>
> For instance, I can type in yourname at yahoo.com and completely log in, even
> though that's not my email address.  The claimed ID is mine, and that's what
> really matters, but it's a little quirky (from the end user's perspective)
> that I can type in anyone's yahoo email address and it just works.  As a new
> user I may think that I managed to log in as someone else.
>
> Again, I know why all this works based on the spec and my implementation
> of it; I just didn't expect that email discovery would come without at least
> some work (perhaps to trim off the username@ part).  So I was pleasantly
> surprised.
>
> Anyway, something to think about.
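
Added example (not part of the original thread, and not the .NET library's code): a Python sketch of the behaviour described above, where the user@ part of the typed input is dropped before discovery, together with the check an RP can make so that it displays the Claimed Identifier rather than the typed text. The function names and the sample Claimed Identifier are constructed for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit

# First characters that mark an XRI rather than a URL in OpenID 2.0 normalization.
XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")


def normalize(user_input: str) -> str:
    """URL branch of OpenID 2.0 normalization: add http:// if missing, drop fragment."""
    text = user_input.strip()
    if text.lower().startswith("xri://") or text.startswith(XRI_PREFIXES):
        raise ValueError("XRI identifiers are out of scope for this sketch")
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    scheme, netloc, path, query, _fragment = urlsplit(text)
    return urlunsplit((scheme, netloc, path or "/", query, ""))


def discovery_target(user_input: str) -> tuple[str, str | None]:
    """Return (URL that discovery runs on, userinfo that was dropped or None)."""
    parts = urlsplit(normalize(user_input))
    userinfo, at, hostport = parts.netloc.rpartition("@")
    url = urlunsplit((parts.scheme, hostport.lower(), parts.path, parts.query, ""))
    return url, (userinfo if at else None)


def post_login_view(user_input: str, claimed_id: str) -> tuple[str, str | None]:
    """Return (identifier to display, note for the user or None).

    Only the Claimed Identifier asserted by the OP is displayed. The typed
    user@ part never reached the OP, so echoing it back would suggest the
    user logged in as that address.
    """
    _url, dropped = discovery_target(user_input)
    note = None
    if dropped is not None:
        note = f"'{dropped}@' in what you typed was ignored; nobody verified it"
    return claimed_id, note


if __name__ == "__main__":
    claimed = "https://me.yahoo.com/a/constructed-example"  # constructed sample value
    for typed in ("yourname@yahoo.com", "daveman692@yahoo.com", "yahoo.com"):
        print(typed, "->", discovery_target(typed), post_login_view(typed, claimed))
```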