[OpenID] OpenID based on email addresses... Just Works!

David Recordon drecordon at sixapart.com
Wed Oct 29 14:48:13 UTC 2008 

Yeah, I think this general approach with the addition of knowing it is  
an email, doing directed identity, and passing the email as  
OpenID.identity is a good one. I really prefer to find a simple  
solution that doesn't involve running a mapping service or mucking  
with DNS.

---
Sent from my iPhone Classic.

On Oct 29, 2008, at 7:44 AM, "Andrew Arnott" <andrewarnott at gmail.com>  
wrote:

> This method does use directed identity, but as such it does not  
> provide the email address in the openid.identity field and it would  
> be contrary to the spec to do so.  Perhaps though you were  
> suggesting that a future version support this?  (I would be in favor  
> of investigating this as well).
>
> On Wed, Oct 29, 2008 at 7:20 AM, David Recordon <drecordon at sixapart.com 
> > wrote:
> I'm a fan of this method, basically doing the directed identity flow  
> and passing the user input (daveman692 at yahoo.com) in as  
> openid.identity in the request.
>
> --David
>
> On Oct 28, 2008, at 9:14 AM, Andrew Arnott wrote:
>
>> I was going through the logs of my test RP and was surprised to see  
>> what looked like the efforts of someone who didn't understand how  
>> OpenID worked.  One of the attempts included just using a Yahoo!  
>> email address.  Guess what?!  It worked.
>>
>> It worked because (at least in .NET), the URL may validly include a  
>> user@ portion, as has been discussed on this list recently.  It's  
>> just quietly dropped.  That left "http://yahoo.com" as the  
>> identifier to perform discovery on, which of course worked.  To the  
>> user, the experience is nearly perfect.  They see Yahoo where they  
>> must log in, choose an identifier, and then return to the RP.  The  
>> only weirdness is that although the Claimed Identifier will always  
>> be right, if for prettiness' sake the RP were to display the user- 
>> supplied-identifier as the user originally typed it in that it  
>> might not match who actually logged into Yahoo.
>>
>> For instance, I can type in yourname at yahoo.com and completely log  
>> in, even though that's not my email address.  The claimed ID is  
>> mine, and that's what really matters, but it's a little quirky  
>> (from the end user's perspective) that I can type in anyone's yahoo  
>> email address and it just works.  As a new user I may think that I  
>> managed to log in as someone else.
>>
>> Again, I know why all this works based on the spec and my  
>> implementation of it; I just didn't expect that email discovery  
>> would come without at least some work (perhaps to trim off the  
>> username@ part).  So I was pleasantly surprised.
>>
>> Anyway, something to think about.
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20081029/903b22b8/attachment-0002.htm>

More information about the general mailing list