[OpenID] OpenID based on email addresses... Just Works!

Drummond Reed drummond.reed at cordance.net
Wed Oct 29 15:10:01 UTC 2008


If there were a clean way for the RP to pass the "display identifier" and
let the OP return both that and a safe, persistent identifier as the claimed
identity (either a hash URL or an XRI i-number), it would solve many
usability problems.

=Drummond

  _____

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of David Recordon
Sent: Wednesday, October 29, 2008 7:48 AM
To: Andrew Arnott
Cc: OpenID List
Subject: Re: [OpenID] OpenID based on email addresses... Just Works!

Yeah, I think this general approach with the addition of knowing it is an
email, doing directed identity, and passing the email as OpenID.identity is
a good one. I really prefer to find a simple solution that doesn't involve
running a mapping service or mucking with DNS.

---

Sent from my iPhone Classic.


On Oct 29, 2008, at 7:44 AM, "Andrew Arnott" <andrewarnott at gmail.com> wrote:

This method does use directed identity, but as such it does not provide the
email address in the openid.identity field and it would be contrary to the
spec to do so.  Perhaps though you were suggesting that a future version
support this?  (I would be in favor of investigating this as well).  

On Wed, Oct 29, 2008 at 7:20 AM, David Recordon <drecordon at sixapart.com> wrote:

I'm a fan of this method, basically doing the directed identity flow and
passing the user input (daveman692 at yahoo.com) in as openid.identity in
the request.

--David

On Oct 28, 2008, at 9:14 AM, Andrew Arnott wrote:

I was going through the logs of my test RP
<http://nerdbank.org/RP/login.aspx> and was surprised to see what looked
like the efforts of someone who didn't understand how OpenID worked.  One of
the attempts included just using a Yahoo! email address.  Guess what?!  It
worked.


It worked because (at least in .NET), the URL may validly include a user@
portion, as has been discussed on this list recently.  It's just quietly
dropped.  That left "http://yahoo.com" as the identifier to perform
discovery on, which of course worked.  To the user, the experience is
nearly perfect.  They see Yahoo where they must log in, choose an
identifier, and then return to the RP.  The only weirdness is that
although the Claimed Identifier will always be right, if for prettiness'
sake the RP were to display the user-supplied-identifier as the user
originally typed it in, it might not match who actually logged into
Yahoo.

For instance, I can type in yourname at yahoo.com and completely log in,
even though that's not my email address.  The claimed ID is mine, and
that's what really matters, but it's a little quirky (from the end user's
perspective) that I can type in anyone's Yahoo email address and it just
works.  As a new user I may think that I managed to log in as someone
else.

Again, I know why all this works based on the spec and my implementation of
it; I just didn't expect that email discovery would come without at least
some work (perhaps to trim off the username@ part).  So I was pleasantly
surprised.


Anyway, something to think about.

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
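
Added example, not part of any message in this thread: a Python sketch of the behaviour discussed above, where the user@ portion of the typed identifier is dropped before discovery, and of an RP that displays the typed text only when it matches the claimed identifier the OP returned. The function names and the CLAIMED_ID value are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed claimed identifier standing in for what the OP returns after
# directed identity; not a real account.
CLAIMED_ID = "https://yahoo.com/id/constructed-example"


def normalize_user_input(user_input):
    """Return (discovery_url, dropped_userinfo) for a URL-style identifier."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text  # no scheme typed: assume http
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) identifier: %r" % user_input)
    # Everything before the last "@" in the authority is userinfo. Discovery
    # contacts the host only, so this part never reaches the OP.
    userinfo = parts.netloc.rpartition("@")[0] or None
    host = parts.hostname
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    url = urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))
    return url, userinfo


def safe_display(user_input, claimed_id):
    """Pick the string an RP shows to the user after a positive assertion."""
    discovery_url, userinfo = normalize_user_input(user_input)
    # Echo the typed text only if it is exactly what the OP asserted.
    if userinfo is None and discovery_url == claimed_id:
        return user_input
    return claimed_id


if __name__ == "__main__":
    for typed in ("yourname@yahoo.com", "yahoo.com"):
        print(typed, "->", normalize_user_input(typed),
              "| show:", safe_display(typed, CLAIMED_ID))
```

An RP can also log a non-empty dropped_userinfo value, since it marks logins where the typed text named an account the OP never confirmed.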

 

 
