[OpenID] Flickr / Yahoo OpenID implementation

Andrew Arnott andrewarnott at gmail.com
Tue Jan 13 05:22:49 UTC 2009


Yahoo! is leveraging something called directed identity.  It's legal per the
spec.  It's actually optional per-user, but Yahoo offers this as a default
specifically to prevent sites from knowing who their users are without the
users specifically telling them.
The only thing you can know when an OpenID user from Yahoo logs in using
that hashed claimed id, is that they are the same person who logged in last
time with that hashed URL.  No way to know who is behind the hash though.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Mon, Jan 12, 2009 at 9:17 PM, Ben Schwarz <ben.schwarz at gmail.com> wrote:

> Hi All,
>
> I'm looking to implement Flickr OpenID with Yahoo, unless I've incorrectly
> understood the specification; I believe they've implemented incorrectly /
> poorly.
>
> I make a request to auth with http://flickr.com/photos/benschwarz, which
> goes to yahoo; it allows me to auth successfully.
> The identity url returned by default, however is something like
> http://me.yahoo.com/some-hashed-url
>
> Without the correct identity url being returned, I have no way of knowing
> that my users are who they say they are.
>
> Have I missed a detail in using OpenID or have Yahoo implemented poorly?
>
>
> Cheers,
>
>
> Ben
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
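
The directed-identity case discussed in this thread, from the relying party's side, as an added example that is not part of the original messages or of any project's code. It assumes the assertion is already parsed into a dict and that signature, nonce and discovery checks on the returned claimed_id happen elsewhere; `account_key`, `AccountStore` and the sample URLs are hypothetical, and the equality check in the non-directed branch is a conservative policy chosen for this example.

```python
from urllib.parse import urldefrag

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"


def account_key(requested_claimed_id, assertion):
    """Return the identifier to key the local account on, or raise ValueError.

    Assumption: the caller has already verified the signature and nonce and
    has run discovery on the returned claimed_id (not shown here).
    """
    if assertion.get("openid.ns") != OPENID2_NS or assertion.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    returned = assertion.get("openid.claimed_id")
    if not returned:
        raise ValueError("assertion carries no claimed_id")
    if requested_claimed_id == IDENTIFIER_SELECT:
        # Directed identity: the OP picked the identifier, so there is nothing
        # to compare it with. The opaque URL itself is the stable account key.
        return returned
    # Non-directed flow (example policy): the OP must assert the identifier
    # that was requested; a fragment appended by the OP is tolerated.
    if urldefrag(returned).url != urldefrag(requested_claimed_id).url:
        raise ValueError("OP asserted a different identifier than requested")
    return returned


class AccountStore:
    """In-memory map from claimed identifier to local account number."""

    def __init__(self):
        self._by_claimed_id = {}

    def login(self, requested_claimed_id, assertion):
        key = account_key(requested_claimed_id, assertion)
        # First sight of an identifier creates an account; a later login with
        # the same opaque URL lands on the same account.
        return self._by_claimed_id.setdefault(key, len(self._by_claimed_id) + 1)


if __name__ == "__main__":
    # Constructed sample assertion; the claimed_id is a made-up opaque URL.
    sample = {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
              "openid.claimed_id": "https://me.yahoo.com/a/constructed-opaque-1"}
    store = AccountStore()
    print(store.login(IDENTIFIER_SELECT, sample), store.login(IDENTIFIER_SELECT, sample))
```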