[OpenID] Flickr / Yahoo OpenID implementation

Ben Schwarz ben.schwarz at gmail.com
Tue Jan 13 06:13:32 UTC 2009


Except, when I use the Yahoo OpenID service, I say:

	Hi, I'm http://flickr.com/photos/lukesheppard

Yahoo asks me to sign in (as myself); I do, and I can choose which OpenID I
want to respond with (flickr.com/photos/benschwarz or the me.yahoo hashed one).

	Yahoo then returns a successful response

How do I, as a developer, know that I'm really not lukesheppard?


Cheers,

Ben



On 13/01/2009, at 4:59 PM, Luke Shepard wrote:

> If you go to http://flickr.com/photos/benschwarz, you’ll see this tag:
>
>  <link rel="openid2.provider" href="https://open.login.yahooapis.com/openid/op/auth" />
>
> That basically says “I authorize Yahooapis.com to say who I am”. So
> you attempt to log in as X, and X says “trust Yahoo”, and then Yahoo
> says “this is Z”. So it’s still a cycle of trust.
>
> On 1/12/09 9:55 PM, "Ben Schwarz" <ben.schwarz at gmail.com> wrote:
>
> How can that serve as authentication?
> I've requested the user to log in as x and I get a z in return? I
> have no way of telling that the user is indeed who they said they
> were.
>
> Thus rendering the service unusable.
>
> I'm rather surprised that this is considered part of the  
> specification.
>
>
>
>
> On 13/01/2009, at 4:48 PM, Andrew Arnott wrote:
>
> That's the tricky bit.  See, even though you as the RP send a  
> claimed identifier with a URL that is readable, once Yahoo!  
> identifies which user is logged in to itself, it can negotiate with  
> that user (or look up a previous setting) what claimed id to  
> actually send back to the RP, and it may be different, in fact a  
> hashed-looking URL as you're seeing.
>
> When I first saw this behavior I thought it was a bug too.  But a  
> careful reading of the OpenID 2.0 spec seems to not forbid OPs from  
> changing the claimed id that the RP initiated the request with.
>
>
> Although if an OP changes the claimed id when the claimed id and the  
> local_id are different, then that OP just broke OpenID delegation,  
> which I consider a bug.
>
> --
> Andrew Arnott
>  "I [may] not agree with what you have to say, but I'll defend to  
> the death your right to say it." - Voltaire
>
>
> On Mon, Jan 12, 2009 at 9:25 PM, Ben Schwarz <ben.schwarz at gmail.com>  
> wrote:
>
> Thanks for the quick and detailed reply Andrew.
>
> However, I am requesting auth using the Flickr address, which is a  
> direct link to the identity of said user, Yahoo is indeed returning  
> a different URL.
>
>
>
> On 13/01/2009, at 4:22 PM, Andrew Arnott wrote:
>
> Yahoo! is leveraging something called directed identity.  It's legal
> per the spec.  It's actually optional per-user, but Yahoo offers
> this as a default specifically to prevent sites from knowing who
> their users are without the users specifically telling them.
>
> The only thing you can know when an OpenID user from Yahoo logs in  
> using that hashed claimed id, is that they are the same person who  
> logged in last time with that hashed URL.  No way to know who is  
> behind the hash though.
>
>
>  --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
>
>
> On Mon, Jan 12, 2009 at 9:17 PM, Ben Schwarz <ben.schwarz at gmail.com>  
> wrote:
>
> Hi All,
>
>  I'm looking to implement Flickr OpenID with Yahoo; unless I've
> incorrectly understood the specification, I believe they've
> implemented it incorrectly / poorly.
>
>  I make a request to auth with http://flickr.com/photos/benschwarz,
> which goes to Yahoo; it allows me to auth successfully.
>  The identity URL returned by default, however, is something like http://me.yahoo.com/some-hashed-url
>
>  Without the correct identity URL being returned, I have no way of
> knowing that my users are who they say they are.
>
>  Have I missed a detail in using OpenID or have Yahoo implemented  
> poorly?
>
>
>  Cheers,
>
>
>  Ben
>  _______________________________________________
>  general mailing list
>  general at openid.net
>  http://openid.net/mailman/listinfo/general

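The check a relying party needs to answer Ben's question, as an added Python example that is not code from the thread, from Yahoo or from any OpenID library: OpenID 2.0 section 11.2 has the RP re-run discovery on the claimed identifier the OP actually returned and confirm that this OP is authoritative for it, so the RP learns "this user is Z" and it is the RP's own job to notice that Z is not X. The discovery documents and the two responses are constructed to mirror the thread (the Flickr page is assumed to carry only the provider link quoted above, and the response signature is assumed to have been verified already).

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag

YAHOO_OP = "https://open.login.yahooapis.com/openid/op/auth"
# Constructed discovery documents modelled on the <link> tag quoted in the thread (a real RP
# would fetch the claimed identifier over HTTP); the stray space in the first href is deliberate.
PAGES = {
    "http://flickr.com/photos/lukesheppard":
        f'<html><head><link rel="openid2.provider" href="{YAHOO_OP} " /></head></html>',
    "http://me.yahoo.com/some-hashed-url":
        f'<html><head><link rel="openid2.provider" href="{YAHOO_OP}" /></head></html>',
}

class _LinkRels(HTMLParser):
    """Collect rel -> href from <link> tags (HTML-based discovery, OpenID 2.0 sec. 7.3.3)."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.rels[rel] = (a.get("href") or "").strip()

def discover(claimed_id):
    """Return (op_endpoint, op_local_id); without openid2.local_id the local id is the claimed id."""
    p = _LinkRels()
    p.feed(PAGES.get(claimed_id, ""))
    return p.rels.get("openid2.provider"), p.rels.get("openid2.local_id", claimed_id)

def verify_identifier(response):
    """OpenID 2.0 sec. 11.2: re-run discovery on the claimed_id the OP returned and check that
    this OP is authoritative for it. Returns the verified identifier or None. Assumes the
    signature (sec. 11.4) was already checked, so these fields are the OP's own assertion."""
    claimed = urldefrag(response["openid.claimed_id"])[0]
    op_endpoint, local_id = discover(claimed)
    if op_endpoint is None or op_endpoint != response["openid.op_endpoint"]:
        return None
    return claimed if local_id == response["openid.identity"] else None

def demo(requested="http://flickr.com/photos/lukesheppard"):
    """Yahoo's real answer versus a response that keeps the Flickr URL but carries another user's local id."""
    hashed = "http://me.yahoo.com/some-hashed-url"
    honest = {"openid.claimed_id": hashed, "openid.identity": hashed, "openid.op_endpoint": YAHOO_OP}
    tampered = {"openid.claimed_id": requested, "openid.identity": hashed, "openid.op_endpoint": YAHOO_OP}
    verified = verify_identifier(honest)
    # Whether the verified identifier is the one the user typed is the RP's decision, not the OP's.
    return verified, verified == requested, verify_identifier(tampered)
```

`demo()` returns the verified hashed identifier, `False` for "is this lukesheppard?", and `None` for the response that pairs Luke's URL with someone else's OP-local identifier.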