[OpenID] Flickr / Yahoo OpenID implementation
Andrew Arnott
andrewarnott at gmail.com
Tue Jan 13 06:16:33 UTC 2009
If you start with /lukesheppard at the RP, and the OP sends back
/lukesheppard, then you know. If the OP sends something different back, all
you know is that the user controls something different. You don't know
anything about whether /lukesheppard is also controlled by the same user.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Mon, Jan 12, 2009 at 10:13 PM, Ben Schwarz <ben.schwarz at gmail.com> wrote:
> Except, when I use the Yahoo open ID service, I say:
> Hi, I'm http://flickr.com/photos/lukesheppard
>
> Yahoo asks me to sign in (as myself). I do, and I can choose which OpenID I
> want to respond with (flickr.com/photos/benschwarz or the me.yahoo hashed one)
>
> Yahoo then returns a *successful response*
> How do I as a developer, know that I'm really not lukesheppard?
>
>
> Cheers,
>
> Ben
>
>
>
> On 13/01/2009, at 4:59 PM, Luke Shepard wrote:
>
> If you go to http://flickr.com/photos/benschwarz, you'll see this tag:
>
> <link rel="openid2.provider" href="https://open.login.yahooapis.com/openid/op/auth" />
>
> That basically says "I authorize Yahooapis.com to say who I am". So you
> attempt to login as X, and X says "trust Yahoo", and then Yahoo says "this
> is Z". So it's still a cycle of trust.
>
> On 1/12/09 9:55 PM, "Ben Schwarz" <ben.schwarz at gmail.com> wrote:
>
> How can that serve as authentication?
> I've requested the user to login as x and I get a z in return? I have no
> way of telling that the user is indeed who they said they were.
>
> Thus rendering the service unusable.
>
> I'm rather surprised that this is considered part of the specification.
>
>
>
>
> On 13/01/2009, at 4:48 PM, Andrew Arnott wrote:
>
> That's the tricky bit. See, even though you as the RP send a claimed
> identifier with a URL that is readable, once Yahoo! identifies which user is
> logged in to itself, it can negotiate with that user (or look up a previous
> setting) what claimed id to actually send back to the RP, and it may be
> different, in fact a hashed-looking URL as you're seeing.
>
> When I first saw this behavior I thought it was a bug too. But a careful
> reading of the OpenID 2.0 spec seems to not forbid OPs from changing the
> claimed id that the RP initiated the request with.
>
>
> Although if an OP changes the claimed id when the claimed id and the
> local_id are different, then that OP just broke OpenID delegation, which I
> consider a bug.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>
> On Mon, Jan 12, 2009 at 9:25 PM, Ben Schwarz <ben.schwarz at gmail.com>
> wrote:
>
>
> Thanks for the quick and detailed reply Andrew.
>
> However, I am requesting auth using the Flickr address, which is a direct
> link to the identity of said user; Yahoo is indeed returning a *different* URL.
>
>
>
> On 13/01/2009, at 4:22 PM, Andrew Arnott wrote:
>
> Yahoo! is leveraging something called directed identity. It's legal per the
> spec. It's actually optional per-user, but Yahoo offers this as a default
> specifically to prevent sites from knowing who their users are without the
> users specifically telling them.
>
> The only thing you can know when an OpenID user from Yahoo logs in using
> that hashed claimed id is that they are the same person who logged in last
> time with that hashed URL. No way to know who is behind the hash though.
>
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>
> On Mon, Jan 12, 2009 at 9:17 PM, Ben Schwarz <ben.schwarz at gmail.com>
> wrote:
>
>
> Hi All,
>
> I'm looking to implement Flickr OpenID with Yahoo, unless I've incorrectly
> understood the specification; I believe they've implemented incorrectly /
> poorly.
>
> I make a request to auth with http://flickr.com/photos/benschwarz, which
> goes to yahoo; it allows me to auth successfully.
> The identity URL returned by default, however, is something like
> http://me.yahoo.com/some-hashed-url
>
> Without the correct identity url being returned, I have no way of knowing
> that my users are who they say they are.
>
> Have I missed a detail in using OpenID or have Yahoo implemented poorly?
>
>
> Cheers,
>
>
> Ben
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
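Added example, not code from the thread or from any OpenID library: the check a relying party has to do on the claimed_id that comes back. Andrew's point above is that the RP learns only about the identifier the OP asserts, so the RP re-runs discovery on that asserted identifier (the <link rel="openid2.provider"> tag Luke quotes), confirms it authorizes the OP endpoint that signed the assertion and that openid.identity matches the discovered local id, and then keys the account on the asserted identifier rather than the one the user typed. Assumptions: discovery is served from constructed pages instead of HTTP, only HTML link-tag discovery is modelled (no Yadis/XRDS), the me.yahoo.com path and the blog and rogue-OP URLs are made up, and signature verification is taken to have passed already. The rogue-OP and delegation cases go beyond the thread to show why the discovery step matters.

```python
"""RP-side check of an OpenID 2.0 positive assertion.

Added example, not from the thread or any OpenID library.  It re-runs
discovery on the claimed_id the OP *asserted* (not the one the user typed)
and checks that identifier really authorizes the asserting OP endpoint.
Only HTML <link rel="openid2.*"> discovery is modelled, pages are
constructed below instead of fetched, and signatures are assumed verified.
"""
from html.parser import HTMLParser
from urllib.parse import urldefrag

YAHOO_OP = "https://open.login.yahooapis.com/openid/op/auth"
ROGUE_OP = "https://op.example.invalid/auth"   # hypothetical attacker-run OP

# Constructed stand-ins for the HTML discovery would fetch from each URL.
PAGES = {
    "http://flickr.com/photos/benschwarz":
        '<head><link rel="openid2.provider" href="%s" /></head>' % YAHOO_OP,
    "http://flickr.com/photos/lukesheppard":
        '<head><link rel="openid2.provider" href="%s" /></head>' % YAHOO_OP,
    # the "hashed" directed-identity URL Yahoo hands back (made-up path)
    "http://me.yahoo.com/a1b2c3d4":
        '<head><link rel="openid2.provider" href="%s" /></head>' % YAHOO_OP,
    # a delegating identifier: claimed_id differs from the OP-local id
    "http://blog.example.invalid/":
        '<head><link rel="openid2.provider" href="%s" />'
        '<link rel="openid2.local_id" href="http://me.yahoo.com/a1b2c3d4" />'
        '</head>' % YAHOO_OP,
}


class OpenIDLinks(HTMLParser):
    """Collects the first openid2.provider / openid2.local_id <link> hrefs."""

    def __init__(self):
        super().__init__()
        self.provider = None
        self.local_id = None

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").split()
        if "openid2.provider" in rels and self.provider is None:
            self.provider = a.get("href")
        if "openid2.local_id" in rels and self.local_id is None:
            self.local_id = a.get("href")


def discover(claimed_id):
    """Return (op_endpoint, op_local_id) for claimed_id, or None on failure.

    The OP may append a fragment (identifier recycling); discovery runs on
    the URL without it.  Without openid2.local_id the OP-local identifier
    is the claimed identifier itself.
    """
    url, _ = urldefrag(claimed_id)
    html = PAGES.get(url)
    if html is None:
        return None
    p = OpenIDLinks()
    p.feed(html)
    if p.provider is None:
        return None
    return p.provider, (p.local_id or url)


def verify_assertion(requested_claimed_id, assertion):
    """Decide what a signed positive assertion actually proves.

    Returns (accepted, proven_identifier, note).  Log the user in to the
    account keyed by proven_identifier; when it differs from the identifier
    the user started with, nothing has been proven about the latter.
    """
    asserted = assertion["openid.claimed_id"]
    disc = discover(asserted)
    if disc is None:
        return False, None, "discovery on asserted claimed_id failed"
    op_endpoint, local_id = disc
    if op_endpoint != assertion["openid.op_endpoint"]:
        return False, None, "claimed_id does not authorize this OP endpoint"
    if local_id != assertion["openid.identity"]:
        return False, None, "openid.identity does not match discovered local id"
    if urldefrag(asserted)[0] == urldefrag(requested_claimed_id)[0]:
        return True, asserted, "same identifier the user started with"
    return True, asserted, "directed identity: %s proven, %s not" % (
        asserted, requested_claimed_id)


def make_assertion(claimed_id, identity, op_endpoint):
    """The signed fields of a positive assertion that matter here."""
    return {"openid.claimed_id": claimed_id, "openid.identity": identity,
            "openid.op_endpoint": op_endpoint}


if __name__ == "__main__":
    ben = "http://flickr.com/photos/benschwarz"
    luke = "http://flickr.com/photos/lukesheppard"
    hashed, blog = "http://me.yahoo.com/a1b2c3d4", "http://blog.example.invalid/"
    for requested, a in [
        (ben, make_assertion(ben, ben, YAHOO_OP)),        # same id back
        (luke, make_assertion(hashed, hashed, YAHOO_OP)), # Ben's directed-identity case
        (luke, make_assertion(luke, luke, ROGUE_OP)),     # rogue OP asserting Luke's URL
        (blog, make_assertion(blog, hashed, YAHOO_OP)),   # delegation intact
    ]:
        print(requested, "->", verify_assertion(requested, a))
```

In Ben's case the second call accepts the login, but only for http://me.yahoo.com/a1b2c3d4; the RP has learned nothing about /lukesheppard and must not attach the session to that account. The rogue-OP case is why the discovery step cannot be skipped: without it any OP endpoint could sign an assertion for any URL.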