[OpenID] Flickr / Yahoo OpenID implementation

Lachlan Hardy lachlan.hardy at gmail.com
Tue Jan 13 06:24:12 UTC 2009


> For instance, a user might try to log in as X.  The OP might decide "you're
> not X, but you can log in as Y if you want".  The user can say "sure", and
> then the OP sends an assertion for Y.  That's legal (per my reading of the
> spec), and the RP would be wrong to assume that since it asked for X and got
> Y that that was "good enough".
>

Which is precisely Ben's point. That's what Yahoo! does.

I give Ben's RP 'my' URL as http://flickr.com/photos/billgates and it sends
me off to Yahoo!
Yahoo! say, well, you're not Bill Gates but you can log in as Lachlan Hardy,
so I do.
Then Yahoo! sends off a successful response to Ben with one of the OpenID
URLs I have with them.

That's what happens, right, Ben?

I'm guessing this really is according to spec, but I'm struggling with the
sense of it. What it really means is that the URL provided by the RP to the
OP is irrelevant. It might as well not exist. (Is that how those 'login with
Yahoo!' buttons work?)

It kind of solves all those issues folks have with "but my users won't
remember their identity URL", but seems to cut out what I consider a major
part of the functionality of OpenID.

When I validate a user's identity URL, I *often* want to know that it *is*
their specific URL.

What's the reasoning for this and is there a workaround?

Lachlan Hardy
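
The RP-side handling this exchange implies, as an added example that is not part of the original message or of any OpenID library: the session is keyed on the asserted identifier Y once discovery on Y confirms the OP may speak for it, and an RP that needs the exact URL the user typed can reject a mismatch. The `discover` callable, the example.* URLs and the `require_same_id` flag are assumptions; signature, nonce and return_to checks are assumed to have been done beforehand.

```python
from urllib.parse import urldefrag

class AssertionRejected(Exception):
    """The positive assertion must not be used to log anyone in."""

def accept_assertion(entered_id, response, discover, require_same_id=False):
    """Return the identifier to key the local account on, or raise.

    Assumes the signature, nonce and return_to of `response` were already
    verified. `discover` is a hypothetical callable that performs OpenID
    discovery and returns the set of OP endpoints for an identifier.
    """
    if response.get("openid.mode") != "id_res":
        raise AssertionRejected("not a positive assertion")
    claimed = response.get("openid.claimed_id")
    endpoint = response.get("openid.op_endpoint")
    if not claimed or not endpoint:
        raise AssertionRejected("claimed_id or op_endpoint missing")
    # Discovery runs on the identifier the OP asserted (Y), never on the
    # one the user typed (X): only Y's own document can authorise this OP.
    claimed_url = urldefrag(claimed)[0]
    if endpoint not in discover(claimed_url):
        raise AssertionRejected("OP is not authorised for " + claimed_url)
    # Optional stricter policy for an RP that needs that specific URL.
    if require_same_id and claimed_url != urldefrag(entered_id)[0]:
        raise AssertionRejected("asserted identifier differs from entered one")
    return claimed

# Constructed sample data: X is the typed URL, Y is what the OP asserts.
OP = "https://op.example/endpoint"
X = "http://photos.example/billgates"
Y = "https://op.example/id/lachlan"
DISCOVERY = {X: {OP}, Y: {OP},
             "https://other.example/alice": {"https://other.example/op"}}

def demo_discover(identifier):
    """Stand-in for network discovery, backed by the constructed table."""
    return DISCOVERY.get(identifier, set())

def demo_response(claimed_id):
    """Constructed positive assertion from OP for the given identifier."""
    return {"openid.mode": "id_res", "openid.op_endpoint": OP,
            "openid.claimed_id": claimed_id, "openid.identity": claimed_id}
```

With the default policy the user who typed X is logged in as Y and nothing else; with `require_same_id=True` the same assertion is rejected.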