[OpenID] Flickr / Yahoo OpenID implementation

Andrew Arnott andrewarnott at gmail.com
Tue Jan 13 06:36:12 UTC 2009


Well, it's not that the original request URI sent to the OP doesn't matter
at all -- it's just not entirely reliable.  The OP can use it either as a
mandatory "the user must fulfill X or fail" or it can just take it as a
suggestion.  If a user at an OP controls X, Y, and Z, then an incoming
request from an RP might ask for Y, and the OP can use that as a hint to
send an assertion for Y.
Another useful application of an OP just using it as a suggestion is what
live-int.com (MSFT's Live ID OpenID test OP) does to normalize identifiers.
Since identifiers are case sensitive (do you hear that
<http://blog.nerdbank.net/2008/07/case-for-case-sensitive-openid-url.html>,
RPs?!), if the user types in a user-supplied identifier to an RP that needs
to be normalized to proper case, http->https, etc., the OP can choose to
send an assertion for the normalized identifier instead of (or in addition
to) using redirects to normalize.  If I try to log in as
live-int.com/AARNOTT, for example, rather than redirect to
live-int.com/aarnott, which might give away that it is a valid account to a
scraper, live-int.com doesn't use redirects. It just waits for an RP to
request auth for live-int.com/AARNOTT, and then the OP authenticates me, and
sends an assertion for live-int.com/aarnott instead.  That way the RP sees
me as the same person with each return visit, whether I type in aarnott,
AARNOTT, Aarnott, or just live-int.com.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Mon, Jan 12, 2009 at 10:24 PM, Lachlan Hardy <lachlan.hardy at gmail.com> wrote:

>
> For instance, a user might try to log in as X.  The OP might decide "you're
>> not X, but you can log in as Y if you want".  The user can say "sure", and
>> then the OP sends an assertion for Y.  That's legal (per my reading of the
>> spec), and the RP would be wrong to assume that since it asked for X and got
>> Y that that was "good enough".
>>
>
> Which is precisely Ben's point. That's what Yahoo! does.
>
> I give Ben's RP 'my' URL as http://flickr.com/photos/billgates and it
> sends me off to Yahoo!
> Yahoo! say, well, you're not Bill Gates but you can log in as Lachlan
> Hardy, so I do.
> Then Yahoo! sends off a successful response to Ben with one of the OpenID
> URLs I have with them.
>
> That's what happens right, Ben?
>
> I'm guessing this really is according to spec, but I'm struggling with the
> sense of it. What it really means is that the URL provided by the RP to the
> OP is irrelevant. It might as well not exist. (Is that how those 'login with
> Yahoo! buttons work?)
>
> It kind of solves all those issues folks have with "but my users won't
> remember their identity URL", but seems to cut out what I consider a major
> part of the functionality of OpenID.
>
> When I validate a user's identity URL, I *often* want to know that it *is*
> their specific URL.
>
> What's the reasoning for this and is there a workaround?
>
> Lachlan Hardy
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
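The RP-side consequence of the exchange above, as an added example that is not from this thread or from any of the implementations mentioned: the RP verifies a positive assertion against the identifier the OP actually asserted (fresh discovery must list that OP as authorized for it, per OpenID 2.0 section 11.2), keys the account on the asserted identifier rather than the typed one, and applies its own policy to substitutions. The discovery table and endpoint URLs are constructed stand-ins for real Yadis/HTML discovery.

```python
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for OpenID discovery: claimed identifier -> OP endpoints
# authorized to assert it. A real RP fetches this; the endpoint URLs are hypothetical.
DISCOVERY = {
    "http://live-int.com/aarnott": {"https://live-int.example/op"},
    "http://flickr.com/photos/billgates": {"https://yahoo.example/op"},
    "https://me.yahoo.example/lachlan": {"https://yahoo.example/op"},
}

def normalize(identifier: str) -> str:
    """Normalize a user-supplied URL identifier per OpenID 2.0 section 7.2:
    default to http, lowercase scheme and host only (the path stays case
    sensitive, so /AARNOTT and /aarnott remain distinct), drop the fragment."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))

def discover(identifier: str) -> Set[str]:
    """Lookup in the constructed table above (stands in for network discovery)."""
    return DISCOVERY.get(identifier, set())

@dataclass
class Verified:
    identifier: str    # the identifier the RP should key the account on
    substituted: bool  # True when the OP asserted something other than what was requested

def verify_assertion(requested: str, claimed_id: str, op_endpoint: str,
                     require_exact: bool = False) -> Optional[Verified]:
    """Decide whether the RP may accept a positive assertion.

    The check that matters runs against the *asserted* identifier, never the
    one the user typed: discovery on claimed_id must list op_endpoint as
    authorized, otherwise any OP could assert any identifier. Whether a
    substituted identifier is acceptable at all is RP policy (require_exact)."""
    req = normalize(requested)
    asserted = normalize(claimed_id)
    if op_endpoint not in discover(asserted):
        return None  # OP is not authorized for the identifier it asserted
    substituted = asserted != req
    if substituted and require_exact:
        return None  # RP insisted on the exact URL the user claimed
    return Verified(asserted, substituted)
```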