[OpenID] Flickr / Yahoo OpenID implementation

Eran Hammer-Lahav eran at hueniverse.com
Tue Jan 13 06:40:25 UTC 2009


But that’s not what OpenID is for. It is designed to validate that a Claimed Identifier is under the control of a specific individual. If the same Claimed Identifier is asserted, the RP can match against that and be sure it is the same user. At this point, there are no guarantees that the Claimed Identifier means anything other than a unique (and hopefully un-recycled) identifier. Typically in directed identity, the user does not enter their identifier, just the service they use. When they come back, they have an identifier. That is how the Yahoo! button works.

OpenID is a little/very/completely broken when it comes to its handling of Claimed Identifiers. The level of how broken depends on your use case and threat model. It is also inconsistent in that if you use your blog URL (custom domain name) as an OpenID, but the hosting service you use redirects to another domain (for example, you use http://example.com as your blog, but your service is serving it off http://example.blogservice.com or http://blogservice.com/example), the RP has to use the redirected URL and not the one you entered.

EHL

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Lachlan Hardy
Sent: Monday, January 12, 2009 10:24 PM
To: general at openid.net
Subject: Re: [OpenID] Flickr / Yahoo OpenID implementation


For instance, a user might try to log in as X.  The OP might decide "you're not X, but you can log in as Y if you want".  The user can say "sure", and then the OP sends an assertion for Y.  That's legal (per my reading of the spec), and the RP would be wrong to assume that since it asked for X and got Y that that was "good enough".

Which is precisely Ben's point. That's what Yahoo! does.

I give Ben's RP 'my' URL as http://flickr.com/photos/billgates and it sends me off to Yahoo!
Yahoo! say, well, you're not Bill Gates but you can log in as Lachlan Hardy, so I do.
Then Yahoo! sends off a successful response to Ben with one of the OpenID URLs I have with them.

That's what happens right, Ben?

I'm guessing this really is according to spec, but I'm struggling with the sense of it. What it really means is that the URL provided by the RP to the OP is irrelevant. It might as well not exist. (Is that how those 'login with Yahoo!' buttons work?)

It kind of solves all those issues folks have with "but my users won't remember their identity URL", but seems to cut out what I consider a major part of the functionality of OpenID.

When I validate a user's identity URL, I *often* want to know that it *is* their specific URL.

What's the reasoning for this and is there a workaround?

Lachlan Hardy
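The workaround Lachlan asks about is on the RP side: the RP has to compare the Claimed Identifier in the OP's positive assertion with the one it put in the request, accepting any identifier only when it sent identifier_select (directed identity, the "login with Yahoo!" button case). The following is an added illustration, not code from the thread or from any OpenID library; the function names, the normalization helper and the sample Yahoo identifier URL are constructed for the example, and signature, return_to and nonce verification are assumed to have already passed.

```python
# Added example: RP-side acceptance check for an OpenID 2.0 positive assertion.
# Two cases from the thread:
#   - directed identity: the RP sent identifier_select, so whatever claimed_id
#     the OP asserts *is* the user's identity, to be matched on later visits;
#   - a specific identifier: the OP may legally answer "you're not X, log in
#     as Y", and the RP must notice that Y is not the X it asked about.
from urllib.parse import urlsplit, urlunsplit

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def normalize(identifier: str) -> str:
    """OpenID 2.0 style URL normalization used for comparison: add a scheme
    if missing, lowercase scheme and host, use '/' for an empty path and drop
    the fragment (an OP may append one to mark a recycled identifier, so it
    must not defeat the comparison)."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def accept_assertion(requested_claimed_id: str, asserted_claimed_id: str):
    """Return (accepted, identity) for a positive assertion.

    requested_claimed_id: the openid.claimed_id the RP sent (IDENTIFIER_SELECT
    for directed identity); asserted_claimed_id: openid.claimed_id returned by
    the OP. The identity returned is the asserted value as given, fragment
    included, so recycled identifiers stay distinguishable when stored."""
    asserted = asserted_claimed_id.strip()
    if requested_claimed_id == IDENTIFIER_SELECT:
        # Directed identity: the user typed only an OP, never an identifier.
        return True, asserted
    if normalize(requested_claimed_id) == normalize(asserted):
        return True, asserted
    # The OP asserted a different user than the one the RP asked about;
    # "got an identifier from the same OP" is not good enough.
    return False, asserted


if __name__ == "__main__":
    # Lachlan's scenario: RP asked about billgates, Yahoo! asserted another user.
    print(accept_assertion("http://flickr.com/photos/billgates",
                           "https://me.yahoo.com/lachlan"))  # constructed URL
```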
