[OpenID] Flickr / Yahoo OpenID implementation

Ben Schwarz ben.schwarz at gmail.com
Tue Jan 13 07:16:50 UTC 2009


So without my users specifically saying:

	Hi, I'm http://flickr.com/photos/benschwarz

	No really, I'm http://flickr.com/photos/benschwarz

I cannot confirm that they own the Flickr account that they originally  
ID'd with.
While this might be an edge case as far as OpenID goes, I believe it  
to be highly problematic and somewhat of a barrier for further OpenID  
implementations.

--


On 13/01/2009, at 5:17 PM, Peter Williams wrote:

> Let’s say you logged some user in normally, to your webapp’s local  
> account A. Then you invite the user of A to nominate an OP  
> (by name), and your site invokes the procedure you dispute. When you  
> get an openid by return, asserted by the OP, locally bind the user  
> account A to that openid P. Let the user now logout of A, locally.
>
> Should some user now use your app’s openid login form citing the OP  
> name, rather than engage with your local login form’s uid/password  
> fields, the OP’s assertion will cite the same persistent pseudonym  
> as last time. Upon receipt, you may then deduce that the local  
> account is A, and provide a local session for A.
>
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]  
> On Behalf Of Ben Schwarz
> Sent: Monday, January 12, 2009 9:56 PM
> To: general at openid.net
> Subject: Re: [OpenID] Flickr / Yahoo OpenID implementation
>
> How can that serve as authentication?
> I've requested the user to login as x and I get a z in return? I  
> have no way of telling that the user is indeed who they said they  
> were.
>
> Thus rendering the service unusable.
>
> I'm rather surprised that this is considered part of the  
> specification.
>
>
>
>
> On 13/01/2009, at 4:48 PM, Andrew Arnott wrote:
>
>
> That's the tricky bit.  See, even though you as the RP send a  
> claimed identifier with a URL that is readable, once Yahoo!  
> identifies which user is logged in to itself, it can negotiate with  
> that user (or look up a previous setting) what claimed id to  
> actually send back to the RP, and it may be different, in fact a  
> hashed-looking URL as you're seeing.
>
> When I first saw this behavior I thought it was a bug too.  But a  
> careful reading of the OpenID 2.0 spec seems to not forbid OPs from  
> changing the claimed id that the RP initiated the request with.
>
> Although if an OP changes the claimed id when the claimed id and the  
> local_id are different, then that OP just broke OpenID delegation,  
> which I consider a bug.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
>
> On Mon, Jan 12, 2009 at 9:25 PM, Ben Schwarz <ben.schwarz at gmail.com>  
> wrote:
> Thanks for the quick and detailed reply Andrew.
>
> However, I am requesting auth using the Flickr address, which is a  
> direct link to the identity of said user, Yahoo is indeed returning  
> a different URL.
>
>
> On 13/01/2009, at 4:22 PM, Andrew Arnott wrote:
>
>
> Yahoo! is leveraging something called directed identity.  It's legal  
> per the spec.  It's actually optional per-user, but Yahoo offers  
> this as a default specifically to prevent sites from knowing who  
> their users are without the users specifically telling them.
>
> The only thing you can know when an OpenID user from Yahoo logs in  
> using that hashed claimed id, is that they are the same person who  
> logged in last time with that hashed URL.  No way to know who is  
> behind the hash though.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
>
> On Mon, Jan 12, 2009 at 9:17 PM, Ben Schwarz <ben.schwarz at gmail.com>  
> wrote:
> Hi All,
>
> I'm looking to implement Flickr OpenID with Yahoo, unless I've  
> incorrectly understood the specification; I believe they've  
> implemented incorrectly / poorly.
>
> I make a request to auth with http://flickr.com/photos/benschwarz,  
> which goes to yahoo; it allows me to auth successfully.
> The identity url returned by default, however is something like http://me.yahoo.com/some-hashed-url
>
> Without the correct identity url being returned, I have no way of  
> knowing that my users are who they say they are.
>
> Have I missed a detail in using OpenID or have Yahoo implemented  
> poorly?
>
>
> Cheers,
>
>
> Ben
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>

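Peter Williams' binding procedure, written out as an added example for readers of the archive (it is not code from anyone in this thread). Names are hypothetical, the sample identifiers are constructed, and it assumes the RP's OpenID library has already verified the OP's signature on the assertion, so `asserted_id` is the identifier the OP actually signed:

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample values: the identifier the user typed into the RP's login
# form, and the opaque pseudonym the OP signs instead under directed identity.
REQUESTED_ID = "http://flickr.com/photos/benschwarz"
ASSERTED_PSEUDONYM = "http://me.yahoo.com/a1b2c3d4-example-pseudonym"


def naive_check(requested_id: str, asserted_id: str) -> bool:
    """The comparison the thread shows failing: insisting that the OP assert
    exactly the identifier the RP started the request with."""
    return requested_id == asserted_id


@dataclass
class RelyingParty:
    # local account -> identifiers the OP has asserted for it (verified assertions only)
    bindings: dict[str, set[str]] = field(default_factory=dict)

    def _index(self) -> dict[str, str]:
        """Reverse map: asserted identifier -> local account."""
        return {cid: acct for acct, cids in self.bindings.items() for cid in cids}

    def bind(self, local_account: str, asserted_id: str) -> None:
        """Link an already-authenticated local account to the identifier the OP
        actually asserted (not the one requested). The pseudonym is stable per
        user and RP, so a second account claiming it is treated as an error."""
        owner = self._index().get(asserted_id)
        if owner is not None and owner != local_account:
            raise ValueError("asserted identifier already bound to another account")
        self.bindings.setdefault(local_account, set()).add(asserted_id)

    def resolve(self, asserted_id: str) -> str | None:
        """On a later OpenID login, recover the local account from the asserted
        identifier alone; None means no local account has been linked yet."""
        return self._index().get(asserted_id)
```

The RP never learns which Flickr user is behind the pseudonym; it only learns that the same pseudonym came back, which is exactly what the thread says directed identity guarantees.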