[OpenID] Flickr / Yahoo OpenID implementation
Martin Atkins
mart at degeneration.co.uk
Tue Jan 13 07:20:43 UTC 2009
Ben Schwarz wrote:
> Hi All,
>
> I'm looking to implement Flickr OpenID with Yahoo, unless I've
> incorrectly understood the specification; I believe they've implemented
> incorrectly / poorly.
>
> I make a request to auth with http://flickr.com/photos/benschwarz, which
> goes to yahoo; it allows me to auth successfully.
> The identity url returned by default, however, is something like
> http://me.yahoo.com/some-hashed-url
>
> Without the correct identity url being returned, I have no way of
> knowing that my users are who they say they are.
>
> Have I missed a detail in using OpenID or have Yahoo implemented poorly?
>
What's going on here is that Yahoo! is disregarding the question and
treating everything as directed identity. Directed identity asks the
question "who is this user?" rather than "Is this user <x>?".

This is valid to the letter of the spec if you read it in a particular
way, but it's certainly not true to the spirit of the spec.

What this means in practice is that what the user enters must be
completely disregarded once you get the positive assertion. Use the
identifier in the positive assertion as the identifier for the user.

Hopefully this will be clarified in the next version of the OpenID
Authentication specification.
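
Added example (not part of the original message, and not Yahoo!'s or any library's code): a relying party keying the account on the asserted identifier instead of the entered URL, and running discovery on that identifier when it differs from the one requested, as OpenID Authentication 2.0 section 11.2 requires. The `discover` callable, the OP endpoint URL and all function names are assumptions; signature and nonce verification are assumed to be done by the caller.

```python
class AssertionRejected(Exception):
    pass

def account_identifier(entered, response, discover):
    """Pick the identifier to key the local account on.

    entered:  the URL the user typed (what the RP asked about).
    response: openid.* fields of a positive assertion whose signature and
              nonce the caller has already verified (assumed here).
    discover: hypothetical callable(url) -> set of OP endpoint URLs.
    """
    if response.get("openid.mode") != "id_res":
        raise AssertionRejected("not a positive assertion")
    asserted = response.get("openid.claimed_id")
    endpoint = response.get("openid.op_endpoint")
    if not asserted or not endpoint:
        raise AssertionRejected("missing claimed_id or op_endpoint")
    if asserted != entered:
        # The OP answered "who is this user?"; the RP never ran discovery on
        # this identifier, so do it now (fragment excluded, section 11.2).
        if endpoint not in discover(asserted.split("#", 1)[0]):
            raise AssertionRejected("OP not authoritative for " + asserted)
    return asserted  # never `entered`

# Constructed sample data: both identifiers are the ones quoted in the
# thread; the OP endpoint is a placeholder.
OP = "https://op.example/openid"
DISCOVERY = {"http://me.yahoo.com/some-hashed-url": {OP}}

def fake_discover(url):
    return DISCOVERY.get(url, set())

def demo():
    response = {
        "openid.mode": "id_res",
        "openid.claimed_id": "http://me.yahoo.com/some-hashed-url",
        "openid.op_endpoint": OP,
    }
    return account_identifier("http://flickr.com/photos/benschwarz",
                              response, fake_discover)

if __name__ == "__main__":
    print(demo())
```

Without the discovery step, any OP the user can be sent to could assert an identifier it does not control.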