[OpenID] Flickr / Yahoo OpenID implementation
Peter Watkins
peterw at tux.org
Tue Jan 13 19:41:01 UTC 2009
On Tue, Jan 13, 2009 at 05:24:12PM +1100, Lachlan Hardy wrote:
> I give Ben's RP 'my' URL as http://flickr.com/photos/billgates and it sends
> me off to Yahoo!
> Yahoo! say, well, you're not Bill Gates but you can log in as Lachlan Hardy,
> so I do.
> Then Yahoo! sends off a successful response to Ben with one of the OpenID
> URLs I have with them.
> I'm guessing this really is according to spec, but I'm struggling with the
> sense of it. What it really means is that the URL provided by the RP to the
> OP is irrelevant. It might as well not exist. (Is that how those 'login with
> Yahoo! buttons work?)
> What's the reasoning for this and is there a workaround?
The workaround, for Yahoo! as an OP, is to
1) choose a specific Yahoo identifier (when you log in, Yahoo! will
let you see your current set of ID choices, and create new ones)
2) embed that identifier in the HTML page at the claimed URL as
described in
http://openid.net/specs/openid-authentication-2_0.html#anchor50
If Yahoo sends an RP a positive assertion for a "local ID" (ugly
me.yahoo.com directed identity URL) that matches the local_id that
was embedded in the HTML page at the nice URL you entered, then
you've proved your identity of the nice URL without having to run
an OP on that domain name. Get tired of Yahoo? Get a new OP and put
the local ID they use for you on your web site. This is a very good,
pro-user feature of OpenID -- as long as you control the web page
whose URL you claim, you can switch providers at will.
Yahoo! is very nice in that it will allow you to use the same hashed
identifier URL when you want. So you can pick one Yahoo! hashed URL to
use for your "public" identifier, and N other hashed URLs that you can
use as "nyms" such that you only need your Yahoo! login account but RPs
cannot easily** associate any of the N other "nym" identifiers with
your one "public" identifier (nor any of your other Yahoo nym ids).
Google I don't understand. It will give the same URL to any given RP, but
it will NOT agree to send the same URL to different RPs. So if flickr.com
and yahoo.com had different login realm/return_to addresses, you couldn't
easily use your Google account to log in to both and have Yahoo/Flickr
know that you were the same person.
Google will send the user's email address, without the user's approval,
to Flickr and Yahoo, but 1) that's not an OpenID and 2) emails are
recycled, unlike fragmented OpenID URLs. At first glance, Google seems to
be aiming for privacy when they refuse to send the same local_id to
different RPs. But it can't be for privacy, since forking over users'
real email addresses without approval is much worse than sending the
same opaque hashed ID to different web sites.
BTW, it would be really nice if Yahoo would let users assign nicknames/aliases
to their OpenID URLs ("main public ID", "ID set up for foo blog", "ID set
up for whistleblower.com", etc.) since the URLs themselves are not
really readable.
-Peter
** The usual 'nym' caveats apply -- e.g., use different OpenID URLs but pass
the same 3rd party tracking cookies and your identities can be linked.
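The delegation check described in the reply (the RP discovers the OP endpoint and local_id from the HTML at the claimed URL, then only accepts a positive assertion whose openid.identity matches that local_id and whose openid.op_endpoint matches the delegated provider) is shown below as an added Python example. It is not code from this thread or from any OpenID library; the claimed URL, OP endpoint, local_id values and assertion parameters are constructed placeholders, and the signature check that a real RP also performs is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag

# Constructed sample: the HTML served at the "nice" claimed URL.
# Every URL here is a placeholder, not a real OP or identifier.
CLAIMED_ID = "http://example.com/lachlan"
OP_ENDPOINT = "https://op.example.net/openid/endpoint"
PUBLIC_LOCAL_ID = "https://me.example.net/a/LOCAL-ID-PLACEHOLDER"
OTHER_LOCAL_ID = "https://me.example.net/a/SOME-OTHER-NYM"

SAMPLE_HTML = f"""<html><head>
<link rel="openid2.provider" href="{OP_ENDPOINT}">
<link rel="openid2.local_id" href="{PUBLIC_LOCAL_ID}">
<link rel="stylesheet" href="/style.css">
</head><body>Lachlan's page</body></html>"""

OPENID_RELS = ("openid2.provider", "openid2.local_id")


class _LinkCollector(HTMLParser):
    """Collect the first <link> href for each OpenID 2.0 rel token."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: v for k, v in attrs if v is not None}
        href = a.get("href")
        if not href:
            return
        # rel is a space-separated list; the first matching <link> wins.
        for token in a.get("rel", "").lower().split():
            if token in OPENID_RELS:
                self.links.setdefault(token, href)


def discover_html(claimed_id, html):
    """HTML-based discovery (OpenID 2.0 section 7.3.3): return the OP
    endpoint and OP-Local Identifier published at the claimed URL, or
    None if the page carries no openid2.provider link. Without a
    local_id link the claimed identifier itself is the local id."""
    parser = _LinkCollector()
    parser.feed(html)
    endpoint = parser.links.get("openid2.provider")
    if endpoint is None:
        return None
    return {
        "claimed_id": claimed_id,
        "op_endpoint": endpoint,
        "local_id": parser.links.get("openid2.local_id", claimed_id),
    }


def verify_discovered_information(claimed_id, discovered, assertion):
    """Compare a positive assertion with the discovery results (section
    11.2). Returns a list of mismatches; an empty list means the OP the
    page delegates to asserted exactly the local_id the page embeds.
    Checking the assertion's signature is a separate step not shown."""
    problems = []
    if assertion.get("openid.mode") != "id_res":
        problems.append("not a positive assertion")
    # The OP may append a fragment to claimed_id; it is ignored here.
    asserted_claimed, _ = urldefrag(assertion.get("openid.claimed_id", ""))
    if asserted_claimed != claimed_id:
        problems.append("claimed_id differs from the identifier the user entered")
    if assertion.get("openid.op_endpoint") != discovered["op_endpoint"]:
        problems.append("assertion came from an OP the claimed URL does not delegate to")
    if assertion.get("openid.identity") != discovered["local_id"]:
        problems.append("OP asserted a different local_id than the one embedded at the claimed URL")
    return problems


# Constructed assertions: one for the embedded local_id, one where the OP
# let the user log in but signed a different (nym) identifier instead.
GOOD_ASSERTION = {
    "openid.mode": "id_res",
    "openid.op_endpoint": OP_ENDPOINT,
    "openid.claimed_id": CLAIMED_ID + "#frag",
    "openid.identity": PUBLIC_LOCAL_ID,
}
NYM_ASSERTION = dict(GOOD_ASSERTION, **{"openid.identity": OTHER_LOCAL_ID})

if __name__ == "__main__":
    info = discover_html(CLAIMED_ID, SAMPLE_HTML)
    print(info)
    print(verify_discovered_information(CLAIMED_ID, info, GOOD_ASSERTION))
    print(verify_discovered_information(CLAIMED_ID, info, NYM_ASSERTION))
```

The second call is the situation from the original question: the user authenticated at the OP, but the OP asserted one of their other identifiers, so the RP must refuse to treat it as a login for the nice URL even though the assertion is otherwise well formed.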