[OpenID] email address retrieval

SitG Admin sysadmin at shadowsinthegarden.com
Mon Jul 6 21:23:55 UTC 2009 

>Am I right in thinking that an OpenID-enabled site cannot retrieve a 
>user's email address? But that it can use their email address to 
>send notifications?

You can use Simple Registration (SREG) or Attribute Exchange (AX) to 
request the user's E-mail address, but whether you *trust* what the 
OP sends you (remember: OP's can be user-run) is an entirely 
different matter.

Large-scale RP's may be trying to identify OP's that *they* can trust 
to verify E-mail addresses, so they don't have to handle verification 
themselves (potentially an extra task for the user, though we've also 
discussed such solutions as autoresponders), but REQUIRING users to 
have an E-mail address (and supply it to the RP) annoyed several of 
us when proposed - leading to declarations that we would just create 
temporary (disposable) addresses (possibly as an automated process, 
through our OP).

There is much, MUCH more on this to be found in the mailing list 
archives. If you can, please be more specific about how you hope to 
use E-mail addresses, and generally what you expect to be different 
(about the operation of your site, and/or the user's interaction with 
it) if you have that information versus if you do not.

>So in the settings it would say something like "email address: 
>contact via OpenID" but would not be able to actually state the 
>email address?

Are you thinking that, to contact a user via E-mail, you would have 
to contact their OP (perhaps through OAuth) and request that the OP 
send that user a message on your behalf?

What if I don't want the *OP* to know my E-mail address, but I'm fine 
with *you* knowing it?

I can use SREG/AX to autofill *some* of my information from the OP, 
but if that isn't enough, you can then ask me to fill out the rest of 
it manually, and I can supply that information on my own.

Even if that information is *required*, you still shouldn't rely on 
the OP to either send a user back with all information or send a user 
back with "Sorry, we'll just have to call this whole deal off."; 
imagine that you're bringing cash to a club that requires a high 
entrance fee. Outside, you meet a shady-looking fella who offers to 
"escort" you past the doorman, but you'd better not even bother going 
near the door unless you can hand him enough greenbacks to "bribe" 
the doorman with, 'cause the doorman will throw you BOTH out if 
that's the case. You feel kinda nervous about showin' this fella your 
wallet - what if he turned out to be a thief who wanted to rob you? 
Besides, isn't the size of your wallet a private matter between you 
and the *doorman*? Why can't you just walk in on your own confidence 
and risk getting thrown out *yourself* if it turns out you can't 
afford their fee? That shady-looking fella is the OP that tells users 
"E-mail addresses are *required* by this RP, so hand it over TO ME 
and I, in turn, will hand it over to *them." - it's the user's right 
to establish a trust relationship with *you*, directly, cutting out 
the OP middleman to keep that OP from gaining too much power and 
getting greedy.

Whether you actually state the E-mail address (in a way that it's 
visible to the user) is up to you. Or, if you want to make it 
configurable, up to the user :)

-Shade

More information about the general mailing list