[OpenID] Delegation leading to new accounts on websites

John Bradley john.bradley at wingaa.com
Sat Jul 11 04:09:30 UTC 2009


Using the OP Local ID as the claimed_id would be broken.

I just had a quick look at Userstyles.org; they have broken Ruby code in their RP.

The good news is that they have a flaw that will let the user log back in with his original claimed_id.

The bad news is that anyone else can as well.

They have bigger problems than delegation; they should update to the latest version of the Ruby library.
I didn't check the other RP.

It would be a good idea for those RPs to check themselves against the  
OSIS tests.

John B.
On 10-Jul-09, at 10:35 PM, general-request at openid.net wrote:

> Date: Fri, 10 Jul 2009 17:12:40 -0700
> From: John Panzer <jpanzer at acm.org>
> Subject: Re: [OpenID] Delegation leading to new accounts on websites
> Cc: general at openid.net
>
> Just to double check, it sounds like Get Satisfaction and Userstyles.org are
> not spec-compliant if they are picking up the OP-relative local_id and using
> it as the user's claimed_id.  Right?
>
> On Sun, Jun 21, 2009 at 3:21 PM, Tom Edwards <t_edwards at btinternet.com> wrote:
>
>> My personal OpenID server broke a while back, and I've decided this evening
>> to start delegating in order to continue using my personal URL
>> (<http://steamreview.org>). This is the code now in my page header:
>>
>>> <link rel="openid.delegate openid2.local_id" href="http://www.flickr.com/photos/varsity/" />
>>> <link rel="openid.server openid2.provider" href="https://open.login.yahooapis.com/openid/op/auth" />
>>>
>> But when I log in to the sites I used my openid on before it broke (I've
>> tried Get Satisfaction and Userstyles.org so far), they don't recognise me
>> as a pre-existing user. They think I'm www.flickr.com/photos/varsity/,
>> whereas I actually still want to be steamreview.org.
>>
>> Is this intended behaviour? I thought the point of delegation was  
>> to allow
>> people to switch providers without changing consumer-facing identity.
>>
>> ____________________________________
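
The identifier handling discussed in this thread, as an added example that is not part of any message and is not the Ruby OpenID library's code: an RP runs discovery on the claimed_id, checks that the asserted OP endpoint and OP-local id match what was discovered, and keys the account on the claimed_id. The method names, the `FETCH` stand-in for an HTTP fetch and the assertion values are constructed for illustration; signature and nonce verification are assumed to have already passed.

```ruby
# Header markup as quoted in the thread, served at the user's own URL.
PAGE = <<~HTML
  <link rel="openid.delegate openid2.local_id" href="http://www.flickr.com/photos/varsity/" />
  <link rel="openid.server openid2.provider" href="https://open.login.yahooapis.com/openid/op/auth" />
HTML

# HTML-based discovery: map each rel token of every <link> to its href.
def discover(html)
  rels = {}
  html.scan(/<link\b[^>]*>/i) do |tag|
    rel  = tag[/\brel="([^"]*)"/i, 1]
    href = tag[/\bhref="([^"]*)"/i, 1]
    next unless rel && href
    rel.split.each { |token| rels[token.downcase] = href.strip }
  end
  { endpoint: rels["openid2.provider"], local_id: rels["openid2.local_id"] }
end

# Returns the identifier to key the account on, or nil when the assertion
# does not agree with discovery performed on the claimed_id.
def account_key(assertion, fetch_page)
  claimed = assertion["openid.claimed_id"]
  return nil if claimed.nil?
  found = discover(fetch_page.call(claimed))
  return nil if found[:endpoint].nil?
  # Without delegation markup the OP-local id is the claimed_id itself.
  local = found[:local_id] || claimed
  return nil unless assertion["openid.op_endpoint"] == found[:endpoint]
  return nil unless assertion["openid.identity"] == local
  claimed # never openid.identity: that is only the OP-local id
end

# Constructed sample data (stand-in for fetching the claimed_id over HTTP).
PAGES = { "http://steamreview.org/" => PAGE }
FETCH = ->(url) { PAGES.fetch(url, "") }

GOOD = {
  "openid.claimed_id"  => "http://steamreview.org/",
  "openid.identity"    => "http://www.flickr.com/photos/varsity/",
  "openid.op_endpoint" => "https://open.login.yahooapis.com/openid/op/auth",
}
# Same OP and local id, but a claimed_id whose page does not delegate to them.
MISMATCHED = GOOD.merge("openid.claimed_id" => "http://example.org/someone-else")

puts account_key(GOOD, FETCH).inspect
puts account_key(MISMATCHED, FETCH).inspect
```

An RP that stored `openid.identity` instead would file the delegating user under the Flickr URL, which is the new-account symptom reported at the start of the thread.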



