[OpenID] Directed Identity vs. "what the user typed"
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Mar 23 18:06:42 UTC 2009
>Of course, a user can also enter some other email address in the
>same domain and have it quietly switch on him when he logs in.
One solution, then, would be to loudly complain (RP-side) when this
happens, alerting the user to this switch. Ironically, it was Andrew
who convinced me to let Directed Identity decide, and you who once
said "Certainly I can't think of any advantage you gain by storing
the OP identifier." :)
>This is a specific case of the general problem of "user doesn't
>actually get logged in as what they typed", which is troublesome
>because the user then is left with no idea of what his OpenID
>identifier actually *is*, and is likely to be confused when he's
>identified as something other than what he entered.
"You typed in '=arnott', but your OP claims that your OpenID is
'=!30ds!30df!30df!30df'. Did you want to log in with that Identity
anyway?"
-Shade
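
One way an RP could implement the check suggested in this message, as an added example that is not part of the original post: it compares what the user typed with the claimed identifier the OP returned and produces the confirmation prompt only when the two really differ. The function names, the simplified normalization (no discovery, no redirects followed) and the example.com identifiers are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols plus "(" mark an XRI rather than a URL.
XRI_START = "=@+$!("

def normalize(identifier):
    """Simplified normalization of a user-supplied or claimed identifier.

    Assumption: no discovery is done, so HTTP redirects are not followed.
    """
    s = identifier.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_START:
        return ("xri", s)
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    # Lower-case scheme and host, turn an empty path into "/", drop the fragment.
    return ("url", urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                               parts.path or "/", parts.query, "")))

def switch_prompt(typed, claimed_id):
    """Return None when the OP asserted what the user typed, else a prompt."""
    if normalize(typed) == normalize(claimed_id):
        return None
    return ("You typed in '%s', but your OP claims that your OpenID is '%s'. "
            "Did you want to log in with that Identity anyway?"
            % (typed, claimed_id))

if __name__ == "__main__":
    # Constructed sample logins: (what the user typed, what the OP asserted).
    samples = [
        ("Example.com", "http://example.com/"),           # same identifier
        ("example.com", "http://example.com/users/bob"),  # directed identity
        ("=arnott", "=!30ds!30df!30df!30df"),             # pair from the message
    ]
    for typed, claimed in samples:
        print(switch_prompt(typed, claimed) or "no switch: %s" % claimed)
```

Normalizing both sides first keeps the RP from complaining about differences that are only cosmetic, such as a missing scheme or trailing slash.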