[OpenID] Directed Identity vs. "what the user typed"
John Panzer
jpanzer at acm.org
Tue Mar 24 01:26:30 UTC 2009
On Mon, Mar 23, 2009 at 11:06 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> Of course, a user can also enter some other email address in the same
>> domain and have it quietly switch on him when he logs in.
Stupid question: Seems to me that the OP can deal with this, assuming
that it does get the "user" part of the "user@domain.com" URL.
According to the HTTP spec, it should, and at least JSP frameworks
were able to pick up on this last time I checked. (It's equivalent to
HTTP Basic auth, but without sending a password, which gives you an
empty password.) This could be used for pre-filling forms, or for
selecting the "right" identity from a set already pre-authenticated at
the OP, or just for warning the user "you said X, about to change that
to Y, click OK to continue".
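
The three OP-side uses of the user hint listed in the message above (pre-fill, select, warn), as an added example that is not part of the original post. All function names and sample values are hypothetical, and it assumes the hint reaches the OP either as URL userinfo or as a Basic Authorization header with an empty password, as the message describes.

```python
import base64
from urllib.parse import urlsplit


def hint_from_url(url):
    """Return the userinfo 'user' part of a URL like http://user@domain.com/, or None."""
    return urlsplit(url).username


def hint_from_basic_header(value):
    """Return the user from an 'Authorization: Basic ...' value, or None.

    The password half is ignored (expected to be empty): the result is only
    a hint about which identity the user meant, never proof of who they are.
    """
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def decide(hint, authenticated, current):
    """Map a hint to an OP action: (action, identity).

    authenticated: identities already logged in at the OP in this browser.
    current: the identity the OP would assert by default, or None.
    """
    if hint is None or hint == current:
        return ("proceed", current) if current else ("login_form", None)
    if hint in authenticated:
        return ("select", hint)           # pick the "right" identity
    if current:
        return ("confirm_switch", current)  # "you said X, about to change to Y"
    return ("prefill_login", hint)        # pre-fill the login form


if __name__ == "__main__":
    # Constructed sample: user typed carol, OP session belongs to alice.
    typed = hint_from_url("http://carol@example.com/")
    print(decide(typed, {"alice", "bob"}, "alice"))
```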