[OpenID] Directed Identity vs. "what the user typed"

Andrew Arnott andrewarnott at gmail.com
Tue Mar 24 05:10:25 UTC 2009 

The user part is never sent to the OP, regardless of the RP's
implementation.  Discovery is performed with an HTTP GET on either
user at domain.com or domain.com.  Discovery results in the OP endpoint URI and
an identifier_select claimed identifier.  The RP then redirects the user,
not to domain.com, but to the OP endpoint, which could be anywhere, and
certainly does NOT include the user@ portion because the redirect is
determined by the OP's advertised OP endpoint via their XRDS document.
So the OP never sees user1@ or user2 at .  The RP has no way to correlate
user1@ to a user account or a claimed identifier on the OP, and the RP never
sees user2@ because the claimed identifier is not in the form of an email
address. :)

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Mon, Mar 23, 2009 at 6:26 PM, John Panzer <jpanzer at acm.org> wrote:

> On Mon, Mar 23, 2009 at 11:06 AM, SitG Admin
> <sysadmin at shadowsinthegarden.com> wrote:
> >> Of course, a user can also enter some other email address in the same
> >> domain and have it quietly switch on him when he logs in.
>
> Stupid question:  Seems to me that the OP can deal with this, assuming
> that it does get the "user" part of the "user at domain.com" URL.
> According to the HTTP spec, it should, and at least JSP frameworks
> were able to pick up on this last time I checked.  (It's equivalent to
> HTTP Basic auth, but without sending a password, which gives you an
> empty password.)  This could be used for pre-filling forms, or for
> selecting the "right" identity from a set already pre-authenticated at
> the OP, or just for warning the user "you said X, about to change that
> to Y, click OK to continue".
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090323/b354719f/attachment-0002.htm>

More information about the general mailing list