[OpenID] Directed Identity vs. "what the user typed"
John Panzer
jpanzer at acm.org
Tue Mar 24 05:24:31 UTC 2009
On Mon, Mar 23, 2009 at 10:10 PM, Andrew Arnott <andrewarnott at gmail.com> wrote:
> The user part is never sent to the OP, regardless of the RP's
> implementation. Discovery is performed with an HTTP GET on either
> user@domain.com or domain.com.
Not clear on whether OpenID normalization requires stripping the user@
part, but notionally user@domain.com/ is a valid URI and could be used
for discovery.
Discovery results in the OP endpoint URI and
> an identifier_select claimed identifier. The RP then redirects the user,
> not to domain.com, but to the OP endpoint, which could be anywhere, and
> certainly does NOT include the user@ portion because the redirect is
> determined by the OP's advertised OP endpoint via their XRDS document.
The XRDS document could be generated dynamically based on the $USER
variable, thus incorporating the data as an argument to the OP
endpoint. This would of course rule out a static XRDS file.
> So the OP never sees user1@ or user2@. The RP has no way to correlate
> user1@ to a user account or a claimed identifier on the OP, and the RP never
> sees user2@ because the claimed identifier is not in the form of an email
> address. :)
What stops the OP from sending back a URI http://user2@example.org/?
I am not advocating for any of this, just pushing the boundaries a bit.
>
> On Mon, Mar 23, 2009 at 6:26 PM, John Panzer <jpanzer at acm.org> wrote:
>>
>> On Mon, Mar 23, 2009 at 11:06 AM, SitG Admin
>> <sysadmin at shadowsinthegarden.com> wrote:
>> >> Of course, a user can also enter some other email address in the same
>> >> domain and have it quietly switch on him when he logs in.
>>
>> Stupid question: Seems to me that the OP can deal with this, assuming
>> that it does get the "user" part of the "user@domain.com" URL.
>> According to the HTTP spec, it should, and at least JSP frameworks
>> were able to pick up on this last time I checked. (It's equivalent to
>> HTTP Basic auth, but without sending a password, which gives you an
>> empty password.) This could be used for pre-filling forms, or for
>> selecting the "right" identity from a set already pre-authenticated at
>> the OP, or just for warning the user "you said X, about to change that
>> to Y, click OK to continue".
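As an added illustration of the scenario debated above (not code from the thread or from any OpenID library), the following Python shows how a relying party can compare the identifier the user typed, including any "user@" part, with the claimed identifier the OP asserts back, treating the userinfo component as untrusted data rather than as part of the host identity. The sample identifiers are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(identifier: str) -> str:
    """Normalize a typed URL identifier: add http:// if the scheme is missing,
    lower-case scheme and host, drop the fragment, and make an empty path '/'.
    The userinfo ('user@') part is kept as typed so it can be inspected."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    netloc = parts.hostname or ""          # hostname is already lower-cased
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        netloc = userinfo + "@" + netloc
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/",
                       parts.query, ""))


def strip_userinfo(url: str):
    """Return (userinfo or None, url with the userinfo component removed)."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return None, url
    userinfo, _, hostport = parts.netloc.rpartition("@")
    return userinfo, urlunsplit((parts.scheme, hostport, parts.path,
                                 parts.query, parts.fragment))


def check_claimed_identifier(typed: str, asserted: str) -> dict:
    """Compare what the user typed with the claimed identifier the OP returns.
    Only the base URL (scheme, host, path) establishes identity; a changed or
    newly introduced 'user@' part is reported so the RP can refuse or warn."""
    typed_user, typed_base = strip_userinfo(normalize_identifier(typed))
    asserted_user, asserted_base = strip_userinfo(normalize_identifier(asserted))
    return {
        "base_matches": typed_base == asserted_base,
        "asserted_has_userinfo": asserted_user is not None,
        "userinfo_changed": typed_user != asserted_user,
        "accept": typed_base == asserted_base and typed_user == asserted_user,
    }


if __name__ == "__main__":
    # Constructed case from the thread: user typed user1@, OP asserts user2@.
    print(check_claimed_identifier("user1@example.org", "http://user2@example.org/"))
```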