[OpenID] More G+ weird behavior. Was: Google+ and Unique Identifiers -- different again?
Andrew Arnott
andrewarnott at gmail.com
Sun Jul 3 19:22:25 UTC 2011
It seems to me that any RP that accepts Google Profiles logins right now
has significant security flaws because they are not validating that the
asserting OP Endpoint has authority to assert for the claimed_id.
Sent from my Windows Phone
------------------------------
From: Johannes Ernst
Sent: Sunday, July 03, 2011 11:31 AM
To: openid-general at lists.openid.net
Subject: [OpenID] More G+ weird behavior. Was: Google+ and Unique Identifiers -- different again?
On the first login, I specify
http://profiles.google.com/Johannes.Ernst
which logs me in after having been automagically transformed into
https://plus.google.com/104555285104903729468
per previous message.
Then, the next day, (because my session cookie is expired), I try to
re-login with the apparently canonical identifier
https://plus.google.com/104555285104903729468
which leads me to a Google page at
https://accounts.google.com/o/openid2/ProfileCreation
that says
<relying party URL> is asking for your Google profile, but you don't have
one yet
and only gives me the option to cancel or "create a Google profile now".
Trouble is, I already have a Google profile, and even adding to it does not
let me proceed from that page.
So I cancel that attempt, and try again with
http://profiles.google.com/Johannes.Ernst
which works like a charm -- except that I'm
https://plus.google.com/104555285104903729468
again.
On Jul 1, 2011, at 20:48, Johannes Ernst wrote:
It seems Google has changed their unique identifiers for people again.
Apparently I'm now:
https://plus.google.com/104555285104903729468
as opposed to
http://profiles.google.com/Johannes.Ernst
and so many other variations over the years.
My relying party implementation does not recognize me any more although I
use the same URL as identifier. Which means I can't access my account!
Is it me who is doing something wrong here? What's the official Google
migration path?
Thanks,
Johannes.
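
The check named at the top of this message is the "verifying discovered information" step of OpenID Authentication 2.0 (section 11.2), shown here as an added example that is not part of the original thread or any participant's code. It is narrowed to matching the OP endpoint and OP-local identifier; the `discover` callable, the function name, and the example.com URLs are constructed assumptions standing in for the RP's own discovery.

```python
from urllib.parse import urldefrag

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed sample: what the RP's own discovery returns for each claimed_id.
DISCOVERY = {
    "https://id.example.com/alice": [
        {"op_endpoint": "https://op.example.com/openid"},
    ],
    "https://vanity.example.org/bob": [
        {"op_endpoint": "https://op.example.com/openid",
         "local_id": "https://op.example.com/u/1234"},
    ],
}


def discover(url):
    """Hypothetical stand-in for Yadis/HTML discovery on `url`."""
    return DISCOVERY.get(url, [])


def op_may_assert(assertion, discover=discover):
    """True only if discovery on the asserted claimed_id authorizes the OP.

    `assertion` holds the openid.* fields of a positive assertion whose
    signature and nonce have already been checked elsewhere.
    """
    claimed = assertion.get("openid.claimed_id")
    identity = assertion.get("openid.identity")
    endpoint = assertion.get("openid.op_endpoint")
    if not (claimed and identity and endpoint) or claimed == IDENTIFIER_SELECT:
        return False
    # The fragment is not used when verifying discovered information.
    url, _fragment = urldefrag(claimed)
    # Discovery is run on the claimed_id in the RESPONSE, which may differ
    # from the identifier the user typed (as it does in this thread).
    for service in discover(url):
        # With no OP-local identifier discovered, it defaults to the claimed_id.
        expected_identity = service.get("local_id") or url
        if service["op_endpoint"] == endpoint and identity == expected_identity:
            return True
    return False
```

An RP that skips this step and keys accounts on `openid.claimed_id` accepts any identifier that any OP chooses to assert.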