[OpenID] More G+ weird behavior. Was: Google+ and Unique Identifiers -- different again?

Andrew Arnott andrewarnott at gmail.com
Sun Jul 3 19:28:24 UTC 2011


Here is the relevant RP test, by the way:
http://www.test-id.org/RP/VerifyAssertionDiscovery.aspx

On 7/3/11, Andrew Arnott <andrewarnott at gmail.com> wrote:
> It seems to me that any RP that accepts Google Profiles logins right now
> has significant security flaws because it is not validating that the
> asserting OP Endpoint has authority to assert for the claimed_id.
>
> Sent from my Windows Phone
> ------------------------------
> From: Johannes Ernst
> Sent: Sunday, July 03, 2011 11:31 AM
> To: openid-general at lists.openid.net
> Subject: [OpenID] More G+ weird behavior. Was: Google+ and Unique
> Identifiers -- different again?
>
> On the first login, I specify
> http://profiles.google.com/Johannes.Ernst
> which logs me in after having been automagically transformed into
> https://plus.google.com/104555285104903729468
> per previous message.
>
> Then, the next day, (because my session cookie is expired), I try to
> re-login with the apparently canonical identifier
> https://plus.google.com/104555285104903729468
> which leads me to a Google page at
> https://accounts.google.com/o/openid2/ProfileCreation
> that says
> <relying party URL> is asking for your Google profile, but you don't have
> one yet
> and only gives me the option to cancel or "create a Google profile now".
> Trouble is, I already have a Google profile, and even adding to it does not
> let me proceed from that page.
>
> So I cancel that attempt, and try again with
> http://profiles.google.com/Johannes.Ernst
> which works like a charm -- except that I'm
> https://plus.google.com/104555285104903729468
> again.
>
>
> On Jul 1, 2011, at 20:48, Johannes Ernst wrote:
>
> It seems Google has changed their unique identifiers for people again.
>
> Apparently I'm now:
> https://plus.google.com/104555285104903729468
> as opposed to
> http://profiles.google.com/Johannes.Ernst
> and so many other variations over the years.
>
> My relying party implementation does not recognize me any more although I
> use the same URL as identifier. Which means I can't access my account!
>
> Is it me who is doing something wrong here? What's the official Google
> migration path?
>
> Thanks,
>
>
>
> Johannes.
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>


-- 
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
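The check Andrew is pointing at is the OpenID 2.0 "Verifying Discovered Information" step: before the RP trusts the claimed_id in a positive assertion, it must redo discovery on that asserted claimed_id (not on whatever the user typed) and confirm that discovery names the OP endpoint that produced the assertion. Below is an added illustration of that step, not code from this thread or from any RP mentioned in it; the discovery table and the op.example.com / rogue-op.example endpoints are constructed placeholders standing in for real Yadis/HTML discovery.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urldefrag

# Constructed offline stand-in for Yadis/XRDS or HTML discovery. Each claimed
# identifier maps to (OP endpoint URL, OP-local identifier or None). The
# endpoint URL is a placeholder, not Google's real one.
DISCOVERY = {
    "https://plus.google.com/104555285104903729468":
        ("https://op.example.com/openid", None),
}

@dataclass(frozen=True)
class Assertion:
    claimed_id: str    # openid.claimed_id from the positive assertion
    identity: str      # openid.identity (OP-local identifier)
    op_endpoint: str   # openid.op_endpoint, as stated by whoever signed it

def discover(identifier: str) -> Optional[Tuple[str, Optional[str]]]:
    """Discovery on a claimed identifier; a table lookup here instead of HTTP."""
    return DISCOVERY.get(identifier)

def verify_assertion_discovery(a: Assertion) -> str:
    """OpenID 2.0 section 11.2: rediscover the *asserted* claimed_id (which
    may differ from what the user typed, as in the thread above) and accept
    only if discovery names the responding OP endpoint and the asserted
    OP-local identifier. Returns the canonical claimed_id to store."""
    claimed_id, _fragment = urldefrag(a.claimed_id)  # the OP may add a fragment
    if not claimed_id:
        raise ValueError("positive assertion carries no claimed_id")
    found = discover(claimed_id)
    if found is None:
        raise ValueError(f"discovery on {claimed_id} yielded no OP endpoint")
    endpoint, local_id = found
    if endpoint != a.op_endpoint:
        # This is the case the thread describes: an endpoint asserting an
        # identifier that discovery does not delegate to it.
        raise ValueError(f"{a.op_endpoint} is not authoritative for {claimed_id} "
                         f"(discovery names {endpoint})")
    expected_identity = local_id if local_id is not None else claimed_id
    if a.identity != expected_identity:
        raise ValueError("openid.identity does not match the discovered OP-local id")
    return claimed_id

def assertion_is_valid(a: Assertion) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_assertion_discovery(a)
        return True
    except ValueError:
        return False
```

An RP that records `openid.claimed_id` without this step accepts the identifier from any endpoint that signs a well-formed response, which is the flaw Andrew describes.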

