I was going through the logs of <a href="http://nerdbank.org/RP/login.aspx">my test RP</a> and was surprised to see what looked like the efforts of someone who didn't understand how OpenID worked. One of the attempts included just using a Yahoo! email address. Guess what?! It worked.<div>
<br>It worked because (at least in .NET), the URL may validly include a user@ portion, as has been discussed on this list recently. It's just quietly dropped. That left "<a href="http://yahoo.com">http://yahoo.com</a>" as the identifier to perform discovery on, which of course worked. To the user, the experience is nearly perfect. They see Yahoo where they must log in, choose an identifier, and then return to the RP. The only weirdness is that although the Claimed Identifier will always be right, if for prettiness' sake the RP were to display the user-supplied-identifier as the user originally typed it in that it might not match who actually logged into Yahoo. </div>
<div><br></div><div>For instance, I can type in <a href="mailto:yourname@yahoo.com">yourname@yahoo.com</a> and completely log in, even though that's not my email address. The claimed ID is mine, and that's what really matters, but it's a little quirky (from the end user's perspective) that I can type in anyone's yahoo email address and it just works. As a new user I may think that I managed to log in as someone else. </div>
<div><br></div><div>Again, I know <span class="Apple-style-span" style="font-style: italic;">why </span>all this works based on the spec and my implementation of it; I just didn't expect that email discovery would come without at least some work (perhaps to trim off the username@ part). So I was pleasantly surprised.</div>
<div><br>Anyway, something to think about.</div>