If you start with /lukesheppard at the RP, and the OP sends back /lukesheppard, then you know. If the OP sends something different back, all you know is that the user controls something different. You don't know anything about whether /lukesheppard is also controlled by the same user.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Mon, Jan 12, 2009 at 10:13 PM, Ben Schwarz <span dir="ltr"><<a href="mailto:ben.schwarz@gmail.com">ben.schwarz@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">Except, when I use the Yahoo open ID service, I say:<div><br></div><div><span style="white-space:pre">        </span>Hi, I'm <a href="http://flickr.com/photos/lukesheppard" target="_blank">http://flickr.com/photos/lukesheppard</a></div>
<div><br></div><div>Yahoo asks me to sign in (as myself); I do, and I can choose which OpenID I want to respond with (<a href="http://flickr.com/photos/benschwarz" target="_blank">flickr.com/photos/benschwarz</a> or the me.yahoo hashed one)</div>
<div><br></div><div><span style="white-space:pre">        </span>Yahoo then returns a <b>successful response</b><br></div><div><b><br></b></div><div>How do I, as a developer, know that I'm really not lukesheppard?</div><div><br>
</div><div><br></div><div>Cheers, </div><div><br></div><font color="#888888"><div>Ben</div></font><div><div></div><div class="Wj3C7c"><div><br></div><div><br></div><div><br><div><div>On 13/01/2009, at 4:59 PM, Luke Shepard wrote:</div>
<br><blockquote type="cite"><div> <font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">If you go to <a href="http://flickr.com/photos/benschwarz" target="_blank">http://flickr.com/photos/benschwarz</a>, you'll see this tag:<br>
<br> &lt;link rel="openid2.provider" href="https://open.login.yahooapis.com/openid/op/auth" /&gt;<br> <br> That basically says "I authorize Yahooapis.com to say who I am". So you attempt to log in as X, and X says "trust Yahoo", and then Yahoo says "this is Z". So it's still a cycle of trust.<br>
<br> On 1/12/09 9:55 PM, "Ben Schwarz" <<a href="http://ben.schwarz@gmail.com" target="_blank">ben.schwarz@gmail.com</a>> wrote:<br> <br> </span></font><blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">How can that serve as authentication? <br>
I've requested the user to login as x and I get a z in return? I have no way of telling that the user is indeed who they said they were. <br> <br> Thus rendering the service unusable.<br> <br> I'm rather surprised that this is considered part of the specification.<br>
<br> <br> <br> <br> On 13/01/2009, at 4:48 PM, Andrew Arnott wrote:<br> <br> </span></font><blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">That's the tricky bit. See, even though you as the RP send a claimed identifier with a URL that is readable, once Yahoo! identifies which user is logged in to itself, it can negotiate with that user (or look up a previous setting) what claimed id to actually send back to the RP, and it may be different, in fact a hashed-looking URL as you're seeing.<br>
<br> When I first saw this behavior I thought it was a bug too. But a careful reading of the OpenID 2.0 spec seems to not forbid OPs from changing the claimed id that the RP initiated the request with. <br> <br> <br>
Although if an OP changes the claimed id when the claimed id and the local_id are different, then that OP just broke OpenID delegation, which I consider a bug.<br> <br> --<br> Andrew Arnott<br> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br> <br> On Mon, Jan 12, 2009 at 9:25 PM, Ben Schwarz <<a href="http://ben.schwarz@gmail.com" target="_blank">ben.schwarz@gmail.com</a>> wrote:<br> </span></font><blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"> <br>
Thanks for the quick and detailed reply Andrew.<br> <br> However, I am requesting auth using the Flickr address, which is a direct link to the identity of said user, and Yahoo is indeed returning a <i>different</i> URL.<br> <br>
<br> <br> On 13/01/2009, at 4:22 PM, Andrew Arnott wrote:<br> <br> </span></font><blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Yahoo! is leveraging something called directed identity. It's legal per the spec. It's actually optional per-user, but Yahoo offers this as a default specifically to prevent sites from knowing who their users are without the users specifically telling them.<br>
<br> The only thing you can know when an OpenID user from Yahoo logs in using that hashed claimed id is that they are the same person who logged in last time with that hashed URL. No way to know who is behind the hash though.<br>
<br> <br> --<br> Andrew Arnott<br> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br> <br> <br> On Mon, Jan 12, 2009 at 9:17 PM, Ben Schwarz <<a href="http://ben.schwarz@gmail.com" target="_blank">ben.schwarz@gmail.com</a>> wrote:<br>
<br> </span></font><blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"> Hi All,<br> <br> I'm looking to implement Flickr OpenID with Yahoo. Unless I've incorrectly understood the specification, I believe they've implemented it incorrectly / poorly.<br>
<br> I make a request to auth with <a href="http://flickr.com/photos/benschwarz" target="_blank">http://flickr.com/photos/benschwarz</a>, which goes to Yahoo; it allows me to auth successfully.<br> The identity URL returned by default, however, is something like <a href="http://me.yahoo.com/some-hashed-url" target="_blank">http://me.yahoo.com/some-hashed-url</a><br>
<br> Without the correct identity url being returned, I have no way of knowing that my users are who they say they are.<br> <br> Have I missed a detail in using OpenID or have Yahoo implemented poorly?<br> <br> <br>
Cheers,<br> <br> <br> Ben<br> _______________________________________________<br> general mailing list<br> <a href="http://general@openid.net" target="_blank">general@openid.net</a><br> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br> </span></font></blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"><br> <br> </span></font></blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"><br>
</span></font></blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"><br> </span></font></blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"><br> <br>
</span></font></blockquote> </div> </blockquote></div><br></div></div></div></div><br>
<br></blockquote></div><br>
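The check the thread converges on, as an added example that is not part of any message in it: after a directed-identity response, an RP treats only the claimed identifier in the assertion as authenticated, and re-runs discovery on that identifier to confirm the asserting OP is authoritative for it. Signature verification and the rest of response checking are assumed already done; the identifier pages and assertions are constructed, with the me.yahoo.com URL a stand-in for the hashed one Yahoo returns by default.

```python
import re
from html import unescape

# Constructed stand-in for fetching each identifier's page over HTTP. The
# flickr page carries the provider tag Luke quoted; the me.yahoo.com page is a
# constructed example of the hashed identifier Yahoo returns by default.
YAHOO_OP = "https://open.login.yahooapis.com/openid/op/auth"
PAGES = {
    "http://flickr.com/photos/lukesheppard":
        '<link rel="openid2.provider" href="%s" />' % YAHOO_OP,
    "http://me.yahoo.com/some-hashed-url":
        '<link rel="openid2.provider" href="%s" />' % YAHOO_OP,
}
LINK_RE = re.compile(r'<link\s+rel="([^"]*)"\s+href="([^"]*)"', re.I)

def discover(claimed_id, fetch=PAGES.get):
    """HTML discovery on claimed_id: (op_endpoint, local_id), or None if no OP tag."""
    body = fetch(claimed_id)
    if body is None:
        return None
    endpoint, local_id = None, claimed_id  # without delegation, local_id == claimed_id
    for rel, href in LINK_RE.findall(body):
        rels = rel.lower().split()
        if "openid2.provider" in rels:
            endpoint = unescape(href)
        if "openid2.local_id" in rels:
            local_id = unescape(href)
    return (endpoint, local_id) if endpoint else None

def authenticated_identifier(assertion):
    """Return the identifier a (signature-checked) positive assertion actually
    proves, or None when the asserting OP is not authoritative for it.
    The identifier the user typed plays no part here: only openid.claimed_id
    in the response is authenticated."""
    returned = assertion["openid.claimed_id"]
    found = discover(returned)
    if found is None:
        return None
    op_endpoint, local_id = found
    if op_endpoint != assertion["openid.op_endpoint"]:
        return None  # some other OP is vouching for an id it does not own
    if local_id != assertion["openid.identity"]:
        return None  # delegation: OP-local id must match what discovery says
    return returned

def requested_id_confirmed(requested_id, assertion):
    """True only when the OP asserted exactly the identifier the user started with."""
    return authenticated_identifier(assertion) == requested_id
```

With the directed-identity response from the thread, requested_id_confirmed is False for the flickr URL the user typed, while authenticated_identifier still yields the hashed URL, which is all the RP may rely on.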