<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>
For instance, a user might try to log in as X. The OP might decide "you're not X, but you can log in as Y if you want". The user can say "sure", and then the OP sends an assertion for Y. That's legal (per my reading of the spec), and the RP would be wrong to assume that since it asked for X and got Y that that was "good enough".</div>
</blockquote><div><br>Which is precisely Ben's point. That's what Yahoo! does. <br><br>I give Ben's RP 'my' URL as <a href="http://flickr.com/photos/billgates">http://flickr.com/photos/billgates</a> and it sends me off to Yahoo!<br>
Yahoo! say, well, you're not Bill Gates but you can log in as Lachlan Hardy, so I do.<br>Then Yahoo! sends off a successful response to Ben with one of the OpenID URLs I have with them.<br><br>That's what happens right, Ben?<br>
<br>I'm guessing this really is according to spec, but I'm struggling with the sense of it. What it really means is that the URL provided by the RP to the OP is irrelevant. It might as well not exist. (Is that how those 'login with Yahoo! buttons work?)<br>
<br>It kind of solves all those issues folks have with "but my users won't remember their identity URL", but seems to cut out what I consider a major part of the functionality of OpenID. <br><br>When I validate a user's identity URL, I *often* want to know that it *is* their specific URL.<br>
<br>What's the reasoning for this and is there a workaround?<br><br>Lachlan Hardy<br><br><br></div></div>