The user part is never sent to the OP, regardless of the RP's implementation. Discovery is performed with an HTTP GET on either <a href="mailto:user@domain.com">user@domain.com</a> or <a href="http://domain.com">domain.com</a>. Discovery results in the OP endpoint URI and an identifier_select claimed identifier. The RP then redirects the user, not to <a href="http://domain.com">domain.com</a>, but to the OP endpoint, which could be anywhere, and certainly does NOT include the user@ portion because the redirect is determined by the OP's advertised OP endpoint via their XRDS document.<div>
<br></div><div>So the OP never sees user1@ or user2@. The RP has no way to correlate user1@ to a user account or a claimed identifier on the OP, and the RP never sees user2@ because the claimed identifier is not in the form of an email address. :)</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Mon, Mar 23, 2009 at 6:26 PM, John Panzer <span dir="ltr">&lt;<a href="mailto:jpanzer@acm.org">jpanzer@acm.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Mon, Mar 23, 2009 at 11:06 AM, SitG Admin<br>
&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt; wrote:<br>
>> Of course, a user can also enter some other email address in the same<br>
>> domain and have it quietly switch on him when he logs in.<br>
<br>
</div>Stupid question: Seems to me that the OP can deal with this, assuming<br>
that it does get the "user" part of the "<a href="mailto:user@domain.com">user@domain.com</a>" URL.<br>
According to the HTTP spec, it should, and at least JSP frameworks<br>
were able to pick up on this last time I checked. (It's equivalent to<br>
HTTP Basic auth, but without sending a password, which gives you an<br>
empty password.) This could be used for pre-filling forms, or for<br>
selecting the "right" identity from a set already pre-authenticated at<br>
the OP, or just for warning the user "you said X, about to change that<br>
to Y, click OK to continue".<br>
<div><div></div><div class="h5">_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>
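The flow described in this message, as an added example that is not part of the original e-mail or of any OpenID library: an RP reads the OP endpoint from an XRDS document, builds the identifier_select redirect, and a check confirms that the local part the user typed is absent from it. The XRDS sample, op.example.net, rp.example.org and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
OP_IDENTIFIER_TYPE = OPENID2_NS + "/server"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
XRD = "{xri://$xrd*($v*2.0)}"

# Constructed XRDS, standing in for what discovery on domain.com returns.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.net/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def discover_op_endpoint(xrds_text):
    """Return the URI of the highest-priority OP Identifier service element."""
    # Stdlib parser keeps this dependency-free; harden XML parsing for remote XRDS.
    root = ET.fromstring(xrds_text)
    candidates = []
    for service in root.iter(XRD + "Service"):
        types = [t.text.strip() for t in service.findall(XRD + "Type") if t.text]
        uri = service.find(XRD + "URI")
        if OP_IDENTIFIER_TYPE in types and uri is not None and uri.text:
            candidates.append((int(service.get("priority", 2**31)), uri.text.strip()))
    if not candidates:
        raise ValueError("no OP Identifier service element in XRDS")
    return min(candidates)[1]  # lowest priority value wins

def build_auth_redirect(xrds_text, return_to, realm):
    """Build the checkid_setup redirect from discovery output alone."""
    endpoint = discover_op_endpoint(xrds_text)
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,  # the OP chooses the identifier
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if urlsplit(endpoint).query else "?"
    return endpoint + sep + urlencode(params)

def redirect_mentions_user(user_input, redirect_url):
    """True if the local part the user typed appears anywhere in the redirect."""
    return user_input.split("@", 1)[0].lower() in unquote(redirect_url).lower()
```
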