[security] Validating openid.identity in authentication responses
Johnny Bufu
johnny at sxip.com
Fri Nov 16 18:07:37 UTC 2007
On 16-Nov-07, at 9:01 AM, David Recordon wrote:
> This is actually desired functionality to allow for "directed
> identity". The use case here is that an End User might type their OP
> Identifier such as "http://aol.com" to start the discovery process.
> Then while at the OP, they could potentially create a new OpenID
> Identifier on the fly or might only have one which is where this can
> also serve as a convenience feature.
I'll add to that:
- OP initiated login
- user changing their mind at the OP (OP can keep better track of
which identifiers the user presented at each RP)
Johnny
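
An added example, not part of the original message or of any OpenID library: one way an RP can accept an OP-chosen identifier in the cases listed above (directed identity, OP-initiated login, a changed mind at the OP) while still checking through discovery that the responding OP is authoritative for it. The URLs, the discovery table and the function names are constructed; signature and nonce verification are assumed to have happened already.

```python
from urllib.parse import urldefrag

# Special value defined by OpenID Authentication 2.0 for directed identity.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed discovery results: claimed identifier -> (OP endpoint, OP-local id).
# A real RP would run Yadis/HTML discovery here instead of a table lookup.
SAMPLE_DISCOVERY = {
    "http://op.example/users/alice": ("http://op.example/server", None),
    "http://alice.example/": ("http://other-op.example/server",
                              "http://other-op.example/alice"),
}

def discover(claimed_id):
    """Hypothetical stand-in for discovery; returns None if nothing is found."""
    return SAMPLE_DISCOVERY.get(claimed_id)

def validate_response_identity(requested_claimed_id, response, lookup=discover):
    """Return (claimed_id, op_chose_it) or raise ValueError.

    requested_claimed_id is None for an OP-initiated login.
    Assumes the response signature and nonce were already verified.
    """
    claimed = response.get("openid.claimed_id")
    identity = response.get("openid.identity")
    if not claimed or not identity:
        raise ValueError("response carries no identifier")
    if IDENTIFIER_SELECT in (claimed, identity):
        raise ValueError("OP did not replace identifier_select")
    # Discovery is done on the asserted identifier without its fragment.
    claimed_nofrag = urldefrag(claimed)[0]
    found = lookup(claimed_nofrag)
    if found is None:
        raise ValueError("discovery failed for asserted identifier")
    endpoint, local_id = found
    if endpoint != response.get("openid.op_endpoint"):
        raise ValueError("OP is not authoritative for asserted identifier")
    if (local_id or claimed_nofrag) != identity:
        raise ValueError("openid.identity does not match discovered OP-local id")
    # True when the OP, not the RP's request, determined the identifier.
    op_chose_it = (requested_claimed_id in (None, IDENTIFIER_SELECT)
                   or urldefrag(requested_claimed_id)[0] != claimed_nofrag)
    return claimed, op_chose_it
```
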