Account recovery

chris.messina at
Fri Jan 23 03:35:49 UTC 2009

My understanding is that Google only returns the Gmail address the
first time it's requested, rather than every time.

Some devs on the Google login mailing lists have expressed frustration
over this, so I'm curious if there's a rationale/best practice around


On 1/22/09, Breno de Medeiros <breno at> wrote:
> For the record, the Google OP only returns validated email addresses.
> It is possible to create Google Accounts for some Google properties
> without validating the email address but the Google OP will not assert
> these emails, since otherwise RPs would not be able to accept any
> non-Gmail address from Google without independent validation.
> It is quite possible that some RPs would be happy to get any email
> address from Google users, and I hope AX 2.0 will also allow for RPs
> to communicate that they do not require validation, and OPs to give an
> answer + convey the information whether they were validated or not.
> This way the RPs will always be able to provide users with optimal
> experience.
> On Thu, Jan 22, 2009 at 6:09 PM, Martin Atkins <mart at> wrote:
>> Allen Tom wrote:
>>> In Yahoo's case (and as I believe Google's case), the only email address
>>> that we return is the address that is bound to the user's
>>> account. It is more than just a verified email address, the OP is
>>> actually the authority for email address.
>> My Google account uses a non-gmail email address, and Google returns this
>> in AX responses.
>> I believe Plaxo currently just takes anything from Google's OP as
>> verified, which seems sane to me.
>>> It would be great if there was a way for an RP to discover if the user's
>>> OP is authoritative for the user's email address.
>> I still think that using the email address *as* the OpenID identifier is
>> the best way to achieve this. A prerequisite of that is to somehow support
>> discovery on the email address which allows you to determine which OpenID
>> provider is authoritative for it.
>> In Yahoo's case where directed identity is used I would expect this to
>> manifest as a directed identity response with the identity set to
>> mailto:username at, at which point the RP would do discovery on that
>> email address (using a mechanism still to be determined) and find that the
>> OP is indeed allowed to make assertions for that email address, just as we
>> do for HTTP URLs today.
>> _______________________________________________
>> user-experience mailing list
>> user-experience at
> --
> --Breno
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)

Chris Messina
Citizen-Participant &
  Open Web Advocate-at-Large
This email is:   [ ] bloggable    [X] ask first   [ ] private
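
An RP-side version of the trust decision discussed in this thread, added here as an example; it is not code from any poster or from Google, Yahoo or Plaxo. The AX namespace and email type URIs are the real ones, while the `OP_POLICY` table, the trust labels and the `example.*` endpoints and addresses are hypothetical. It assumes a single-valued AX email and a response whose signature the RP has already verified.

```python
# Added example: every endpoint, domain and address below is constructed.
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL_TYPES = {"http://axschema.org/contact/email",
                  "http://schema.openid.net/contact/email"}

# Hypothetical RP policy keyed by OP endpoint: does the OP validate every
# address it asserts, and for which mail domains is it itself the authority?
OP_POLICY = {
    "https://op.example.com/openid": (True, {"example.com"}),
    "https://op.example.net/openid": (False, {"example.net"}),
}

# Constructed positive assertion, reduced to the fields this check reads.
SAMPLE = {
    "openid.op_endpoint": "https://op.example.com/openid",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "alice@example.org",
    "openid.signed": "op_endpoint,ns.ext1,ext1.type.email,ext1.value.email",
}

def _suffix(resp, prefix, wanted):
    """Return the part after `prefix` of the first key whose value is wanted."""
    for key, value in resp.items():
        if key.startswith(prefix) and value in wanted:
            return key[len(prefix):]
    return None

def classify_ax_email(resp):
    """Return (email, trust) for a response whose signature is already verified."""
    alias = _suffix(resp, "openid.ns.", {AX_NS})
    name = alias and _suffix(resp, f"openid.{alias}.type.", AX_EMAIL_TYPES)
    email = name and resp.get(f"openid.{alias}.value.{name}")
    if not email:
        return (None, "absent")
    # A valid signature covers only the fields listed in openid.signed.
    signed = set(resp.get("openid.signed", "").split(","))
    needed = {"op_endpoint", f"ns.{alias}",
              f"{alias}.type.{name}", f"{alias}.value.{name}"}
    if not needed <= signed:
        return (email, "unsigned")
    validates_all, own_domains = OP_POLICY.get(
        resp.get("openid.op_endpoint"), (False, set()))
    if email.rpartition("@")[2].lower() in own_domains:
        return (email, "authoritative")
    return (email, "validated" if validates_all else "unverified")

print(classify_ax_email(SAMPLE))
```

Only the "authoritative" and "validated" results should let the RP skip its own confirmation mail; "unsigned" and "unverified" addresses are treated as user-supplied input.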
