Non-directed identity UX question

Breno de Medeiros breno at google.com
Fri Jan 15 17:23:40 UTC 2010


On Fri, Jan 15, 2010 at 06:58, George Fletcher <gffletch at aol.com> wrote:
> On 1/14/10 9:19 PM, Allen Tom wrote:
>>
>> On 1/14/10 3:51 PM, "Breno de Medeiros"<breno at google.com>  wrote:
>>>
>>> You mean that the RP didn't perform discovery? Or that the user
>>> mistyped a URL and it happened to be a valid OpenID URL for someone
>>> else?
>>
>> The user mistyped their url, but the RP was still able to discover the OP.
>> For instance, the user might have typed in "me.yahoo.com/userid" even
>> though
>> they had not configured a vanity URL for their yahoo account.
>>
>> Another example is that the user didn't realize that Flickr OpenIDs start
>> with "www." and typed in "flickr.com/photos/username" when the correct
>> OpenID url is "www.flickr.com/photos/username"
>>
>> At any rate, the RP did manage to discover the user's OP endpoint, so the
>> string wasn't too badly mangled.
>
> I've done this (more on purpose than by accident) to test edge cases.
> Depending on the OP, it's one way of getting a directed identity like flow
> out of OpenID 1.1 :)
>
> My biggest concern is that if the RP is storing their data based on what the
> user entered and not waiting for the response to see if that's valid, it
> opens a security and usability hole. Seems like something either for the
> security document or a best practices document for RPs (or maybe both).

The OpenID 2.0 spec clearly says that you should use the value
returned by the IDP when it differs from the user-entered value (if
they differ, then the RP must repeat the discovery step to validate
the link between claimed_id and identity in the OP's response). This
is both sensible from a security standpoint as well as more robust
against typos and other edge cases.


>>>>
>>>> If the user initiated the login process by entering their email address,
>>>> then I think it would be more likely that the string is correct, since the
>>>> user probably knows their email address and is able to type it correctly.
>>>>
>>>
>>> I actually have doubts about that, because the email address space is
>>> so densely used.
>>
>> Yeah - also I've been noticing lately that many sites ask the user to
>> enter
>> their email address twice, to make sure that they didn't enter it
>> incorrectly.
>>
>
> If the user is initiating an authentication via their email address, then I
> think we need best practices around what to do at the RP if the resulting
> authN assertion and AX data does not match what the user typed. It seems
> like this should generate a UI to the user asking them whether they really
> meant what they typed, or what they used to log in.
>
> We should probably have best practices for the OP as well (which is really
> the direction of my original question).
>
> Right now, at the OP, we tell the user that they are not currently
> authenticated as the OpenID they specified to the RP, and then allow the
> user to logout and sign back in as the requested OpenID. The user can't
> change the identity specified by the requested OpenID. However, this is not
> a consistent experience across other OPs.
>>
>> _______________________________________________
>> user-experience mailing list
>> user-experience at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-user-experience



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
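The check Breno describes above, as an added illustration that is not part of the original thread: when the OP asserts a claimed_id that differs from what the user typed, the RP re-runs discovery on the asserted identifier and stores that, not the typed string. Discovery here is a constructed lookup table with example.* hosts standing in for the real Yadis/HTML fetch, and the assertion's signature, nonce and return_to are assumed to have been checked already.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for OpenID 2.0 discovery; a real RP fetches the
# identifier over HTTP. Values are (op_endpoint, op_local_id).
OP_A = "https://op-a.example/openid/auth"
OP_B = "https://op-b.example/openid/auth"
DISCOVERY_TABLE = {
    # The identifier the user actually owns at OP A.
    "http://www.photos.example/people/alice": (OP_A, "http://www.photos.example/people/alice"),
    # Mistyped form (missing "www.") that still resolves to OP A, the case in the thread.
    "http://photos.example/people/alice": (OP_A, "http://photos.example/people/alice"),
    # Someone else's identifier, served by a different OP.
    "http://bob.example.org/": (OP_B, "http://bob.example.org/"),
}


def normalize(identifier: str) -> str:
    """Minimal OpenID 2.0 identifier normalization: add a scheme if missing,
    lower-case the host, drop any fragment, give a bare host the path "/"."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    scheme, host, path, query, _fragment = urlsplit(ident)
    return urlunsplit((scheme, host.lower(), path or "/", query, ""))


def discover(claimed_id: str):
    """Return (op_endpoint, op_local_id) for claimed_id, or None."""
    return DISCOVERY_TABLE.get(claimed_id)


def verify_discovered_information(user_typed: str, response: dict, initial_discovery=None) -> str:
    """Return the identifier the RP may persist for this login, or raise.

    `response` carries the positive assertion's openid.* fields. When the
    asserted claimed_id equals the typed (normalized) identifier, the RP may
    reuse the discovery result from the request step; otherwise it must
    discover the asserted claimed_id afresh and check the OP is authoritative.
    """
    claimed_id = response["openid.claimed_id"]
    asserted = (response["openid.op_endpoint"], response["openid.identity"])
    if normalize(user_typed) == claimed_id and initial_discovery is not None:
        found = initial_discovery
    else:
        found = discover(claimed_id)
    if found is None:
        raise ValueError("no discovery information for asserted claimed_id")
    if found != asserted:
        raise ValueError("asserting OP is not authoritative for claimed_id")
    return claimed_id  # store this, never the raw user-typed string
```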

