Martin Atkins (mart) wrote in apparentlymart,

OpenID Providers ignoring openid.identity

Yahoo!'s OP and now it seems Microsoft's OP both ignore the value of openid.identity provided to them, and just return an assertion for whatever user's logged in. While this is technically valid if you think of the result as an "unsolicited positive assertion" as per the spec, it's a bit counter-intuitive. While it works okay for the sign-on case, it's not so hot for the basic "prove I own a URL" case: consumers attempting to do this find that they end up with an assertion for a URL that they don't care about.

I think the ideal behavior, both to avoid breaking this use-case and to make it clear to users what they're logging in as, is to tell the user they're logged in as the wrong identifier and prompt them for the credentials for the identifier they entered. Of course, if openid.identity is the special value http://specs.openid.net/auth/2.0/identifier_select then the current behavior is fine; in this case, the RP is saying "tell me a URL this user owns", not "does this user own this URL?".

I'd be interested to hear what advantages there are to ignoring openid.identity. I've not been able to think of any.
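Regardless of what the OP does, the RP can detect the situation described above by comparing the identifier it asked about with the one the OP actually asserted, accepting a different identifier only when it sent identifier_select. The following is an added illustration of that RP-side check, not code from the post or from any OpenID library; the query strings are constructed samples, and the function assumes the assertion's signature, nonce and return_to have already been verified separately.

```python
from urllib.parse import parse_qs, urldefrag

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def check_asserted_identity(requested_claimed_id, requested_identity, response_query):
    """Return (ok, reason) for a positive assertion received at the RP.

    requested_claimed_id / requested_identity are the values the RP put in its
    checkid_setup request; response_query is the query string the OP redirected
    the user back with. This only checks identity agreement; it assumes the
    signature and other OpenID 2.0 verification steps were done already.
    """
    params = {k: v[0] for k, v in parse_qs(response_query).items()}
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"

    asserted_identity = params.get("openid.identity")
    asserted_claimed = params.get("openid.claimed_id")
    if not asserted_identity or not asserted_claimed:
        return False, "assertion is missing openid.identity or openid.claimed_id"

    if requested_identity == IDENTIFIER_SELECT:
        # The RP asked "tell me a URL this user owns", so any identifier is fine.
        return True, "identifier_select: accepting OP-chosen identifier"

    # OpenID 2.0 allows the OP to append a fragment to the claimed_id, so
    # compare the identifiers with any fragment removed.
    if (urldefrag(asserted_claimed).url != urldefrag(requested_claimed_id).url
            or asserted_identity != requested_identity):
        # This is the "assertion for a URL we don't care about" case: the OP
        # answered for whoever was logged in instead of the identifier requested.
        return False, "OP asserted %s but RP asked about %s" % (
            asserted_claimed, requested_claimed_id)

    return True, "asserted identifier matches the one requested"


# Constructed sample responses (signature fields omitted for brevity).
ALICE = "http://alice.example.org/"
RESPONSE_ALICE = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
                  "&openid.claimed_id=http://alice.example.org/%23frag"
                  "&openid.identity=http://alice.example.org/")
RESPONSE_BOB = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
                "&openid.claimed_id=http://bob.example.org/"
                "&openid.identity=http://bob.example.org/")
```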
