Server should provide the identity URL

Richard 'toast' Russo russor at msoe.edu
Tue Jul 5 09:52:10 PDT 2005


Doing it this way makes it pretty easy to see who is looking at your site 
without (most of) the users knowing you're finding out.  With the current 
method, you can only try to see if everyone visiting your site is 
bradfitz.com.

Nefarious example:

You want to out users who read an lj community you're a member of.  You 
link to an offsite page (which you control) from the community journal. 
The offsite page contains invisible images which require openid 
authentication from livejournal.  Depending on where you host it, and what 
meme was at the domain before, maybe a few people will log in to get the 
invisible images, and you've got a list of users who probably read the 
community journal (regardless of whether they have friended it).
On Tue, 5 Jul 2005, Omar Syed wrote:

> Looks to me like there is no need for the EndUser to tell the Consumer
> what their identity URL is. In the end what the Consumer
> really does is check to see if the EndUser is logged into the account
> they have with an OpenID Server site (via the User-Agent). Provided
> that the EndUser is logged in and has notified the Server that they
> trust the Consumer site, the Server can give the Consumer the
> identity URL of the EndUser from where additional information can
> be accessed (such as a public FOAF document). The EndUser only
> needs to tell the Consumer the "simple" URL of their OpenID Server.
>
> In the Overview section of the Specs page:
>  http://openid.net/specs.bml
> if Bob wants to use livejournal.com as his OpenID Server then
> Bob should only have to enter:
>  livejournal.com
> in the text box of the Consumer site. The front page of a site
> that is an OpenID Server (livejournal.com in this example)
> should provide the LINK tag which defines "openid.server".
> The Consumer will then get Bob's identity URL from the OpenID
> Server.
>
> But how will the OpenID Server know what Bob's identity
> URL is? Well Bob already needs to maintain an account with the
> Server and tell the Server which Consumers he trusts. Bob can
> also provide his identity URL in this account.
>
> What if Bob wants to change his OpenID Server from livejournal.com
> to deadjournal.com. It's just as simple as before. Bob enters his
> identity URL (http://bob.com/) in the new account he opened with
> deadjournal.com and begins entering:
>  deadjournal.com
> in the text box of Consumer sites.
>
> This avoids the problem of EndUsers needing to tell the Consumer
> sites their identity URL which are typically specified down to the
> level of a username (not a good thing). This also avoids the
> whole issue of wanting to enter an email address like URL for
> the identity URL.
>
> I won't go into the details right now, but doing it this way will
> also allow for more flexibility and enhancements in the future if the
> scope of this project increases. Right now you are only looking at
> this project to satisfy the need of simple identification for
> adding comments to a blog or forum. However, if this project becomes
> popular and catches on people will want to apply it for
> broader use.
>
> This is a critical design issue and I think you still have time to
> change it if you want to. Later on it will be hard to change.
>
> Omar

-- 
Success! You are foaf http://openid.enslaves.us/
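Added example, not code from the thread or from any OpenID implementation: a minimal OpenID 1.x style Consumer check showing the binding the reply relies on, namely that the Consumer starts from an identity URL the End User typed in and accepts an id_res assertion only for that identity, so a Server cannot volunteer whoever happens to be logged in. The identity URL, HTML page and association secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample: the HTML at Bob's identity URL, as the Consumer would fetch it.
BOB_IDENTITY = "http://bob.example/"
BOB_PAGE = ('<html><head><link rel="openid.server" '
            'href="https://www.livejournal.com/openid/server.bml"></head></html>')
# Constructed association secret (normally negotiated with openid.mode=associate).
ASSOC_SECRET = b"constructed-shared-secret"

def discover_server(identity_html):
    """Return the openid.server href from the claimed identity page's LINK tag, or None."""
    m = re.search(r'<link[^>]*rel="openid\.server"[^>]*href="([^"]+)"', identity_html, re.I)
    return m.group(1) if m else None

def sign(fields, signed, secret):
    """OpenID 1.x signature: base64(HMAC-SHA1) over 'key:value\\n' lines of the signed fields."""
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(secret, token, hashlib.sha1).digest()).decode()

def server_response(identity, return_to, secret):
    """Constructed id_res query string, as a Server would redirect it back to the Consumer."""
    fields = {"openid.mode": "id_res", "openid.identity": identity,
              "openid.return_to": return_to, "openid.signed": "mode,identity,return_to"}
    fields["openid.sig"] = sign(fields, fields["openid.signed"].split(","), secret)
    return urlencode(fields)

def verify_assertion(query, claimed_identity, secret):
    """Accept an id_res only if it is validly signed AND names the identity the user typed in."""
    if not claimed_identity:
        return False  # no user-supplied claim, so there is nothing to bind the assertion to
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if q.get("openid.mode") != "id_res":
        return False
    signed = q.get("openid.signed", "").split(",")
    if "identity" not in signed or "return_to" not in signed:
        return False
    if any("openid." + k not in q for k in signed):
        return False
    expected = sign(q, signed, secret).encode()
    if not hmac.compare_digest(expected, q.get("openid.sig", "").encode()):
        return False
    return q["openid.identity"] == claimed_identity
```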


More information about the yadis mailing list