Question

I am in the process of completing an integration with a 3rd party for OpenID. We've got all of the hard parts done, and everything works.

This 3rd party, call them foo.com, is offering OpenID authentication for users with logins at their site, but they are authenticating and offering information about users on domains they don't control. Domains like gmail.com, my company's domain, and I'm sure any other domain from any email address for accounts that they have logins for.

Is this kosher according to the OpenID spec? (I can't find documentation.) It seems to me that foo.com providing OpenID authentication for bar.com, where foo.com and bar.com are unrelated, and bar.com potentially doesn't even offer OpenID support, misses the entire point of OpenID: you should only authenticate identities of people whose accounts you fully control.


Solution

It's fine as long as the identity URL refers to the OP during discovery.

The OP is not supposed to have any control over the user's identity. It only confirms the relationship between the user in front of the computer and the identity URL to the best of its knowledge.
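The answer's condition ("as long as the identity URL refers to the OP during discovery") is something the relying party has to check itself, not something the OP can be trusted to assert. The following is an added example, not code from the question, the answer or any OpenID library: it performs OpenID 2.0 HTML-based discovery on a claimed identifier (the `openid2.provider` / `openid2.local_id` link tags) and then applies the spec's "verifying discovered information" rule, rejecting a positive assertion whose OP endpoint or OP-local identifier does not match what discovery returned. The domains, documents and assertion values are constructed for the example; `DISCOVERY_DOCS` stands in for the HTTP fetch an RP would actually do.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional, Tuple

# Constructed, offline stand-ins for the pages an RP would fetch during
# OpenID 2.0 HTML-based discovery. The hostnames are hypothetical.
# alice.example.net delegates to an OP at foo.example.com; bob.example.org
# publishes no OpenID links at all, so no OP may speak for it.
DISCOVERY_DOCS = {
    "https://alice.example.net/": """<html><head>
        <link rel="openid2.provider" href="https://foo.example.com/openid/server">
        <link rel="openid2.local_id" href="https://foo.example.com/users/alice">
        </head><body>alice's page</body></html>""",
    "https://bob.example.org/": """<html><head>
        <title>no openid links here</title></head><body>bob</body></html>""",
}


@dataclass
class Discovered:
    claimed_id: str   # identifier the user typed / the RP resolved
    op_endpoint: str  # OP endpoint URL found on the identifier's page
    local_id: str     # OP-local identifier (defaults to the claimed id)


class _LinkParser(HTMLParser):
    """Collect <link rel=... href=...> pairs from the <head> of a page."""

    def __init__(self) -> None:
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():      # rel may carry several tokens
                self.links.setdefault(token, href)


def discover(claimed_id: str, fetch=DISCOVERY_DOCS.get) -> Optional[Discovered]:
    """HTML-based discovery: return the OP the identifier itself points at."""
    doc = fetch(claimed_id)
    if doc is None:
        return None
    parser = _LinkParser()
    parser.feed(doc)
    endpoint = parser.links.get("openid2.provider")
    if endpoint is None:
        return None                         # identifier does not delegate to any OP
    local_id = parser.links.get("openid2.local_id", claimed_id)
    return Discovered(claimed_id, endpoint, local_id)


def verify_assertion(assertion: dict, fetch=DISCOVERY_DOCS.get) -> Tuple[bool, str]:
    """Apply the 'verifying discovered information' rule to a positive assertion.

    The assertion dict holds the openid.* fields of an id_res response. The
    RP re-runs discovery on openid.claimed_id and insists that the OP which
    signed the assertion is the OP the identifier delegates to. Signature
    checking is a separate step and is not modelled here.
    """
    claimed = assertion.get("openid.claimed_id")
    if not claimed:
        return False, "assertion carries no claimed identifier"
    found = discover(claimed, fetch)
    if found is None:
        return False, f"{claimed} does not delegate to any OP; assertion rejected"
    if found.op_endpoint != assertion.get("openid.op_endpoint"):
        return False, (f"{claimed} delegates to {found.op_endpoint}, "
                       f"not {assertion.get('openid.op_endpoint')}")
    if found.local_id != assertion.get("openid.identity"):
        return False, "OP-local identifier differs from discovered local_id"
    return True, f"{claimed} is asserted by the OP it delegates to"


if __name__ == "__main__":
    ok_assertion = {
        "openid.claimed_id": "https://alice.example.net/",
        "openid.identity": "https://foo.example.com/users/alice",
        "openid.op_endpoint": "https://foo.example.com/openid/server",
    }
    print(verify_assertion(ok_assertion))
```

Real RPs also normalize the claimed identifier, strip any fragment the OP appended, and try XRDS/Yadis discovery before falling back to HTML link tags; the matching rule is the same. The point of the check is the one the answer makes: an OP at foo.com may vouch for an identifier on any domain, but only if that identifier's own discovery data names foo.com as its provider.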

Licensed under: CC-BY-SA with attribution