Comments on: Using email addresses as OpenID identities (almost)

By: James Henstridge

James Henstridge — Fri, 04 Apr 2008 08:05:22 +0000

Chris: I’m not arguing that providers should tell their users to enter email addresses into OpenID forms: giving them a shorter constant string is definitely the better option.

However if users do enter their email address anyway, if it is possible to give the desired behaviour why not do so?

By: Chris Cunningham

Chris Cunningham — Thu, 03 Apr 2008 13:21:24 +0000

I agree that this isn’t the sort of thing that you’d want to start relying on

That’d be why you wouldn’t be wanting to implicitly condone it.

– Chris

By: James Henstridge

James Henstridge — Thu, 03 Apr 2008 04:10:02 +0000

Kevin: I agree that typing “yahoo.com” is easier and what users should be directed to use. I just found it interesting that an approximation of the user’s intent happens if they enter their email address.

Armin: it is true that the HTTP RFC doesn’t specify handling of the userinfo portion of the authority section, but does seem to be supported by most implementations (they probably do URI generic syntax processing before any HTTP-specific processing). I agree that this isn’t the sort of thing that you’d want to start relying on, but it is nice that it half works though.

By: Armin Ronacher

Armin Ronacher — Wed, 02 Apr 2008 20:24:19 +0000

That’s against the spec though. HTTP URLs must not have a authentification part. That’s reserved for FTP and some others.

By: Kevin Turner

Kevin Turner — Wed, 02 Apr 2008 18:47:42 +0000

The thing to keep in mind though is this is currently an accident, and not a supported use case. The HTTP-fetching code in many OpenID implementations doesn’t really know what to do with the user@ part of the URL, i.e. it’ll try to use it as a hostname instead of translating it to parameters for basic auth, and it’ll break.

So you’re better off just typing in “yahoo.com”, really.