Asymptomatic

A Giant OpenID Hole

I'm at the knowledge level of knowing enough about OpenID to get my foot lodged in my mouth very easily, so please (please, please) correct me if I've got something wrong because I'd really like to work this out.

I signed up for a Zooomr account months ago, and haven't really used it since. I did not use it because I was happy with my Flickr account. During those long months after having tried out the photo sharing service with too many Os, two things happened.

First, I became angry with Flickr for having to use my Yahoo ID to log in. I don't think it was necessarily the "sky is falling" event that I worried about, but I still really dislike having to sign in as "ringmasterow" (Yahoo ID) rather than "ringmaster" (Flickr ID), almost as much as having to use "/asy" instead of "/ringmaster" as my Flickr URL because Flickr attributes no value to their usernames at all. Grr.

Second, I completely forgot what OpenID service I used to log in to Zooomr. At the time, I'm sure that I didn't have OpenID on this domain. At that point, I either used a service or installed a sketchy WordPress plugin to implement an OpenID server based on WP logins. Either way, I'm not sure what my Zooomr OpenID account is.

Since then, I've tried to switch from Flickr to Zooomr due to my dislike of the whole Yahoo debacle. But I can't because I don't know how to log in to Zooomr via OpenID.

I've looked at my profile from outside Zooomr, but it doesn't give away any information about what my OpenID might be. This is odd because one of the advantages of OpenID is supposed to be that you can publish your OpenID address like your username, and your friends could grant you access to resources ahead of time, assuming that you'll be authenticating against the OpenID server you've specified.

Yeah, I know, it sounds outrageously complicated.

If I've used my own domain as an OpenID server (that would be really stupid to do here, though) then it should be reasonably simple to use delegation to point OpenID clients to another place to authenticate me. The trick is that I've yet to find any instructions that explain which URLs to use for this purpose. It requires two for some reason. Shouldn't I just be able to say, "Go look over at http://{OpenIDserver}.com instead of here"? Apparently not.

And I still don't know if that's going to work, because I don't know what URL I have on file at Zooomr. I don't even seem to be able to get Zooomr to send me an email with my OpenID info, because, well, I used OpenID for authentication, which doesn't require email.
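For reference, an added example that is not part of the original post: in OpenID 1.x HTML delegation the two URLs are `openid.server` (the provider endpoint the browser is sent to) and `openid.delegate` (the identity that provider knows you by), both published as `<link>` tags in the `<head>` of your own page. The sketch below reads them from a constructed page and separates them from the claimed identifier, the URL you actually type; all hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: <head> of a personal page that delegates to a
# placeholder provider (all hostnames here are made up for the example).
SAMPLE_PAGE = """<html><head><title>my blog</title>
<link rel="openid.server" href="https://openid.example.net/server">
<link rel="openid.delegate" href="https://ringmaster.openid.example.net/">
</head><body><p>posts...</p></body></html>"""

class _HeadLinks(HTMLParser):
    """Collect openid.* <link> tags, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.rels = False, {}
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel.startswith("openid.") and a.get("href"):
                    self.rels.setdefault(rel, a["href"])
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def normalize(typed):
    """Normalize what the user typed: default scheme, lowercase host, '/' path."""
    typed = typed.strip()
    if "://" not in typed:
        typed = "http://" + typed
    p = urlsplit(typed)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def discover(typed, html):
    """Return the three values a login involves for a delegating page."""
    links = _HeadLinks()
    links.feed(html)
    server = links.rels.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>")
    claimed = normalize(typed)
    return {
        "claimed_id": claimed,  # the URL typed; the site should key the account on this
        "server": server,       # endpoint the browser is redirected to for login
        "delegate": links.rels.get("openid.delegate", claimed),  # name the provider knows
    }
```

Changing providers means editing both `href` values on the page; `claimed_id` stays the same, so a site that stored it keeps recognizing the account.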

This is perhaps just a support issue with Zooomr itself, but I think this problem will become more prevalent throughout sites that use OpenID for authentication.

For example, now, instead of having to remember simply a username and password, you must also remember the URL of your OpenID server. That might not be so bad, but because there are a handful of services offering OpenID logins, and they all add different features as they progress, you might try a few different services for login. And then, when you get really into OpenID, you might install an OpenID server module of your own on your own site, or maybe you'll figure out the delegate stuff. Either way, there's the potential for a lot of mixing and matching.

What would be ideal is if the OpenID servers could talk to each other and accept other OpenID server authentication as valid. It's not something that they should do automatically, of course, but it would be cool if you could accidentally provide the wrong OpenID domain, and then when you end up on OpenID Service A's authentication page, it would ask, "You have not previously allowed access to this site via this OpenID account. Do you want to search your other OpenID services for authentication?" That would be slick.

Anyway, I think this idea is important as we progress toward Identity 2.0, and I know that Habari will soon be part of the mix as we soon add OpenID client and service as default login options. Maybe Habari could spearhead this interconnectivity feature. I think it would be very useful.

Of course, if there is already technology in place for OpenID that employs this, I'm anxious to learn about it. Leave me a note, please. (Especially if you know how I can recover my Zooomr account, since I'd really like to use it again.)

Comments

  1. Me too!!

    It's because of this that I currently despise OpenID, lol. I currently have three Zooomr accounts because of this as well. I have one that is Pro that I might want to use, at least check out new features, etc, on, I even got the "valerie" url for that one. But then they make it entirely too easy to create a new account when you try to use a different OpenID than what you've already used, apparently, if that makes sense. So I have two "numbered url" accounts, too. And what really stinks? They have no support whatsoever for you to find out what your OpenID is - and really, I only have the choice of two to use, so I don't know how I have three accounts in the first place. But I've emailed Zooomr three times with absolutely no reply.

    Personally, I take all that headache as another reason to stick with Flickr myself...

  2. Interesting comments... I know this was made a while ago, but I would say there are a few ways to go about "keeping it all straight". Likely the most useful way, get into OpenID with your own URL to start with. I realize that's not the easiest thing for most users, though, so for those that are prone to forgetting who they signed up with where, etc (like me, too), you can shell out a few bucks and grab an iName (ie, =slepp) which remains constant for a long time, and with XRDS, you don't have to worry about managing your own URL, etc. over time.

    Of course, maybe I've just spent way too much time with OpenIDs lately (http://idbin.ca, after all, is my own provider :) But in my learning phase, I have no less than 18 OpenIDs from a whack of different providers.. I've forgotten the passwords to 2 of them.. But, I'm all settled in now and find OpenIDs to be extremely convenient..

    As for Valerie's comment, I think it would be useful if some OpenID sites would ask you 'did you typo or do you really want to register a new account?' when you login.. This is especially useful when using someone like myopenid.com or such which support both myopenid.com/username and username.myopenid.com as formats.. Some servers I've used seem to store the original URL and not the openid.delegate, and so it doesn't line up the second time you log in.

    Anyway, that's a lot of chatter from me :> (Btw, XRDS is sort of the 'solution to too many names', as it can provide a group of all your valid OpenIDs to be tried in order if auth fails.. at least that's how I understand it)

  3. Ha - I was thinking the same thing this morning - Googled 'openid remember which service' and found you. I totally agree. I guess the idea is that you're supposed to use just ONE of your OpenIDs but I think it'll still confuse consumers. I'm still trying to see what protocols are in place to 'join' logins so if I use my Yahoo! for a site one time and then my Vox the next - how does the site know they are both me and attach those two logins together. I'll ask the brainiacs at work.

  4. Hi, I've been having the same issue for a while, forgot which OpenID account I used to sign-up for Zooomr, and can't access it. Have you been able to resolve the issue? I tried sending Zooomr a support request but never got any reply..
