* You have to make sure the attributes are properly signed by the OpenID provider which is what the security advisories by Google and OpenID foundation were about.
* You can't trust any OpenID provider to give you a correct and verified email address. For the specific case of Google single sign-on, you can trust the Google OpenID provider.
2 comments
[ 3.2 ms ] story [ 15.3 ms ] thread* Can you be sure that the attribute has not been tampered with in transit? Check the signature (or make sure your library is checking the signature).
* Can you trust the OpenID provider to give you a correct and verified email address? Maybe if that provider is Google. Anyone else, probably not.
I prefer Mozilla Persona's approach to this problem; your identity effectively is an email address. It's also trivial to integrate.
* You have to make sure the attributes are properly signed by the OpenID provider which is what the security advisories by Google and OpenID foundation were about.
* You can't trust any OpenID provider to give you a correct and verified email address. For the specific case of Google single sign-on, you can trust the Google OpenID provider.