2 comments

[ 3.2 ms ] story [ 15.3 ms ] thread
TL;DR: Be conscious of who you trust. OpenID AX attributes may give you an email address, but this creates two potential issues:

* Can you be sure that the attribute has not been tampered with in transit? Check the signature (or make sure your library is checking the signature).

* Can you trust the OpenID provider to give you a correct and verified email address? Maybe if that provider is Google. Anyone else, probably not.

I prefer Mozilla Persona's approach to this problem; your identity effectively is an email address. It's also trivial to integrate.

You're exactly right stickfigure.

* You have to make sure the attributes are properly signed by the OpenID provider which is what the security advisories by Google and OpenID foundation were about.

* You can't trust any OpenID provider to give you a correct and verified email address. For the specific case of Google single sign-on, you can trust the Google OpenID provider.