Martin Atkins: Yahoo!'s OP and now it seems Microsoft’s OP both ignore the value of openid.identity provided to them, and just return an assertion for whatever user’s logged in.
I may ultimately need to black-list such ids.
Looking at live.com instructions:
At any Web site that supports OpenID 2.0, type
openid.live-INT.comin the OpenID login box to sign in to that site by means of your Windows Live ID OpenID alias.
If everybody uses the same URI, I can’t tell them apart. That doesn’t concern me much, but do find it a bit distressing that that’s the recommended usage.
What concerns me is that people may use such a URI for delegation. If Jorgen, for example, were to add such a generic URI as his
openid.delegate link, then anybody who has a windows live id could authenticate using his blog URI.
What concerns me more is if somebody follows these instructions for delegation. Then anybody with a Windows Live id could authenticate using his blog.
I note that Jorgen left a comment on Martin’s blog using http://openid.live-int.com/jt. As long as that URI is uniquely his, and can’t be used by anybody else, that’s fine.