Problems with OpenID?
FactoryJoe.com has a great article about Problems with OpenID on Highrise that outlines some of the major issues with how OpenID can be implemented. There are quite a few straightforward issues, such as assuming the person registering owns the provided OpenID URL even without authenticating it, or not giving user friendly feedback that can save a lot of headaches when they should have the knowledge about the error to do so. For a company that wrote the book on user interfaces (no really, Defensive Design for the Web: How to improve error messages, help, forms, and other crisis points was by 37 Signals) I’d expect a little more refinement in the errors. OpenID is new ground though, and if their product is feature ready might as well launch now and clean up the details later. Hopefully though some of the problems listed in FactoryJoe’s article are still in need of solutions.
For instance, if I sign on to a site with my OpenID as “adamfortuna.com”, chances are that site translates that into “http://adamfortuna.com” or even “http://adamfortuna.com/”. Those are all about the same, although they are different URIs. This is the approach the current ColdFusion OpenID library uses, and seems to work out. The user at all three of those addresses is treated the same, but I always wonder if there’s some weird case when the trailing slash is the difference between users and because of it someone could be granted access to the wrong account.
If you enjoyed this post, please consider to leave a comment or subscribe to the feed and get future articles delivered to your feed reader.
Comments
Hmm it wouldn’t even have to be the provider though unfortunately. It would be the server doing the delegating, so on my site I could technically control what happens to those two URLs, and make one point to an OpenID server, while the other doesn’t. This is really an edge case, but changing URLs that are entered by the user just seems wrong somehow. I wonder if it’d be better to have a form like:
http:// [input text box here] /
To make it absolutely clear to the user what’s going on. If they still mess things up at least it’s at their own choosing.
Of course on cases when there’s no trailing slash, which i suppose could be made clickable to show/hide it. Seems like overkill though, probably just overthinking things. 
[...] was going through my feeds this morning on Tallyhoh and I came across Adam Fortuna’s post on Problems with OpenID?. He was discussing a post done over at Factory City a site I hadn’t seen before. His article, [...]
I don’t think the trailing slash difference will cause problems when there is no path. When normalizing a URL it is assumed that if the path is missing (eg http://example.com) is is by default “/”.
The problem alot of implementation have is they assume http://www.example.com/user and http://www.example.com/user/ are the same, when the RFC says those are completely different URIs.
If the OpenID consumer treats two URLs the same, but the provider treats them as different and allows two users to sign up at each URL, then I wonder if that would open things up for abuse?