OpenID login uses Given Identity instead of Claimed Identity

Long ago, in a month now far far away...

I logged in using my OpenID in order to check out IntenseDebate. After a long time, I've returned (due in thanks to all the news that Automattic took over) and realized this issue.

When logging in, I log in as vxjasonxv.com . This is a delegated Identity and I leverage vxjasonxv.myopenid.com ( and thus, MyOpenID ) for all the the verification and magic that I don't care to host for myself.

If ever I decide that I no longer wish to continue using MyOpenID, and delegate my identity elsewhere, I will be locked out, because vxjasonxv.com will no longer delegate to vxjasonxv.myopenid.com

I've thought about changing my openid in my profile to vxjasonxv.com , but I fear that I would lock myself out, and I'd rather someone know what's going on first :), and make sure if I change something, I don't disappear for a long time.

At any rate... vxjasonxv.myopenid.com should have no relevance to my profile whatsoever, it is used for verification (I am who I claim I am). My OpenID is the one I claimed, that I filled into the login form, and that is vxjasonxv.com

As an aside, fixing this would also be a perfect time to implement multiple identity support ;).

I’m concerned, but not panicing

Inappropriate?

Reply to this problem

2 people have this problem

I have this problem, too! Tell me when someone solves it.
The more people who report this problem, the more it gets noticed.

Create a customer community for your own organization

Plans starting at $19/month

EMPLOYEE

Remove Inappropriate?
Delete or Edit

Michael Koenig, Official Rep, replied on October 13, 2008 22:24

I apologize for the delay. You can change your OpenID in your account profile at http://IntenseDebate.com with no issues. To access this page please select the "edit profile" tab after logging in.

Please let me know if you run into any issues doing this and I'm more than happy to help.

Again, I apologize for the delay and appreciate your patience.

Michael

this solves the problem

2 Comments Add a comment This solves the problem Mark as a company solution
Remove
Jason commented on October 14, 2008 00:16

And, that's exactly what I afraid of... I changed my OpenID and, now I can't log in!

I changed my OpenID from http://vxjasonxv.myopenid.com to http://vxjasonxv.com

In order to test, I logged out, and logged back in using OpenID, entered vxjasonxv.com , and what happens?

"Oops
It seems you don't have an account yet. You need to signup first.
Go to the home page"

Please don't take this offensively, but please re-read what I said. It had nothing to do with my OpenID being entered incorrectly, and it had everything to do with ID's non-compliance of the OpenID spec. See Sections 3.1 and 3.2

There's probably more in the 4's somewhere, but this is a spec problem.
Remove
Michael Koenig, (Official Rep), commented on October 15, 2008 02:38

Jason, this redirects properly for me. Where are you trying to login from?
Remove Inappropriate?
Delete or Edit

Jason replied on November 13, 2008 19:02

I tend to chastise people who file a bug report and never follow up with it. Especially if it's with a technology they use often, or talk about often.
And now look at me, not practicing what I preach. *sigh*

I'm not entire sure of how to treat your last answer Michael, so I'm going to do my best to be as detailed as possible with the problem again.

My actual OpenID, the one I actually log in with, mine, is vxjasonxv.com
That is my domain, that is my OpenID.
I don't host my own OpenID services, I believe whole heartedly in the portability of OpenID. Thus I use MyOpenID's Identity Provider services.

So, vxjasonxv.com is delegated to vxjasonxv.myopenid.com

What this means in the spec is that I claim vxjasonxv.com as my identity (I *LOG IN USING* vxjasonxv.com, e.g. to IntenseDebate).
When your OpenID login script does it work, it looks at vxjasonxv.com and determines that I delegate it out to vxjasonxv.myopenid.com

So, your library asks www.myopenid.com/server if I actually do own vxjasonxv.myopenid.com

MyOpenID talks to me via my browser, and I engage in my secret packet handshake with the server. Then, MyOpenID tells you (/ your login script) that I am who I say I am.

Your login script should then log me in using vxjasonxv.com

Now let's cycle back to what the problem was before.
Previously, I would login to your site as vxjasonxv.com , and that would work. But when I would look at my profile, my OpenID was listed as "vxjasonxv.myopenid.com".
This is WRONG.
vxjasonxv.myopenid.com has nothing to do with me, except for the fact that you use it to authenticate me using it. At that time you should be done with that ID, never using it until I go log in again.

At your suggestion, your first response to my question, I changed that ID in my profile from vxjasonxv.myopenid.com to vxjasonxv.com

And now I can't log in using vxjasonxv.com

I probably have a password, I don't know what it is. I could "recover my password", but I'm not going to. My point in all this is that you're NOT following OpenID specifications. And that is a problem, and the reason why I reported this problem in the first place.

This is a development problem, and it really should be fixed in my opinion if you intend to support OpenID. (And I really hope you will continue to do so.)

That's about how detailed I can make it.
This isn't a "something is wrong with my account" problem. This is a "things are not programmed properly and should probably be fixed" problem.

I’m tired of repeating myself.

this solves the problem

Add a comment This solves the problem
Remove Inappropriate?
Delete or Edit

Patrickometry replied on December 06, 2008 15:18

I am having this same problem. I delegated my OpenID and changed my Intense Debate profile to reflect that. Now i can't Log In. Ugh. This is so frustrating.

I’m frustrated

this solves the problem

Add a comment This solves the problem