When authenticating to any site (including stackoverflow) with AOL OpenID, you can specify any fake username on the form, then enter a valid AOL username / password on the AOL OpenID site, and the target website (e.g. stackoverflow) will say that authentication was successful, but with the username FAKE.
My question is: is this how OpenID should work, or is AOL doing something wrong, or am I just not understanding what is going on?
I came across this in my own project, and after several hours of debugging I decided to see if I could reproduce it on a well-established site.
I went to stackoverflow, hit enter, clicked on the AOL logo, and entered the name asdf as the username. This led me to the AOL OpenID website, where I entered my true AOL username / password. Then I returned to stackoverflow, which said:
Confirm OpenID This OpenID does not have an account on Qaru yet: http://openid.aol.com/asdf Create New Account
I clicked "Create" and now you have "http://openid.aol.com/asdf" in stackoverflow (sorry! I tried to delete it, but don't see how).
This is not true ... and in my application, it means that the identifier that I use for my users may be inaccurate / valid ... maybe someone unscrupulous could even come in, enter the AOL OpenID username / URL in the login field, authenticate using the AOL username / password and then access another account on the target website?
On OpenID vendor sites that return a unique identifier such as Google or Yahoo, this does not seem to be a problem.
Thanks for any suggestions ... it's driving me crazy in my development efforts ...