5

I'm implementing OpenID authentication for a website and I want to get the email address of the user. All email addresses from our users are veryfied through the usual hash link mail.

Now, generally email addresses returned by OpenID providers through SimpleRegistration or AttributeExchange are not "trustworthy" because anyone can run a provider and add an identity with any email address he likes. But can you be sure, the addresses returned by the Google or Yahoo providers (or maybe other big ones) only return already verified gmail.com/yahoo.com addresses, such I can skip the to-activate-click-the-hash-link procedure for these providers?

hupf
  • 604
  • 1
  • 6
  • 10
  • Why do you need to verify the email beyond what the OpenID provider is sending you? Since the user's login is tied to the provider you shouldn't need to verify it too harshly. If you are concerned you could always ask the user to confirm that address visually when they link the ID. – Frazell Thomas Apr 12 '11 at 17:47
  • 1
    I want to be sure that a user _owns_ the email address connected to his OpenID identity. Normaly every website does this by sending a mail and the user clicks on the contained link with a hash. With OpenID I can not be sure the addresses are verified this way, since anyone can run a provider and create identities that use any email address (e.g. yours)... many providers do verify the user's email, the question is which ones? If I could skip the verification procedure at least for the most important providers, that would be nice... – hupf Apr 12 '11 at 22:27

1 Answers1

2

Yes, in both cases the email addresses corresopnde to the verified addresses by Yahoo and Google. Here are the sources confirming it.

Jj.
  • 3,160
  • 25
  • 31
  • I think those sources are a bit vague. Quoting Yahoo: *"Sites that require verified email addresses can use Yahoo! OpenID to quickly authenticate Yahoo! users and verify their email addresses, without having to force users through the clunky manual email verification process"*, which doesn't explicitly confirm that email addresses are verified? And as of today, year 2013, I didn't find any mentioning of email addresses being verified on the Google page. – KajMagnus Dec 18 '13 at 23:22