by user5994461 2900 days ago
Because otherwise anyone could make an authentication provider that's authenticating as you@gmail.com and assume your identity.

Remember that the goal is to delegate authentication, user profile and/or user creation. It's implicitly trusting everything coming from the third party. For instance, when supporting Google login, it's expected that Google only validates user accounts that really exist and are hosted by Google.


Well, no, it would only accept IDs of the format *@yoursite.com for the provider yoursite.com (or the provider yoursite.com has delegated to).
Authentication cannot be bound to any email or format.

For instance, when using Google authentication, the user and the email can be anything, because Google Apps supports custom domains for paying customers.

If you want to rely on emails, just use emails.

For instance, when using Google authentication, the user and the email can be anything, because Google Apps supports custom domains for paying customers.

That's what delegation is for.
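The check the thread is arguing about, written out as an added example (it is not code from the thread or from any provider): a relying party that only accepts an asserted identifier when the issuer is authoritative for that identifier's domain, either directly or through an explicit delegation record (the custom-domain case). The issuer URLs, domains and delegation entries are constructed for illustration; the assertion's signature is assumed to have been verified before this step.

```python
"""Relying-party check that an identity assertion is bound to its issuer.

Added example, not from the thread. Issuer URLs, domains and delegation
records are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed: issuers this relying party trusts, mapped to the e-mail
# domains each one is authoritative for.
TRUSTED_ISSUERS = {
    "https://login.yoursite.example": {"yoursite.example"},
    "https://accounts.idp.example": {"idp.example"},
}

# Constructed: custom domains that have delegated authentication to an
# issuer (the "paying customer with a custom domain" case). In a real
# deployment this comes from discovery/DNS, not a literal.
DELEGATIONS = {
    "customer.example": "https://accounts.idp.example",
}


@dataclass(frozen=True)
class Assertion:
    issuer: str            # who returned the assertion (signature assumed already checked)
    email: str             # the identifier the issuer is asserting
    email_verified: bool   # whether the issuer claims it verified ownership


def authoritative_domains(issuer: str) -> set[str]:
    """Domains a trusted issuer may assert identities for: its own plus delegated ones."""
    if issuer not in TRUSTED_ISSUERS:
        return set()
    own = set(TRUSTED_ISSUERS[issuer])
    delegated = {d for d, target in DELEGATIONS.items() if target == issuer}
    return own | delegated


def validate(assertion: Assertion) -> tuple[bool, str]:
    """Return (accepted, reason-or-canonical-identity).

    Rejects any identifier whose domain the issuer is not authoritative for,
    so a third-party provider cannot assert you@gmail.com on Google's behalf.
    """
    if assertion.issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if not assertion.email_verified:
        return False, "issuer did not verify the address"
    local, sep, domain = assertion.email.rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed identifier"
    domain = domain.lower()
    if domain not in authoritative_domains(assertion.issuer):
        return False, f"issuer is not authoritative for {domain}"
    return True, f"{local}@{domain}"


if __name__ == "__main__":
    samples = [
        Assertion("https://login.yoursite.example", "alice@yoursite.example", True),
        Assertion("https://login.yoursite.example", "you@gmail.com", True),
        Assertion("https://accounts.idp.example", "bob@customer.example", True),
        Assertion("https://evil.example", "alice@yoursite.example", True),
    ]
    for s in samples:
        print(s.issuer, s.email, "->", validate(s))
```

The delegation map is what makes the "custom domain" objection work without opening the door to impersonation: the relying party still decides which domains each issuer may speak for, it just lets that set include domains the customer explicitly delegated.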