Account Association Security Threats for Google Single Sign-On - mikesun
http://blog.idonethis.com/post/31859424118/openid-security

======
stickfigure
TL;DR: Be conscious of who you trust. OpenID AX attributes may give you an
email address, but this creates two potential issues:

* Can you be sure that the attribute has not been tampered with in transit? Check the signature (or make sure your library is checking the signature).

* Can you trust the OpenID provider to give you a correct and verified email address? Maybe if that provider is Google. Anyone else, probably not.

I prefer Mozilla Persona's approach to this problem; your identity effectively
_is_ an email address. It's also trivial to integrate.

~~~
mikesun
You're exactly right, stickfigure.

* You have to make sure the attributes are properly signed by the OpenID provider, which is what the security advisories by Google and the OpenID Foundation were about.

* You can't trust any OpenID provider to give you a correct and verified email address. For the specific case of Google single sign-on, you can trust the Google OpenID provider.
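The "properly signed" point above is concrete: in OpenID 2.0 the provider lists the signed fields in `openid.signed`, and an AX email that is not in that list can be changed in transit without invalidating the signature. The following is an added example (not code from the thread or from any OpenID library) that checks this; it assumes the HMAC over the signed fields has already been verified by the library, and uses a constructed response with placeholder values.

```python
from urllib.parse import parse_qs

AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL_TYPE = "http://axschema.org/contact/email"

# Constructed OpenID 2.0 positive assertion (query-string form) carrying an AX
# email. openid.sig is a placeholder; HMAC verification of the signed fields is
# assumed to have been done by the OpenID library before this check runs.
SIGNED_RESPONSE = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res"
    "&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
    "&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
    "&openid.ext1.value.email=alice%40example.com"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"
    "&openid.sig=PLACEHOLDER"
)
# Variant 1: the whole AX block is outside openid.signed.
UNSIGNED_AX_RESPONSE = SIGNED_RESPONSE.replace(
    ",ns.ext1,ext1.mode,ext1.type.email,ext1.value.email", "")
# Variant 2: only the email value itself is left unsigned.
UNSIGNED_VALUE_RESPONSE = SIGNED_RESPONSE.replace(",ext1.value.email", "")


def signed_ax_email(query_string):
    """Return the AX email only if every field that carries it is signed."""
    p = {k: v[0] for k, v in
         parse_qs(query_string, keep_blank_values=True).items()}
    signed = set(p.get("openid.signed", "").split(","))
    # The provider chooses the alias for the AX namespace; find it.
    aliases = [k[len("openid.ns."):] for k, v in p.items()
               if k.startswith("openid.ns.") and v == AX_NS]
    # The namespace binding itself must be signed, or an attacker could
    # re-point an unsigned alias at attributes of their own choosing.
    if len(aliases) != 1 or f"ns.{aliases[0]}" not in signed:
        return None
    alias = aliases[0]
    prefix = f"openid.{alias}.type."
    for key, val in p.items():
        if key.startswith(prefix) and val == AX_EMAIL_TYPE:
            name = key[len(prefix):]
            needed = {f"{alias}.type.{name}", f"{alias}.value.{name}"}
            if needed <= signed:  # both the type and the value are signed
                return p.get(f"openid.{alias}.value.{name}")
            return None  # email attribute present but not under the signature
    return None
```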
