Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://cosocial.ca/users/timbray/statuses/111835182292293668">Tim Bray (timbray@cosocial.ca)'s status on Monday, 29-Jan-2024 05:24:45 JST</a><a href="https://cosocial.ca/@timbray" title="timbray@cosocial.ca"><img src="https://gnusocial.jp/avatar/111562-48-20230506032705.webp" width="48" height="48" alt="Tim Bray" style="position: absolute; left: 0; top: 0;">Tim Bray</a><div><a href="https://cosocial.ca/@timbray/111830890148431201" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://fedi.simonwillison.net/@simon">@simon</a> But hmm, the more I think about this, the less comfortable I get. When you do an OpenID Connect “sign in with X”, the ID Token you get has both an "email" and a "sub" field, and the real unique key is the combination of the ID Provider and the "sub" value, which in the case of Google survives an email change.  Some details here: <a href="https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens" rel="nofollow noreferrer">https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens</a> from when I was in the Google ID group.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2646490#notice-5245419">In conversation</a><time datetime="2024-01-29T05:24:45+09:00" title="Monday, 29-Jan-2024 05:24:45 JST">about a year ago</time> <span>from <span><a href="https://cosocial.ca/@timbray/111835182292293668" rel="external" title="Sent from cosocial.ca via ActivityPub">cosocial.ca</a></span></span><a href="https://cosocial.ca/@timbray/111835182292293668">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: www.tbray.org</div><h5><a href="https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens">On ID Tokens</a></h5><div></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Tim Bray (timbray@cosocial.ca)'s status on Monday, 29-Jan-2024 05:24:45 JSTTim Bray
in reply to
- Simon Willison
@simon But hmm, the more I think about this, the less comfortable I get. When you do an OpenID Connect “sign in with X”, the ID Token you get has both an "email" and a "sub" field, and the real unique key is the combination of the ID Provider and the "sub" value, which in the case of Google survives an email change. Some details here: https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens from when I was in the Google ID group.
In conversationabout a year ago from cosocial.capermalink
Attachments
1. Domain not in remote thumbnail source whitelist: www.tbray.org
  On ID Tokens

Public

Embed Notice

HTML Code

Corresponding Notice