When authenticating to any site (including stackoverflow) with an AOL OpenID, it appears that you can specify any fake username in the form, then enter a valid AOL username/password on the AOL OpenID site, and the target web site (e.g. stackoverflow) will be told that authentication succeeded, but with the FAKE username.
My question is, is this the way OpenID is supposed to work, or is AOL doing something wrong, or am I just misunderstanding what's going on?
I came across this on my own project, and after hours of debugging, decided to see if I could reproduce it on a well established site.
I went to stackoverflow, clicked "log in", clicked the AOL logo, and entered "asdf" as the username. It took me to the AOL OpenID site, where I entered my true AOL username/password. I was then returned to stackoverflow, which said:
Confirm OpenID
This OpenID does not have an account on Stack Overflow yet:
http://openid.aol.com/asdf
Create New Account
I clicked "Create" and there's now an "http://openid.aol.com/asdf" account on stackoverflow (sorry! I tried to delete it but don't see how).
This doesn't seem right... and in my app, it means that the identifier I'm using for my users may not be accurate/valid... it might even be possible for someone unscrupulous to come along, enter someone elses AOL OpenID username/URL into a login box, authenticate with a valid AOL username/password, and then gain access to the other account on the target web site?
On OpenID provider sites that return a unique identifier, like Google or Yahoo, this doesn't seem to be an issue.
Thanks for any suggestions... this is driving me crazy on my development effort...