You have the option to not send a full name, but the Claimed ID reveals it anyway
Bug #1034339 reported by
Stefano Palazzo
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical SSO provider |
New
|
Undecided
|
Unassigned | ||
Bug Description
If a user doesn't choose to provide the "Full Name" field, that name won't be sent to the relying party. However, I can still get the name by just doing an HTTP GET on the claimed ID. It'll say "OpenID Identity URL for Stefano Palazzo".
The UI implies that your name is not available to the relying party.
If you agree with my opinion, that this is a privacy bug, I can think of a few possible solutions:
- Add a little note, like (* your full name is not kept private)
- Disable the Checkbox
- If both are requested, add radio buttons to choose between full name and username.
| summary: |
- You have to option to not send a user name, full name, but the Claimed - ID URL reveals it anyway + You have the option to not send a full name, but the Claimed ID reveals + it anyway |
To post a comment you must log in.
