OpenID itself is just an authentication protocol. It takes OpenID extensions to get more information about the user like their name or email address. In fact there are two popular extensions that can provide this kind of information: Simple Registration (sreg) and Attribute Exchange (AX). A web site that wants to accept OpenID logins (this site is called a relying party, or “RP”) and also gather the user’s email address at the same time may do so, but unfortunately it is quite complicated to get the best user experience.
OpenID Providers (aka “OP”) can support either or both of these extensions. And while the sreg extension is straightforward and consistently implemented, AX is divided. Let me explain. If you want a user’s email address and you’re using the sreg extension, just ask for the value for “email”. Simple. But if you’re using AX, you have to ask for these three attributes:
- http://axschema.org/contact/email
- http://schema.openid.net/contact/email
- http://openid.net/schema/contact/email
Why on earth? Well, AX is extensible, so any attribute URI can be used to refer to some value that you want. Unfortunately, before AX was a finalized spec, several popular OPs picked up support for it and made up different ways of describing something as simple as the user’s email attribute. The very unfortunate thing is that once AX standardized on one Type URI form for the common attributes (the first one on my list above), many of these OPs didn’t bother to update their code to support the official attribute type URI.
What that means for RPs that can request authentication against arbitrary OPs is that they have to request all three of these attributes and then check for any of these three attributes to have values in the AX response. But that’s not all, of course…
Some OPs don’t support AX at all, so you also have to send an sreg extension request to fetch the email address, and an RP then has a total of four places in the response to check for an email address. Why not just use the unified sreg, you ask? Because Google doesn’t support sreg – only AX.
Oh, and Google will only give you an email address if the RP indicates that it is an AX “required” attribute. Google completely ignores attribute requests marked as “requested”.
And Yahoo! doesn’t support either sreg or AX extensions at all. They plan to, but as yet they don’t give out any user information to RPs.
So if you request email addresses via sreg and AX, and for AX you ask for the email in all three forms, and if you mark them as required, you have a pretty good chance of maybe getting a user’s email address.
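The recipe above at the protocol level, as an added example that is not from the original post or from any OpenID library: it builds the sreg and AX request parameters, then looks for the email in the four possible places in the response. The function names and the `email1` to `email3` aliases are made up, and it assumes the RP has already verified the assertion's signature; it goes one step beyond the text by reading only fields listed in `openid.signed` and by resolving the OP's extension aliases by namespace URI.

```python
SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL_TYPES = [  # the three type URIs listed above, official one first
    "http://axschema.org/contact/email",
    "http://schema.openid.net/contact/email",
    "http://openid.net/schema/contact/email",
]

def email_request_params():
    """Extension parameters to merge into the OpenID authentication request."""
    params = {
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.required": "email",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
    }
    aliases = []
    for i, uri in enumerate(AX_EMAIL_TYPES, 1):
        alias = f"email{i}"  # alias names are arbitrary; these are made up
        params[f"openid.ax.type.{alias}"] = uri
        aliases.append(alias)
    # Mark all three as required: some OPs ignore merely "requested" attributes.
    params["openid.ax.required"] = ",".join(aliases)
    return params

def extract_email(resp):
    """Return the email from a positive assertion, or None.
    Assumes the RP has already verified the assertion signature. Only fields
    listed in openid.signed are consulted, so an unsigned value is ignored.
    """
    signed = set(resp.get("openid.signed", "").split(","))
    trusted = {k: v for k, v in resp.items()
               if k.startswith("openid.") and k[len("openid."):] in signed}
    # The OP chooses its own aliases, so resolve extensions by namespace URI.
    ns = {v: k[len("openid.ns."):] for k, v in trusted.items()
          if k.startswith("openid.ns.")}
    ax, sreg = ns.get(AX_NS), ns.get(SREG_NS)
    if ax:
        prefix = f"openid.{ax}.type."
        types = {v: k[len(prefix):] for k, v in trusted.items()
                 if k.startswith(prefix)}
        for uri in AX_EMAIL_TYPES:
            alias = types.get(uri)
            for key in (f"openid.{ax}.value.{alias}", f"openid.{ax}.value.{alias}.1"):
                if alias and trusted.get(key):
                    return trusted[key]
    if sreg and trusted.get(f"openid.{sreg}.email"):
        return trusted[f"openid.{sreg}.email"]
    return None
```

The parameters are shown unencoded; the RP still URL-encodes them when building the redirect to the OP.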
OpenID is really cool. But retrieving attributes about a user is not. AX is a great spec, but very, very poorly adopted.