Consumer site requesting OpenID auth isn't identified

Open jcflack opened this issue 10 years ago • 0 comments

I configured an OpenID based on IndieAuth just as described in the 15 September 2013 announcement, and then I tested it by logging into stackoverflow.com (also just as the announcement suggested). It worked, but IndieAuth's provider-selection page didn't tell me I was signing in to stackoverflow.com - it said "Sign in to /openid/complete" at the top. Down at the bottom that also appeared, as in "You will be redirected to /openid/complete to finish logging in to the site."

I later tried it with my own web site that I was setting up to accept OpenID logins, and when I try to log in there, I get the same IndieAuth page and the same "Sign in to /openid/complete" and "You will be redirected to /openid/complete...."

In other words, what's showing up here is a constant string from somewhere; it is no use to the person authenticating to find out what site is asking for the authentication.

(Of a little more concern, it also makes all requesting sites look the same; I haven't delved into the protocol deeply enough to see what mischief could be made of that.)

Obviously, the real redirect URL to the requesting site is available in the code somewhere, since the visitor eventually gets redirected successfully back there after being authenticated. It just seems as if what is being displayed on the select-a-provider page is the wrong thing.

I can't be sure whether this is related to #14, which wanted the requesting site to be identified and was closed saying identification will now be shown if the requesting site sends a client_id in the request. Maybe that's good? But if that's what that meant, then clearly there are still OpenID consumers out there that do not send a client_id, and I would still rather see at least the real redirect URL to identify them, rather than a constant string.

jcflack, Sep 15 '14 06:09
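
One way a provider could choose the name shown after "Sign in to" so that it identifies the requesting site, as an added example that is not IndieAuth.com's own code. The helper names, the `redirect_uri` parameter name and the sample URLs are assumptions made for illustration; only `client_id` is named in the issue.

```ruby
require "uri"

# Hypothetical helper: return the lowercased host of an absolute http(s) URL,
# or nil for anything else (relative paths such as "/openid/complete",
# other schemes, blank or unparsable values).
def site_host(value)
  return nil if value.nil? || value.strip.empty?
  uri = URI.parse(value.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
  uri.host.downcase
rescue URI::InvalidURIError
  nil
end

# Hypothetical helper: decide what the sign-in page should display.
# Returns [label, source]; label is nil when nothing identifies the requester,
# so the page can say so instead of printing a constant string.
def requesting_site_label(client_id: nil, redirect_uri: nil)
  client   = site_host(client_id)
  redirect = site_host(redirect_uri)

  if client && redirect
    return [client, :client_id] if client == redirect
    # Hosts differ: show both so the person authenticating can see it.
    return ["#{client} (redirects to #{redirect})", :mismatch]
  end
  return [client, :client_id] if client
  # No client_id sent: fall back to the host of the real redirect URL,
  # never to its path, which looks the same for every requesting site.
  return [redirect, :redirect_uri] if redirect
  [nil, :unidentified]
end

# Constructed sample requests (not taken from the issue).
if __FILE__ == $PROGRAM_NAME
  [
    { redirect_uri: "https://consumer.example/openid/complete" },
    { redirect_uri: "/openid/complete" },
    { client_id: "https://app.example/", redirect_uri: "https://other.example/cb" }
  ].each { |req| p requesting_site_label(**req) }
end
```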