[OpenID] Impact of changing realm at openid.net

Manger, James H James.H.Manger at team.telstra.com
Mon Dec 8 00:20:39 UTC 2008


The "openid.realm" for logging in to openid.net has changed from
  https://openid.net/foundation/members/
to
  https://*.openid.net/

The new realm is a better choice, but the change will have affected some logins. For instance, the OpenID identifier for one candidate in the current board election is
  www.google.com/accounts/o8/id?id=AItOawnx6pLu7zmyzpia...M1C2L-00

I assume this candidate can no longer log in to openid.net. The Google OP issues a different identifier for a user for each different realm value.

This specific change probably only adversely affects a handful of people (it sounds like the OpenID Foundation has a small number of members and the Google OP has been running for a short time). This issue will be really serious for other RPs, however, as OpenID grows.


I suspect the initial realm was probably chosen accidentally, with the software using whichever URL it was deployed at.

Prominent advice on choosing a realm value that will be stable over time would be helpful. This could be a work item for OpenID 2.1 <http://wiki.openid.net/Working_Groups:Auth_2.1>.

Checking/changing/documenting how OpenID libraries choose the realm would help.

Any data from current OPs on the sort of realms being used in practice (so we can judge how stable they are likely to be) would be interesting.


James Manger
James.H.Manger at team.telstra.com
Identity and security team — Chief Technology Office — Telstra
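
The failure described in the message above, as an added example that is not part of the original post: the return_to URL still matches the new realm, so the login completes, but the per-realm identifier no longer matches the stored account. Assumptions: the HMAC derivation is a hypothetical stand-in (the post does not say how the Google OP derives identifiers), and `op.example`, the return_to URL, the account name and the secret are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

OP_SECRET = b"constructed-op-secret"  # constructed; a real OP keeps this private
DEFAULT_PORTS = {"http": 80, "https": 443}
OLD_REALM = "https://openid.net/foundation/members/"
NEW_REALM = "https://*.openid.net/"
RETURN_TO = "https://openid.net/foundation/members/return"  # constructed


def _parts(url):
    """Split a URL or realm into (scheme, host, port, path), dropping any '*.'."""
    u = urlsplit(url.replace("://*.", "://", 1))
    return u.scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme), u.path or "/"


def return_to_matches_realm(return_to, realm):
    """Realm matching as described in OpenID Authentication 2.0, section 9.2."""
    r_scheme, r_host, r_port, r_path = _parts(realm)
    u_scheme, u_host, u_port, u_path = _parts(return_to)
    if (u_scheme, u_port) != (r_scheme, r_port):
        return False
    if "://*." in realm:  # wildcard realm: same domain or any subdomain
        host_ok = u_host == r_host or u_host.endswith("." + r_host)
    else:
        host_ok = u_host == r_host
    r_dir = r_path if r_path.endswith("/") else r_path + "/"
    return host_ok and (u_path == r_path or u_path.startswith(r_dir))


def pairwise_identifier(local_account, realm):
    """Hypothetical OP-side derivation: one opaque identifier per (account, realm)."""
    msg = f"{realm}\n{local_account}".encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()
    return "https://op.example/id?id=" + tag[:32]


def simulate_realm_change(old_realm, new_realm, return_to, local_account):
    """Return (return_to valid under new realm, identifier unchanged, account found)."""
    old_id = pairwise_identifier(local_account, old_realm)
    members = {old_id: "member-1"}  # RP account table keyed on the identifier
    new_id = pairwise_identifier(local_account, new_realm)
    return (return_to_matches_realm(return_to, new_realm),
            new_id == old_id,
            members.get(new_id))


if __name__ == "__main__":
    print(simulate_realm_change(OLD_REALM, NEW_REALM, RETURN_TO, "alice"))
```

Nothing fails at the protocol level here; the RP simply receives a valid assertion for an identifier it has never seen, which is why a realm change needs an account migration plan on the RP side.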

