[OpenID] OpenID provider with gibberish identity URLs to avoidnickname change issues

Nat Sakimura n-sakimura at nri.co.jp
Tue May 29 18:19:03 UTC 2007 

Yes. 

Perhaps looking at the following dump would help you. (Note, I have changed
canonicalID to a bogus one. )

auth_openid_successresponse Object
(
    [status] => success
    [endpoint] => auth_openid_serviceendpoint Object
        (
            [identity_url] => =nat
            [server_url] => https://linksafe.ezibroker.net/server/
            [type_uris] => Array
                (
                    [0] => http://openid.net/signon/1.0
                )

            [delegate] => 
            [canonicalID] => xri://=!E18C.3B56.9999.9999
            [used_yadis] => 1
        )

    [identity_url] => =nat
    [signed_args] => Array
        (
            [openid.identity] => xri://=!E18C.3B56.9999.9999
            [openid.return_to] =>
http://www.sakimura.org:80/openid/examples/consumer/finish_auth.php?nonce=g5
U4Uv9b
            [openid.mode] => id_res
            [openid.sreg.nickname] => Nat
            [openid.sreg.email] => n-sakimura at nri.co.jp
        )

)

Nat 

> -----Original Message-----
> From: ydnar [mailto:ydnar at shaderlab.com] 
> Sent: Wednesday, May 30, 2007 3:09 AM
> To: 崎村 夏彦
> Cc: 'Chris Messina'; 'Stuart Bishop'; general at openid.net
> Subject: Re: [OpenID] OpenID provider with gibberish identity 
> URLs to avoidnickname change issues
> 
> Pardon if this is a naive question...
> 
> Can an OP return a different URL than the URL asserted by the 
> user in  
> the openid.identity field? For example:
> 
> User asserts: http://ydnar.vox.com/
> OP returns:   http://openid.vox.com/6pNNNNNNNNNNNN
> 
> Would the latter be stored in the client as the actual URL? 
> Would the  
> login fail if the OP returned a different URL? I saw this 
> earlier post:
> 
> <http://openid.net/pipermail/specs/2007-May/001644.html>
> 
> Randy
> 
> 
> 
> On May 29, 2007, at 10:39 AM, Nat Sakimura wrote:
> 
> > Well, I guess the issue here is "How to turn an existing 
> app with user
> > management capability to an OpenID provider. " Changeable nickname  
> > is common
> > in CMS such as Xoops so this is a problem worth contemplating...  
> > Actually,
> > having almost completed the OpenID consumer module for 
> Xoops now, I  
> > was
> > starting to think about it, too.
> >
> > IMHO, there is no easy solution, but I would be tempted to use  
> > something
> > like http://example.com/<nickname>.<uid>, where <uid> is 
> the system  
> > user ID,
> > which is usually a unique number.
> > The other solution is to user http://example.com/<uid> as 
> canonical  
> > ID, but
> > I was wondering if all RP are implemented to use canonical ID  
> > instead of
> > identity URL when available. If they are, the later is more  
> > preferable, I
> > think.
> >
> > Nat
> >
> >> -----Original Message-----
> >> From: general-bounces at openid.net
> >> [mailto:general-bounces at openid.net] On Behalf Of Chris Messina
> >> Sent: Wednesday, May 30, 2007 2:28 AM
> >> To: Stuart Bishop
> >> Cc: general at openid.net
> >> Subject: Re: [OpenID] OpenID provider with gibberish identity
> >> URLs to avoidnickname change issues
> >>
> >> I may be wrong, but it seems overly complex and redundant. What if
> >> someone set their nickname to one of the opaque keys? 
> While I applaud
> >> the notion of allowing for changeable nicknames, I'm not sure that
> >> it's necessary to bind the person's URL to their 
> respective nickname.
> >> Instead, it might just be better to accept that there is a limited
> >> number of nicknames on your system and that folks can do 
> what they do
> >> everywhere and simply find a nickname that's available, 
> knowing that
> >> their preferred nick might not be available.
> >>
> >> I'd say keep it simple -- as we've discussed before, the issue of
> >> passing on OpenIDs becomes an issue if people can recycle or claim
> >> previously used nicknames... I'm not sure what 
> ramifications exist  
> >> for
> >> redirects -- since that's technically not delegation -- and I'd be
> >> interested to hear what folks more familiar with the protocol says
> >> about this.
> >>
> >> Chris
> >>
> >> On 5/28/07, Stuart Bishop <stuart at stuartbishop.net> wrote:
> >>>
> >>> I am working on turning a webapp into an OpenID provider. 
> One if the
> >>> features of the webapp is that the user's nicknames are
> >> changable. We would
> >>> like nickname changes to not affect other applications we
> >> need to integrate
> >>> with, so wish to use an unchanging opaque identifier
> >> instead of the user's
> >>> nickname.
> >>>
> >>> So we are thinking of having
> >> https://openid.example.com/<nickname> issue a
> >>> temporary redirect to
> >> https://openid.example.com/<opaquekey>. This way users
> >>> can use the nicer, more memorable URL but name changes will
> >> not affect the
> >>> systems we are integrating with.
> >>>
> >>> Can anyone see problems with this approach? The only issue
> >> I'm aware of is
> >>> that the identity URL will look like gibberish on sites
> >> that choose to
> >>> display it.
> >>>
> >>> I am also toying with the idea of instead of having a
> >> single identity url,
> >>> instead generating a unique opaque identity URL for every
> >> trust root using a
> >>> hash. Combined with the above, users should be able to
> >> enter their memorable
> >>> identity, but every consumer would get a different opaque
> >> identity url
> >>> making it impossible to correlate data across sites.
> >>>
> >>> Does this sound like a sane idea?
> >>>
> >>> --
> >>> Stuart Bishop <stuart at stuartbishop.net>
> >>> http://www.stuartbishop.net/
> >>>
> >>>
> >>> _______________________________________________
> >>> general mailing list
> >>> general at openid.net
> >>> http://openid.net/mailman/listinfo/general
> >>>
> >>>
> >>>
> >>
> >>
> >> -- 
> >> Chris Messina
> >> Citizen Provocateur &
> >>   Open Source Advocate-at-Large
> >> Work: http://citizenagency.com
> >> Blog: http://factoryjoe.com/blog
> >> Cell: 412 225-1051
> >> Skype: factoryjoe
> >> This email is:   [ ] bloggable    [X] ask first   [ ] private
> >> _______________________________________________
> >> general mailing list
> >> general at openid.net
> >> http://openid.net/mailman/listinfo/general
> >>
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
>

More information about the general mailing list