[OpenID] Claimed Identifiers and Query String Parameters

Martin Atkins mart at degeneration.co.uk
Wed Sep 3 07:22:15 UTC 2008


Joe Tele wrote:
> I'm looking for some insight regarding a relying party library I'm 
> integrating.  We are using the claimed identifier as a key in our 
> database to identify credentials for a user. However, it seems that some 
> sites have virtually infinite number of claimed identifiers for the same 
> OP Local Id. 
> 
> For example, with verisign a user may enter myopenid.pip.versignlabs.com 
> into our text box.  This is resolved to 
> http://myopenid.pip.verisignlabs.com/ as the claimed identifier and all 
> is well.  The user could also type in myopenid.pip.verisignlabs.com?a=1 
> which resolves to the claimed identifier 
> http://myopenid.pip.versignlabs.com?a=1 which corresponds to different 
> credentials for our database.  There is a very large number of urls 
> which seem to correspond to the same verisign user but which we map 
> to different users.  What have we done wrong?
> 

In this situation it's the responsibility of the OP to normalize the URL 
using redirects, so the RP needs to take no special action. It could be 
considered that PIP is at fault here, though some might consider 
this a feature in that the user can create many separate identifiers 
with a single account.

In practice, presumably users don't routinely type URLs with query 
strings by mistake.
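
An added illustration, not part of the original message or of any library mentioned in the thread: the sketch below applies the URL normalization steps from OpenID Authentication 2.0 section 7.2 (default scheme, fragment stripped, redirects followed, query string kept) to show why `?a=1` yields a separate database key unless the OP redirects it. The host `alice.op.example` and the redirect table are constructed placeholders; the table stands in for HTTP redirects an OP would issue.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for an OP that redirects query-string variants
# to one canonical URL (placeholder host, not a real provider).
CANONICALIZING_OP = {
    "http://alice.op.example/?a=1": "http://alice.op.example/",
}


def syntax_normalize(url):
    """Lowercase scheme and host, drop default port, use "/" for an empty path.

    The query string is kept because it is part of the identifier; the
    fragment is dropped. Userinfo is discarded in this sketch.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def claimed_identifier(user_input, redirects=None, max_hops=5):
    """Return the claimed identifier an RP would store for URL input.

    `redirects` maps a URL to its redirect target (simulated HTTP 3xx).
    XRI identifiers are out of scope here.
    """
    url = user_input.strip()
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    url = syntax_normalize(url)
    for _ in range(max_hops):
        target = (redirects or {}).get(url)
        if target is None:
            return url  # final destination: this is the database key
        url = syntax_normalize(target)
    raise ValueError("too many redirects while resolving identifier")


if __name__ == "__main__":
    for typed in ("alice.op.example", "alice.op.example?a=1"):
        print(typed, "->",
              "no redirect:", claimed_identifier(typed),
              "| OP redirects:", claimed_identifier(typed, CANONICALIZING_OP))
```
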




