[OpenID] Claimed Identifiers and Query String Parameters
Peter Williams
pwilliams at rapattoni.com
Wed Sep 3 15:16:02 UTC 2008
Autofill services will learn any url, of course, and type it endlessly.
-----Original Message-----
From: Martin Atkins <mart at degeneration.co.uk>
Sent: Wednesday, September 03, 2008 12:22 AM
To: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Claimed Identifiers and Query String Parameters
Joe Tele wrote:
> I'm looking for some insight regarding a relying party library I'm
> integrating. We are using the claimed identifier as a key in our
> database to identify credentials for a user. However, it seems that some
> sites have virtually infinite number of claimed identifiers for the same
> OP Local Id.
>
> For example, with verisign a user may enter myopenid.pip.versignlabs.com
> into our text box. This is resolved to
> http://myopenid.pip.verisignlabs.com/ as the claimed identifier and all
> is well. The user could also type in myopenid.pip.verisignlabs.com?a=1
> which resolves to the claimed identifier
> http://myopenid.pip.versignlabs.com?a=1 which corresponds to different
> credentials for our database. There is a very large number of urls
> which seem to correspond to the same verisign user but which we map
> to different users. What have we done wrong?
>
In this situation it's the responsibility of the OP to normalize the URL
using redirects, so the RP needs to take no special action. It could be
considered that PIP is at fault here, though some might consider
this a feature in that the user can create many separate identifiers
with a single account.
In practice, presumably users don't routinely type URLs with query
strings by mistake.
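
The behaviour discussed in this thread, as an added example that is not part of the original messages or of any OpenID library: under OpenID 2.0 normalization the relying party keeps the query string, drops the fragment, and records the final post-redirect URL as the claimed identifier, so whether `?a=1` becomes a separate database key depends on the OP's redirects. The host `alice.op.example`, the function names and the two simulated OP redirect policies are assumptions; only the URL branch of normalization is shown (no XRI handling, no real HTTP requests).

```python
from urllib.parse import urlsplit, urlunsplit

def normalize(user_input):
    """URL branch of OpenID 2.0 input normalization (simplified):
    add http:// if no scheme, drop the fragment, lowercase scheme and
    host, use "/" for an empty path. The query string is preserved."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       p.path or "/", p.query, ""))

def claimed_identifier(user_input, op_redirect, max_hops=5):
    """Follow the OP's redirects (simulated by op_redirect) and return the
    final URL, which is what the RP must store as the claimed identifier."""
    url = normalize(user_input)
    for _ in range(max_hops):
        target = op_redirect(url)   # None means "200 OK, no redirect"
        if target is None:
            return url
        url = normalize(target)
    raise RuntimeError("too many redirects")

# Hypothetical OP policy 1: serves every URL as-is, never redirects.
def op_no_canonicalization(url):
    return None

# Hypothetical OP policy 2: redirects any URL with a query string to the
# same URL without it, i.e. the OP canonicalizes on behalf of the RP.
def op_strips_query(url):
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", "")) if p.query else None

def distinct_keys(inputs, op_redirect):
    """Set of database keys the RP would end up with for these inputs."""
    return {claimed_identifier(i, op_redirect) for i in inputs}

# Constructed sample inputs, all typed by the same person.
SAMPLE_INPUTS = [
    "alice.op.example",
    "alice.op.example?a=1",
    "alice.op.example?a=2",
    "http://ALICE.op.example/#frag",
]

if __name__ == "__main__":
    print(sorted(distinct_keys(SAMPLE_INPUTS, op_no_canonicalization)))
    print(sorted(distinct_keys(SAMPLE_INPUTS, op_strips_query)))
```
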