[OpenID] Claimed Identifiers and Query String Parameters

[SitG Admin]

>We are using the claimed identifier as a key in our database to 
>identify credentials for a user.

Ouch. This will make things confusing (and potentially a security 
risk) in the case of, for example, https://me.yahoo.com/ - I've been 
worrying over the same problem recently, and recommend borrowing an 
idea from MemCache: make a hash of each claimed ID *and* final ID 
(since Yahoo will declare a different actual ID) for lookup. This 
won't matter for collisions because you're just using the hash to 
save time that would otherwise be spent searching all those long text 
fields; if you get 5 results, you just check 5 entries^1 (with two 
fields apiece) for the full text. You can put a check in regular 
maintenance for lots of users with the same claimed ID but different 
final ID to detect users who are doing that kind of system.

^1) If you get five HUNDRED results, it might be time to use a longer hash :)

>However, it seems that some sites have virtually infinite number of 
>claimed identifiers for the same OP Local Id.

I remember this headache. OpenID follows the URL standard, so the 
user can vary capitalization when they type in their URI, and since 
this *may* be a different page on the server hosting their Identity, 
it's important to preserve case-sensitivity in keeping track of their 
identifier!

I'm experimentally using this method for a sanity check: lower-case 
the claimed ID, lower-case the final ID, look for the claimed ID *in* 
the final ID, and if there's no match, worry. (The exact definition 
of "worry" is, in my case, is to complain and then promptly die - 
you'd probably want yours to be more sophisticated.)

There was a thread last month (from the 3rd to the 5th) about "URI 
normalization and capitalization", I recommend that you look in the 
list archives and read that too.

-Shade