[OpenID] Claimed Identifiers and Query String Parameters
Joe Tele
pnwtele at yahoo.com
Wed Sep 3 15:51:09 UTC 2008
--- On Wed, 9/3/08, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
>>We are using the claimed identifier as a key in our database to
>>identify credentials for a user.
>Ouch. This will make things confusing (and potentially a security
>risk) in the case of, for example, https://me.yahoo.com/ - I've been
>worrying over the same problem recently, and recommend borrowing an
>idea from MemCache: make a hash of each claimed ID *and* final ID
>(since Yahoo will declare a different actual ID) for lookup.
I don't understand your distinction between claimed Id and final ID. In the case of https://me.yahoo.com/ my understanding is that URL is not the claimed id. The claimed id will be returned in the positive assertion. I'm eager to get our implementation correct, so I appreciate any other help to set me straight. I actually like the model where the OP selects the claimed id.
>>However, it seems that some sites have virtually infinite number of
>>claimed identifiers for the same OP Local Id.
>There was a thread last month (from the 3rd to the 5th) about "URI
>normalization and capitalization", I recommend that you look in the
>list archives and read that too.
Got it. Our URLs are following the normalization rules.
It seems that the OPs have a much greater obligation than they may realize to normalize their claimed identifiers. It will be to their users' detriment if they do not. I guess a power of OpenID is when the OPs which behave well to their users survive and the others wither.
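
Added example (not part of the original message, and not code from any OpenID library): RFC 3986 syntax-based normalization applied to the `openid.claimed_id` of a positive assertion before it is used as a database key. The function names and the `op.example` URLs are constructed for illustration, and the assertion is assumed to have been verified already.

```python
import re
from urllib.parse import urlsplit, urlunsplit

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
DEFAULT_PORTS = {"http": 80, "https": 443}

def _fix_escapes(text):
    # Decode %XX only for unreserved characters; uppercase every other escape.
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, text)

def _remove_dot_segments(path):
    segs, out = path.split("/"), []
    for seg in segs:
        if seg == "..":
            if len(out) > 1:  # never pop the leading empty segment
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs[-1] in (".", ".."):  # "/a/.." normalizes to "/", not ""
        out.append("")
    return "/".join(out) or "/"

def normalize_claimed_id(url):
    p = urlsplit(url.strip())
    if p.scheme not in DEFAULT_PORTS or not p.hostname or "@" in p.netloc:
        raise ValueError("claimed identifier must be an http(s) URL without userinfo")
    # urlsplit already lowercases scheme and hostname; restore IPv6 brackets.
    netloc = f"[{p.hostname}]" if ":" in p.hostname else p.hostname
    if p.port not in (None, DEFAULT_PORTS[p.scheme]):
        netloc += f":{p.port}"
    path = _remove_dot_segments(_fix_escapes(p.path))
    # Query and fragment are kept: they are part of the identifier.
    return urlunsplit((p.scheme, netloc, path, _fix_escapes(p.query), _fix_escapes(p.fragment)))

def account_key(assertion):
    # Assumption: the assertion's signature and discovery checks already passed.
    return normalize_claimed_id(assertion["openid.claimed_id"])

# Constructed sample data: spelling variants of one identifier share a key,
# while a different query string is a different account.
accounts = {}
for cid in ("HTTP://OP.Example:80/%7ejoe/./id?u=1", "http://op.example/~joe/id?u=1",
            "http://op.example/~joe/id?u=2"):
    accounts.setdefault(account_key({"openid.claimed_id": cid}), []).append(cid)
```

Normalization only collapses different spellings of the same URL; identifiers that differ in their query string remain separate keys, so an OP that issues many such URLs for one user still produces many accounts at the relying party.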