[OpenID] Claimed Identifiers and Query String Parameters

Joe Tele pnwtele at yahoo.com
Wed Sep 3 17:14:21 UTC 2008 

Ok.  All these rules are being followed to obtain the Claimed Identifier.
Our user input their Identifier a suffixed a query string.  We normalized
it and performed discovery.  The resulting identifier included the query string and was sent in the claimed_id field of the authentication request.  In Verisign's case, they echo back the identifier including any
query parameters in the claimed_id field of their authentication 
response.  It just looked to me like this provided a somewhat odd mechanism
to create a very large (and possibly unintended) set of claimed 
identifiers for a single Verisign user.  

This, combined with capitalization in the path seems to put an onus
on OPs that may not be realized to clean up their claimed identifiers
either through redirects or through their response's claimed_id.  It looks 
to be up to the users of the providers to decide if the behavior suits
them or not and pick up and move to a different provider if they don't get
what they are looking for.


--- On Wed, 9/3/08, Drummond Reed <drummond.reed at cordance.net> wrote:

> From: Drummond Reed <drummond.reed at cordance.net>
> Subject: Re: [OpenID] Claimed Identifiers and Query String Parameters
> To: "'Andrew Arnott'" <andrewarnott at gmail.com>, "'SitG Admin'" <sysadmin at shadowsinthegarden.com>
> Cc: general at openid.net
> Date: Wednesday, September 3, 2008, 9:28 AM
> +1 to RPs using the normalized Claimed Identifier returned
> by the OP as
> their persistent key. As SitG says, this is the only way to
> realistically
> deal with the OpenID recycling problem - for the Claimed
> Identifier to have
> a fragment if it's a URL or for it to be an i-number if
> its an XRI.
> 
>  
> 
> =Drummond 
> 
>  
> 
>   _____  
> 
> From: general-bounces at openid.net
> [mailto:general-bounces at openid.net] On
> Behalf Of Andrew Arnott
> Sent: Wednesday, September 03, 2008 8:53 AM
> To: SitG Admin
> Cc: general at openid.net
> Subject: Re: [OpenID] Claimed Identifiers and Query String
> Parameters
> 
>  
> 
> SitG said: make a hash of each claimed ID *and* final ID
> (since Yahoo will
> declare a different actual ID) for lookup.
> 
> SitG, I'm concerned about your terminology here.  The
> Claimed Identifier is
> the canonical identifier, and the only ID that Yahoo! or
> any other OP
> asserts/declares.  I don't know what this final ID is
> that you're talking
> about, or what this "different actual ID" is
> either.  But there are a few
> IDs defined in the OpenID spec:
> 
> *	User-supplied identifier: the actual string entered by
> the user,
> which may just be "yahoo.com"
> *	Normalized identifier (7.2): applying some set rules to
> the
> user-supplied identifier, including adding scheme and
> following redirects,
> this may be: "http://www.yahoo.com"
> *	Claimed Identifier: This is typically the normalized
> identifier if
> it is a URI.  But the OP may add a #fragment to it in the
> assertion in which
> case that is the Claimed Identifier.  And in the case of an
> XRI, the
> i-number is the claimedId.
> 
>  
> 
> On Wed, Sep 3, 2008 at 8:28 AM, SitG Admin
> <sysadmin at shadowsinthegarden.com>
> wrote:
> 
> >We are using the claimed identifier as a key in our
> database to
> >identify credentials for a user.
> 
> Ouch. This will make things confusing (and potentially a
> security
> risk) in the case of, for example, https://me.yahoo.com/ -
> I've been
> worrying over the same problem recently, and recommend
> borrowing an
> idea from MemCache: make a hash of each claimed ID *and*
> final ID
> (since Yahoo will declare a different actual ID) for
> lookup. This
> won't matter for collisions because you're just
> using the hash to
> save time that would otherwise be spent searching all those
> long text
> fields; if you get 5 results, you just check 5 entries^1
> (with two
> fields apiece) for the full text. You can put a check in
> regular
> maintenance for lots of users with the same claimed ID but
> different
> final ID to detect users who are doing that kind of system.
> 
> ^1) If you get five HUNDRED results, it might be time to
> use a longer hash
> :)
> 
> 
> >However, it seems that some sites have virtually
> infinite number of
> >claimed identifiers for the same OP Local Id.
> 
> I remember this headache. OpenID follows the URL standard,
> so the
> user can vary capitalization when they type in their URI,
> and since
> this *may* be a different page on the server hosting their
> Identity,
> it's important to preserve case-sensitivity in keeping
> track of their
> identifier!
> 
> I'm experimentally using this method for a sanity
> check: lower-case
> the claimed ID, lower-case the final ID, look for the
> claimed ID *in*
> the final ID, and if there's no match, worry. (The
> exact definition
> of "worry" is, in my case, is to complain and
> then promptly die -
> you'd probably want yours to be more sophisticated.)
> 
> There was a thread last month (from the 3rd to the 5th)
> about "URI
> normalization and capitalization", I recommend that
> you look in the
> list archives and read that too.
> 
> -Shade
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 
>  
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list