[OpenID] Claimed Identifiers and Query String Parameters

Martin Atkins mart at degeneration.co.uk
Wed Sep 3 20:32:39 UTC 2008


Joe Tele wrote:
> 
> --- On Wed, 9/3/08, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
> 
>>> We are using the claimed identifier as a key in our database to 
>>> identify credentials for a user.
> 
>> Ouch. This will make things confusing (and potentially a security 
>> risk) in the case of, for example, https://me.yahoo.com/ - I've been 
>> worrying over the same problem recently, and recommend borrowing an 
>> idea from MemCache: make a hash of each claimed ID *and* final ID 
>> (since Yahoo will declare a different actual ID) for lookup. 
> 
> I don't understand your distinction between claimed Id and final ID.  In the case of https://me.yahoo.com/ my understanding is that URL is not the claimed id.  The claimed id will be returned in the positive assertion.  I'm eager to get our implementation correct, so I appreciate any other help to set me straight.  I actually like the model where the OP selects the claimed id.

I think your understanding is correct. The specification distinguishes 
between an OpenID Identifier and an "OP Identifier"; 
http://me.yahoo.com/ is the latter. As the spec describes, when the user 
enters an OP identifier the user's identifier temporarily becomes a 
magic value given in the spec and is later set to be the identifier 
provided by the OP in the positive assertion.

>>> However, it seems that some sites have virtually infinite number of
>>> claimed identifiers for the same OP Local Id.
> 
>> There was a thread last month (from the 3rd to the 5th) about "URI 
>> normalization and capitalization", I recommend that you look in the 
>> list archives and read that too.
> 
> Got it.  Our URLs are following the normalization rules.  
> 
> It seems that the OPs have a much greater obligation than they may realize to normalize their claimed identifiers.  It will be to their users' detriment if they do not.  I guess a power of OpenId is when the OPs which behave well to their users survive and the others wither.
> 

It is true that many OPs are currently not doing much if any 
normalization on identifiers. However, since it is the OP that is 
responsible for parsing the identifier or otherwise mapping it onto a 
user account it seems to me to be most correct for the OP to be 
responsible for normalizing it too.

This can cause some pain if the OP doesn't do it from the start; when 
LiveJournal.com initially implemented OpenID its users all had two or 
three different identifiers that were all distinct as per the OpenID 
specification. LiveJournal later switched to normalizing to a particular 
URL scheme, which caused pain for users that had already used the 
"wrong" URL scheme and were no longer able to access their accounts at RPs.

This would be a good topic to address in a hypothetical "OP best 
practices" document. Hopefully it's being included in the OpenID book(s) 
that are currently being written.
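
Added example (not part of the original message, and not code from any OpenID library): a sketch of the RP side of this thread, showing which identifier variants RP-side URL normalization collapses, which it cannot, and which value ends up as the database key. It assumes http(s) URL identifiers only; the function names and the `is_op_identifier` flag (standing in for the result of discovery) are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Value the spec defines for requests made after the user enters an OP Identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input):
    """URL normalization an RP applies before discovery (XRIs not handled)."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s                      # bare "example.com/user" input
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname or parts.username is not None:
        raise ValueError("not an http(s) URL identifier: %r" % user_input)
    host = parts.hostname                      # urlsplit lowercases the host
    if ":" in host:
        host = "[" + host + "]"                # IPv6 literal
    if parts.port not in (None, DEFAULT_PORTS[scheme]):
        host += ":%d" % parts.port
    path = parts.path or "/"
    if path.endswith(("/.", "/..")):
        path += "/"
    kept = []
    for seg in path.split("/"):                # remove "." and ".." segments
        if seg == "..":
            if len(kept) > 1:
                kept.pop()
        elif seg != ".":
            kept.append(seg)
    # The fragment is dropped; scheme and query string are significant and kept.
    return urlunsplit((scheme, host, "/".join(kept) or "/", parts.query, ""))


def request_claimed_id(user_input, is_op_identifier):
    """claimed_id to send: the spec's magic value when an OP Identifier was entered."""
    return IDENTIFIER_SELECT if is_op_identifier else normalize_identifier(user_input)


def account_key(verified_assertion):
    """Database key: the claimed_id the OP returned, never what the user typed."""
    claimed = verified_assertion["openid.claimed_id"]
    if claimed == IDENTIFIER_SELECT:
        raise ValueError("OP did not select an identifier")
    return claimed
```

Scheme and query-string variants survive normalization as distinct identifiers, so only the OP can map them onto one canonical claimed_id.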




