[OpenID] Doubt about identifier

Andrew Arnott andrewarnott at gmail.com
Thu Feb 3 14:48:53 UTC 2011


On Thu, Feb 3, 2011 at 5:07 AM, Kleber - Corujito <corujito at gmail.com> wrote:

> Hi everyone! I'm new here and I have some doubts.
>
> OP returns something that identifies users uniquely.
>
> Must (or should) OP return always the same identifier for a user?
> If not, that is bad for RPs, isn't it?
>
Generally yes.  However, "directed identity" allows an OP to always send the
same claimed identifier to an individual RP, but each individual RP gets a
unique claimed id for the same user.  Thus each RP sees the same id, but
across multiple RPs the identifier varies, so that RPs can't correlate user
data.  Google is the only (large) OP that I know of that leverages this
capability.


> I noticed that I have different ways to use my Google openid and each one
> may return something different (or RPs are doing something wrong).
> ex:
> 1. https://www.google.com/accounts/o8/id (OP identifier)
> 2. http://google.com/profiles/LOGIN
> 3. http://www.google.com/profiles/1234567890
> 4. https://www.google.com/accounts/o8/id?id=blablablablabla
>
>
Google has 3 distinct OPs.  Their primary one, which uses directed identity,
accounts for #4 (claimed id) and #1 (OP identifier) on your list.  Then
Google Profiles has an OP that does *not* use directed identity, which is
#2/#3 on your list (people can choose whether the identifier is your login
name or not).
Their third OP isn't on your list -- it's the OpenID 1.1 OP that is behind
their Blogger service.  As the version number implies, it's been long in
need of an update, or a replacement
<http://blog.nerdbank.net/2010/03/how-to-upgrade-your-blogger-openid-to.html>.
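
The directed-identity behaviour described in the reply above, as an added example that is not part of the original message: a hypothetical OP derives each RP's claimed identifier with an HMAC over the user and the RP's realm, so one RP always sees the same value while two RPs have nothing to join on. The HMAC derivation, the secret, and the op.example / rp-*.example names are assumptions for illustration; the thread does not say how Google computes its identifiers.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for illustration; nothing here is Google's real scheme.
OP_SECRET = b"constructed-demo-secret"      # assumption: per-OP secret key
OP_ID_ENDPOINT = "https://op.example/id"    # assumption: hypothetical OP


def normalize_realm(realm: str) -> str:
    """Canonicalise a realm so case or a missing trailing slash does not
    change the identifier an RP receives."""
    parts = urlsplit(realm)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a usable realm: {realm!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}{parts.path or '/'}"


def directed_claimed_id(local_user: str, realm: str) -> str:
    """Claimed identifier the OP asserts for local_user at one RP.
    Same (user, realm) always gives the same value; a different realm
    gives an unrelated one."""
    msg = local_user.encode() + b"\x00" + normalize_realm(realm).encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{OP_ID_ENDPOINT}?id={tag}"


def shared_identifiers(users, realm_a: str, realm_b: str) -> set:
    """Identifiers two RPs could join on if they pooled their user tables."""
    ids_a = {directed_claimed_id(u, realm_a) for u in users}
    ids_b = {directed_claimed_id(u, realm_b) for u in users}
    return ids_a & ids_b


if __name__ == "__main__":
    users = ["alice", "bob"]
    for realm in ("https://rp-one.example/", "https://rp-two.example/"):
        for user in users:
            print(realm, user, directed_claimed_id(user, realm))
    print("joinable:", shared_identifiers(users, "https://rp-one.example/",
                                          "https://rp-two.example/"))
```

An RP talking to such an OP keys its accounts on the claimed identifier returned in the assertion, since the OP identifier typed at login is the same for every user.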