<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">You are correct. The user is using two separate OP. They return different identifiers.<div><br></div><div>The confusion is that all of the OP happen to be controlled by Google. </div><div><br></div><div>It is a deployment choice by Google, not a design flaw in the protocol. They do have other options, though trying to merge the Blogger openID with the Google ones creates other issues.</div><div><br></div><div>John B.<br><div><div>On 2011-02-03, at 1:39 PM, Kleber - Corujito wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Thanks for the reply.<div><br></div><div>- Let's imagine an individual RP.</div><div>- user uses a Google button to authenticate (OP identifier)</div><div>here Google will return an identifier like <span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><a href="https://www.google.com/accounts/o8/id?id=blablablablabla" target="_blank" style="color: rgb(0, 0, 204); ">https://www.google.com/accounts/o8/id?id=blablablablabla</a></span></div>
<meta http-equiv="content-type" content="text/html; charset=utf-8"><div><br></div><div>- another day the same user try to authenticate using a URL (not a Google button) <span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><a href="http://google.com/profiles/LOGIN" target="_blank" style="color: rgb(0, 0, 204); ">http://google.com/profiles/LOGIN</a></span></div>
<meta http-equiv="content-type" content="text/html; charset=utf-8"><div>here Google will return an identifier different from the first to the same RP (return <span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><a href="http://google.com/profiles/LOGIN" target="_blank" style="color: rgb(0, 0, 204); ">http://google.com/profiles/LOGIN</a></span>).</div>
<div><br></div><div>In this case would return different identifiers for the same user and same RP.</div><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta http-equiv="content-type" content="text/html; charset=utf-8"><div>
Am I wrong?</div><div><br><div class="gmail_quote">On Thu, Feb 3, 2011 at 12:48 PM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="gmail_quote"><div class="im">On Thu, Feb 3, 2011 at 5:07 AM, Kleber - Corujito <span dir="ltr"><<a href="mailto:corujito@gmail.com" target="_blank">corujito@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi everyone! I'm new here and I have some doubts.<div><br></div><div>OP returns something that identifiers users uniquely.</div><div><br></div><div>Must (or should) OP return always the same identifier for an user?</div>
<div>if not, that is bad to RPs, isn't?<br clear="all"></div></blockquote></div><div>Generally yes. However, "directed identity" allows an OP to always send the same claimed identifier to an individual RP, but each individual RP gets a unique claimed id for the same user. Thus each RP sees the same id, but across multiple RPs the identifier varies, so that RPs can't correlate user data. Google is the only (large) OP that I know of that leverages this capability.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><div><br></div><div>I noticed that I have different ways to use my Google openid and each one may return something different (or RPs are doing something wrong).</div>
<div>
ex:</div></div><div>1. <a href="https://www.google.com/accounts/o8/id" target="_blank">https://www.google.com/accounts/o8/id</a> (OP identifier)</div><div>2. <a href="http://google.com/profiles/LOGIN" target="_blank">http://google.com/profiles/LOGIN</a></div>
<div>
3. <a href="http://www.google.com/profiles/1234567890" target="_blank">http://www.google.com/profiles/1234567890</a></div>
<div>4. <a href="https://www.google.com/accounts/o8/id?id=blablablablabla" target="_blank">https://www.google.com/accounts/o8/id?id=blablablablabla</a></div><div><br></div></blockquote><div><br></div><div>Google has 3 distinct OPs. Their primary one which uses directed identity, and accounts for #4 (claimed id) and #1 (OP identifier) on your list. Then Google Profiles has an OP that does <i>not</i> use directed identity, which is #2/#3 on your list (people can choose whether the identifier is your login name or not). </div>
<div>Their third OP isn't on your list -- it's the OpenID 1.1 OP that is behind their Blogger service. As the version number implies, it's been long in need of an update, or <a href="http://blog.nerdbank.net/2010/03/how-to-upgrade-your-blogger-openid-to.html" target="_blank">a replacement</a>. </div>
</div>
</blockquote></div><br><br clear="all"><br>-- <br>Kleber Manoel Infante (Corujito)<br>
</div>
_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-general<br></blockquote></div><br></div></body></html>