tags:
views: 180
answers: 2

Which one should I use to index a user from an OpenID auth process: "openid_identity" or "openid_claimed_id"? I'm using the Dope OpenId class and the data returned is:

[openid_ns] => http://specs.openid.net/auth/2.0
[openid_mode] => id_res
[openid_return_to] => http://localhost/login/authenticate
[openid_claimed_id] => https://me.yahoo.com/a/wK7..MjM-#607
[openid_identity] => https://me.yahoo.com/a/wK7...MjM-
[openid_realm] => http://localhost/
[openid_assoc_handle] =>odm...j24yhwlT...2TOXQ9.sifIz3eLZoU.....jOoGM...9VPcMVavQkVgEQ--
[openid_response_nonce] => 2009-09-19T12:35:08Z95e...WtOYlQ--
[openid_signed] => assoc_handle,claimed_id,identity,mode,ns,op_endpoint,response_nonce,return_to,signed,ns.pape,pape.auth_level.ns.nist,pape.auth_level.nist,pape.auth_policies
[openid_op_endpoint] => https://open.login.yahooapis.com/openid/op/auth
[openid_ns_pape] => http://specs.openid.net/extensions/pape/1.0
[openid_pape_auth_level_ns_nist] => http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
[openid_pape_auth_level_nist] => 0
[openid_pape_auth_policies] => http://schemas.openid.net/pape/policies/2007/06/none
[openid_sig] => kO7......EitU=

Thanks

A: 

You should always store the canonical form of the OpenID the user provided as input because of OpenID delegation.

In your case it looks like the claimed identity has a fragment identifier at the end, which is irrelevant to the OpenID process.

stefanw
I did some searching and found that I should use openid_claimed_id; sites like Yahoo use the fragment in the openid_claimed_id and this is different for every one, for example https://me.yahoo.com/a/wK7..MjM-#607 is different from https://me.yahoo.com/a/wK7..MjM-#608. I'm not sure about the sources, they are old too. Thanks for your answer. I'm still confused about which one I should use :(
mozlima
The fragment is not sent to the server; only JavaScript can actually process it. It'd be pretty weird if it had a significance for the OpenID process. Like I said: use a canonical form of the user input as the OpenID! Yahoo won't know about any OpenID delegations that happened before. But the user still knows best what OpenID he wants to use with your service!
stefanw
But if I use the user's source input as the index, maybe URLs like http://openid.yahoo/username/ , https://openid.yahoo/username/ , http://openid.yahoo/username , http://openid.yahoo/username?blabla are the same process in the OP, but not in my DB, so I should use some reference from the server to leave only a small chance of errors. Thanks for the answer.
mozlima
That's why I said "canonical form".
stefanw
The openid.claimed_id parameter is the correct one to store and use for lookup for the user. It's the equivalent of "username" in the traditional username/password philosophy. The fragment IS ABSOLUTELY IMPORTANT! Read the OpenID spec if you need to, but the entire openid.claimed_id is vitally important (scheme, host, path, query and fragment -- the whole thing!) and it should be treated as case sensitive as well.
Andrew Arnott
+2  A: 

Use the openid.claimed_id parameter as the logical primary key for users. Treat it as case sensitive, and use the entire value. Do not trim off the fragment or the scheme (protocol). Treat "http://" and "https://" protocols as entirely different, even if the rest of the URL is the same. In short, treat the openid.claimed_id as an opaque value that must entirely be stored for new users and entirely be matched for returning users.

The OpenID 2.0 specification explains further, but the short answer is above.

Andrew Arnott
By the way, I haven't heard of Dope OpenId before, but there are a few choices for PHP OpenID libraries out there. I suggest before you settle on using Dope OpenID, run it through the RP tests at http://test-id.org/ to make sure it's a secure implementation of OpenID. If it isn't, I suggest you try the Janrain PHP library at http://www.openidenabled.com/ which I expect passes the tests.
Andrew Arnott
How is this going to handle delegated OpenIDs? When I input mydomain.com which delegates to name.myopenid.com, is claimed_id = mydomain.com? If the consumer saves the delegated OpenID (name.myopenid.com), the whole sense of delegation goes to waste.
stefanw
You are correct. In the case of delegation from mydomain.com to name.myopenid.com, the openid.claimed_id is mydomain.com, allowing the delegated OP to change while maintaining the identity of the user since the openid.claimed_id doesn't change.
Andrew Arnott
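The two pieces of advice in this thread fit together: stefanw's "canonical form" is what the relying party derives from the login-box input before discovery, while the value to persist and match is the exact openid.claimed_id the OP signs, as Andrew Arnott's answer says. The following is an added example written for this page; it is not code from the question, from either answerer, or from the Dope OpenID library. It assumes the OpenID library has already verified openid.sig against the association, and every domain, handle and nonce in it is constructed.

```python
"""Added example (not the page's or the Dope OpenID library's code):
canonicalize the user-typed identifier for discovery, then key the user
table on the exact, opaque openid.claimed_id that the OP signs."""
from urllib.parse import urlsplit, urlunsplit

XRI_GCS = ("=", "@", "+", "$", "!")
# Fields OpenID 2.0 sec. 10.1 requires in openid.signed for every positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def normalize_user_input(identifier: str) -> str:
    """Canonical form of the login-box input (simplified OpenID 2.0 sec. 7.2):
    strip 'xri://', keep XRIs as-is, otherwise add a scheme, lower-case scheme
    and host, default the path to '/', and drop the fragment.
    This drives discovery only; it is NOT what gets stored as the user key."""
    ident = identifier.strip()
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident.startswith(XRI_GCS):
        return ident
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    p = urlsplit(ident)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def signed_claimed_id(response: dict) -> str:
    """Return openid.claimed_id, refusing assertions where it (or identity) is
    not covered by openid.signed. Verifying openid.sig itself is assumed to be
    done by the OpenID library; an unsigned claimed_id is attacker-controlled."""
    signed = set(response.get("openid.signed", "").split(","))
    missing = REQUIRED_SIGNED - signed
    if missing:
        raise ValueError(f"required fields unsigned: {sorted(missing)}")
    claimed = response.get("openid.claimed_id")
    if claimed is None or "claimed_id" not in signed:
        raise ValueError("openid.claimed_id missing or unsigned")
    if "openid.identity" in response and "identity" not in signed:
        raise ValueError("openid.identity present but unsigned")
    return claimed


class UserStore:
    """User table keyed on the whole claimed_id string: case-sensitive, with
    scheme, query and fragment, and no normalization at lookup time."""

    def __init__(self) -> None:
        self._users = {}

    def login(self, response: dict) -> dict:
        claimed = signed_claimed_id(response)
        user = self._users.get(claimed)  # exact match only
        if user is None:
            user = {"id": len(self._users) + 1, "claimed_id": claimed}
            self._users[claimed] = user
        # OP-local identity and endpoint may change under delegation: record
        # them for reference, never use them as the key.
        user["identity"] = response.get("openid.identity")
        user["op_endpoint"] = response["openid.op_endpoint"]
        return user


def make_response(claimed_id: str, identity: str, op_endpoint: str,
                  signed: str = "assoc_handle,claimed_id,identity,mode,ns,"
                                "op_endpoint,response_nonce,return_to,signed") -> dict:
    """Constructed id_res parameters, limited to the fields this example reads."""
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
            "openid.claimed_id": claimed_id, "openid.identity": identity,
            "openid.op_endpoint": op_endpoint,
            "openid.return_to": "http://localhost/login/authenticate",
            "openid.response_nonce": "2009-09-19T12:35:08Zconstructednonce",
            "openid.assoc_handle": "constructed-assoc-handle", "openid.signed": signed}


def demo() -> dict:
    store = UserStore()
    op = "https://op.example/openid/auth"
    # Same OP-local identity, different fragment in claimed_id: two distinct users.
    a = store.login(make_response("https://me.example/a/abc123#607", "https://me.example/a/abc123", op))
    b = store.login(make_response("https://me.example/a/abc123#608", "https://me.example/a/abc123", op))
    # Delegation: claimed_id stays http://mydomain.example/ while the OP behind it moves.
    d1 = store.login(make_response("http://mydomain.example/", "http://name.myopenid.example/", op))
    d2 = store.login(make_response("http://mydomain.example/", "http://name.other.example/",
                                   "https://other.example/auth"))
    # The four variants from the question are four different users, by design.
    variants = ["http://openid.example/username/", "https://openid.example/username/",
                "http://openid.example/username", "http://openid.example/username?blabla"]
    variant_ids = [store.login(make_response(v, v, op))["id"] for v in variants]
    try:  # claimed_id left out of openid.signed must not reach the user table
        store.login(make_response("http://evil.example/", "http://evil.example/", op,
                                  signed="assoc_handle,mode,ns,op_endpoint,response_nonce,return_to,signed"))
        unsigned_rejected = False
    except ValueError:
        unsigned_rejected = True
    return {"fragment_users": (a["id"], b["id"]), "delegation_same_user": d1["id"] == d2["id"],
            "delegated_op_now": d2["op_endpoint"], "variant_users": variant_ids,
            "unsigned_rejected": unsigned_rejected}
```

Normalization is applied once, to what the user typed, so that "example.com" and "HTTP://EXAMPLE.COM/#x" start discovery at the same place; the claimed_id that comes back in the signed assertion is then matched byte-for-byte, which is why the fragment, the scheme and the trailing slash all distinguish users, and why a delegated identifier keeps the same account after its OP changes.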