tags:

views:

180

answers:

2
+2  Q: 

OpenID : Wich one I should use to index a user "openid_identity" or "openid_claimed_id"?

Wich one should I use to index a user from a Openid auth proccess. "openid_identity" or "openid_claimed_id"? Im using Dope OpenId class and data returned is :

[openid_ns] => http://specs.openid.net/auth/2.0
[openid_mode] => id_res
[openid_return_to] => http://localhost/login/authenticate
[openid_claimed_id] => https://me.yahoo.com/a/wK7..MjM-#607
[openid_identity] => https://me.yahoo.com/a/wK7...MjM-
[openid_realm] => http://localhost/
[openid_assoc_handle] =>odm...j24yhwlT...2TOXQ9.sifIz3eLZoU.....jOoGM...9VPcMVavQkVgEQ--
[openid_response_nonce] => 2009-09-19T12:35:08Z95e...WtOYlQ--
[openid_signed] => assoc_handle,claimed_id,identity,mode,ns,op_endpoint,response_nonce,return_to,signed,ns.pape,pape.auth_level.ns.nist,pape.auth_level.nist,pape.auth_policies
[openid_op_endpoint] => https://open.login.yahooapis.com/openid/op/auth
[openid_ns_pape] => http://specs.openid.net/extensions/pape/1.0
[openid_pape_auth_level_ns_nist] => http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
[openid_pape_auth_level_nist] => 0
[openid_pape_auth_policies] => http://schemas.openid.net/pape/policies/2007/06/none
[openid_sig] => kO7......EitU=

Thanks

A: 

You should always store the canonical form of the OpenID the user provided as input because of OpenID delegation.

In your case it looks like claimed identity has a fragment identifier at the end which is irrelevant to the OpenID process.

stefanw  2009-09-19 14:12:13
I did some search I found that should use openid_claimed_id, site like yahoo use the fragment in the openid_claimed_id and this is diff from every fragment example https://me.yahoo.com/a/wK7..MjM-#607 is diff from https://me.yahoo.com/a/wK7..MjM-#608 im not sure about the sources, they are old too.. Thanks for you answer. I still confuse wich one I should use :(
mozlima  2009-09-19 15:24:03
The fragment is not sent to the server, only JavaScript can actually process it. It'd be pretty weird if it has a significance for the OpenID process.Like I said: use a canonical form of the user input as OpenID! Yahoo won't know about any OpenID delegations that happened before. But the user still knows best what OpenID he wants to use with your service!
stefanw  2009-09-19 15:31:58
But if I use the user source input like index, maybe that URLs like http://openid.yahoo/username/ , https://openid.yahoo/username/ , http://openid.yahoo/username, http://openid.yahoo/username?blabla is the same proccess in the OP, but not in my db so I should use some ref from server, to try let with a small chance of errorsthanks for the answer.
mozlima  2009-09-19 15:59:08
That's why I said "canonical form".
stefanw  2009-09-19 17:02:19
The openid.claimed_id parameter is the correct one to store and use for lookup for the user. It's the equivalent of "username" in the traditional username/password philosophy.The fragment IS ABSOLUTELY IMPORTANT! Read the OpenID spec if you need to, but the entire openid.claimed_id is vitally important (scheme, host, path, query and fragment -- the whole thing!) and it should be treated as case sensitive as well.
Andrew Arnott  2009-09-20 02:37:09
+2  A: 

Use the openid.claimed_id parameter as the logical primary key for users. Treat it as case sensitive, and use the entire value. Do not trim off the fragment or the scheme (protocol). Treat "http://" and "https://" protocols as entirely different, even if the rest of the URL is the same. In short, treat the openid.claimed_id as an opaque value that must entirely be stored for new users and entirely be matched for returning users.

The OpenID 2.0 specification explains further, but the short answer is above.

Andrew Arnott  2009-09-20 02:41:34
By the way, I haven't heard of Dope OpenId before, but there are a few choices for PHP OpenID libraries out there. I suggest before you settle on using Dope OpenID, run it through the RP tests at http://test-id.org/ to make sure it's a secure implementation of OpenID. If it isn't, I suggest you try the Janrain PHP library at http://www.openidenabled.com/ which I expect passes the tests.
Andrew Arnott  2009-09-20 02:46:39
How is this going to handle delegated OpenIDs? When I input mydomain.com which delegates to name.myopenid.com, is claimed_id = mydomain.com? If the consumer saves the delegated OpenID (name.myopenid.com), the whole sense of delegation goes to waste.
stefanw  2009-09-20 12:43:49
You are correct. In the case of delegation from mydomain.com to name.myopenid.com, the openid.claimed_id is mydomain.com, allowing the delegated OP to change while maintaining the identity of the user since the openid.claimed_id doesn't change.
Andrew Arnott  2009-09-20 15:19:39

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases