Why does my OpenID app receive different Google OpenIDs from different client machines for the same user?

I'm adding OpenID login to a small web app using Spring Security 2.0.5. I want to be able to identify users within my application based on the OpenID identifier with which they logged in. This works fine when using Verisign as the provider; each identifier is a user-specific URI like http://jbloggs.pip.verisignlabs.com/, which is easily looked up in my user database to find "Joe Bloggs".

However when a user enters the standard Google OpenID identifier (www.google.com/accounts/o8/id), the identifier sent by Google upon successful authentication (something like https://www.google.com/accounts/o8/id?id=AItOawnKrvwaGk9YU0q9STQGj9G7XIRlNmsjuiI) varies from machine to machine for the same user. This makes it impossible (or at least impractical) to identify that user by looking up their identifier in my user database.

How can I get Google to always send the same identifier for the same Google user?

FWIW, the app runs in JBoss 3.2.7 with embedded Tomcat 5.0.28.

Andrew Swan asked Nov 23 '09 02:11


1 Answer

Google uses a feature of OpenID called directed identity, which means that Google makes up a new, unique and uncorrelatable identifier for every RP (OpenID-accepting web site) the user logs into. This isn't an option -- it's the only way Google works. The key by which Google discerns between RPs is the openid.realm parameter, so as long as that is the same, you'll get the same identifiers for your users. But if you ever change the realm, all your users' identities will be lost, since Google will send a new set of identifiers for your existing users.

What can you do about it? Two options:

  1. Keep openid.realm constant so the identifiers don't change.
  2. Use AX to 'require' the users' email address when the Provider is Google, and then you can do correlation between Google identifiers based on email address. (Tricky though: lots of security ramifications when juggling between OpenID and email identifiers.)
Andrew Arnott answered Oct 03 '22 10:10
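The two points the answer makes (the realm is the key Google uses, and e-mail correlation needs care) as an added Python example; this is not code from the original post or from Spring Security. The Google OP endpoint constant and the sample user store are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

# Assumed: the OP endpoint URL the library verified the assertion against.
GOOGLE_OP_ENDPOINT = "https://www.google.com/accounts/o8/ud"

def realm_matches(realm: str, return_to: str) -> bool:
    """OpenID 2.0 realm check: return_to must share scheme, port, host (a
    leading '*.' in the realm matches that domain and its subdomains) and
    path prefix with the realm. Realms may not carry a query or fragment."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.query or r.fragment or r.scheme != u.scheme:
        return False
    default = {"http": 80, "https": 443}
    if (r.port or default.get(r.scheme)) != (u.port or default.get(u.scheme)):
        return False
    r_host, u_host = (r.hostname or "").lower(), (u.hostname or "").lower()
    if r_host.startswith("*."):
        suffix = r_host[1:]                       # ".example.com"
        if not (u_host == suffix[1:] or u_host.endswith(suffix)):
            return False
    elif r_host != u_host:
        return False
    r_path, u_path = r.path or "/", u.path or "/"
    return u_path == r_path or u_path.startswith(r_path.rstrip("/") + "/")

def resolve_user(store, realm, return_to, claimed_id, op_endpoint, ax_email=None):
    """Map a verified OpenID assertion to a local username, or None.
    store["ids"] is keyed by (realm, claimed_id): a directed identifier is
    only meaningful for the realm it was issued to, so a changed realm fails
    to match instead of silently orphaning users. store["emails"] backs the
    AX fallback (option 2 in the answer)."""
    if not realm_matches(realm, return_to):
        raise ValueError("return_to %r is outside realm %r" % (return_to, realm))
    user = store["ids"].get((realm, claimed_id))
    if user is not None:
        return user
    # Trust the AX e-mail only when Google's own OP signed the assertion;
    # any other OP could assert any address and take over the account.
    if ax_email and op_endpoint == GOOGLE_OP_ENDPOINT:
        user = store["emails"].get(ax_email.strip().lower())
        if user is not None:
            store["ids"][(realm, claimed_id)] = user  # link the new directed id
    return user

# Constructed sample store; only the Verisign identifier comes from the question.
STORE = {
    "ids": {("https://app.example.com/", "http://jbloggs.pip.verisignlabs.com/"): "jbloggs"},
    "emails": {"joe@example.com": "jbloggs"},
}
```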