is openid.claimed_id static?

Question

I'm reading about Federated Login for Google Account Users to figure out how I can have a user log in to a web application using their Google Account.

So towards the end of the process, Google returns a Google supplied identifier which is appended as 'openid.claimed_id'. This means the web application uses this identifier to recognize the user and allow access to application features and data. My question is, is this identifier static? meaning can I use this identifier to repeatedly id the same user?

Thanks, Hristo

Answer 1

Yes. Consider the openid.claimed_id value to be the username. Especially with Google, but this is true for any OpenID Provider that truly implements 'directed identity', don't consider this username to be correlatible with other web sites. Any other relying party besides your own web site will get a different claimed_id value for the same Google user, by design.

Also, be sure to treat this claimed_id as case sensitive.

Answer 2

The specific answer to your question is found in Googles OpenID API documentation: http://code.google.com/apis/accounts/docs/OpenID.html

"The Google-supplied identifier, which has no connection to the user's actual Google account name or password, is a persistent value; it remains constant even if the user changes their Google user name and/or email address. This identifier is also a "directed identity", that is, Google returns a different value to each relying party. Google uses the request parameter openid.realm to recognize the relying party, so if the third-party application decides to change this value, all user identifiers will change."