tags:

views: 151

answers: 3

Following this tutorial:

http://www.plaxo.com/api/openid_recipe

One of the steps is:

Need to look up whether the OpenID entered already belongs to an existing user on your site

My problem:

What is the OpenID like for a Gmail account (I have no other OP account yet)? It seems to me that OpenID = https://www.google.com/accounts/o8/id for Gmail, but how can I use that to look up a user, since it is the same for all users?

+3  A: 

It's actually https://www.google.com/accounts/o8/id?id=XXXXXXXX for some unique string XXXXXXXX on the end that corresponds to the user.

From further down in the page you linked:

When the OpenID provider redirects to your return_to URL, they will add a bunch of additional query string parameters that contain the information needed to verify the user's authentication with this OpenID. Depending on the OpenID library you're using, you may need to gather these up into a data structure to pass in to the verification function, or it may do it for you.

One of those is that string. From the Google OpenID documentation:

A Google-supplied identifier, which has no relationship to the user's actual Google account name or password, is appended as the query parameter openid.claimed_id.

Amber
Does this hold: `xxxxx` = `[email protected]`?
openid
No. It holds a hash string that doesn't correspond to any particular user information, the only guarantee is that the same user will have the same hash string.
Amber
Also, you may wish to look at google's own documentation: http://code.google.com/apis/accounts/docs/OpenID.html - relevant quote, "A Google-supplied identifier, which has no relationship to the user's actual Google account name or password, is appended as the query parameter openid.claimed_id."
Amber
I tried that hash string, but I still have to go to Gmail to sign in. Say, what's the benefit of appending an additional `xxxxx`?
openid
Is it because SO didn't implement this feature?
openid
@Dav ...same user will have the same hash string for the same site - your hash strings for SO and meta.SO would be different. This is for improved privacy it seems.
Amarghosh
@openid: "I tried that hash string, but still have to go to gmail to sign in." - you will ALWAYS need to go to gmail to sign in; that's *how OpenID works*. The signin is done by the openid provider; the reason you do it is to prevent having to create a separate login username/password for each site.
Amber
@Amarghosh: correct, I didn't mention the site part but yes.
Amber
I thought the hash string was used for direct login; it seems I'm wrong?
openid
No, the hash is part of the per-user identifier. OpenID does not support direct login (and supplying repeated-use login credentials via a URI would be rather insecure).
Amber
A: 

https://www.google.com/accounts/o8/id is what you use for login. Upon a successful login, the response from Google will contain the long unique URL (with hash) in the openid.claimed_id variable; that is the one you should store in your DB and compare to know whether it is a new user or an existing one.

With other OpenID providers like myOpenID, both (the login URL and the claimed_id) are the same.

Amarghosh
But the tutorial I posted seems to say that the OpenID can be obtained before the redirect to Gmail?
openid
The page isn't accessible here; but yeah, as I said, in the case of other providers like myOpenID etc., you can get the unique ID before redirection. But how can you confirm that the user is not lying? You can confirm the identity only based on the response from the OpenID provider, be it Google or myOpenID.
Amarghosh
That's exactly what I think!
openid
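The lookup step this answer describes (take `openid.claimed_id` from the `id_res` response, then find or create the user keyed on it), as an added example that is not part of the question or any answer. It assumes a constructed return_to redirect URL and a made-up `id=` value; the `UserStore` class, `extract_google_claimed_id` and `handle_return` are names chosen for this illustration, not part of any OpenID library. The signature check or `check_authentication` round trip against the provider is deliberately left to your OpenID library and must succeed before the claimed_id is trusted.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Google's OP Identifier: it identifies the provider, not any user.
GOOGLE_OP_IDENTIFIER = "https://www.google.com/accounts/o8/id"

# Constructed sample redirect to our return_to URL after a successful sign-in.
# The id= value is made up; real ones are opaque strings chosen by Google.
SAMPLE_RETURN_URL = (
    "https://example.com/openid/return"
    "?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawkExampleHash123"
    "&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawkExampleHash123"
)


def parse_openid_response(return_url):
    """Flatten the query string of the return_to URL into a dict of openid.* params."""
    query = parse_qs(urlparse(return_url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def extract_google_claimed_id(params):
    """Return the per-user identifier from a positive (id_res) response.

    This does NOT verify the response: the signature check / check_authentication
    round trip belongs to your OpenID library and must pass before this is trusted.
    """
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion: openid.mode=%r" % params.get("openid.mode"))
    claimed_id = params.get("openid.claimed_id")
    if not claimed_id:
        raise ValueError("response carries no openid.claimed_id")
    parsed = urlparse(claimed_id)
    base = "%s://%s%s" % (parsed.scheme, parsed.netloc, parsed.path)
    if base != GOOGLE_OP_IDENTIFIER:
        raise ValueError("claimed_id is not a Google o8 identifier: %r" % claimed_id)
    # The bare OP Identifier (no ?id=...) is shared by every Google user and
    # must never be used as a user key.
    if not parse_qs(parsed.query).get("id"):
        raise ValueError("claimed_id is the OP Identifier, not a user identifier")
    return claimed_id


class UserStore:
    """Minimal users table keyed on the full claimed_id (in-memory SQLite for the demo)."""

    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS users ("
            "  id INTEGER PRIMARY KEY AUTOINCREMENT,"
            "  openid_claimed_id TEXT NOT NULL UNIQUE)"
        )

    def lookup_or_create(self, claimed_id):
        """Return (user_id, created). Existing users are matched on the full claimed_id."""
        row = self.conn.execute(
            "SELECT id FROM users WHERE openid_claimed_id = ?", (claimed_id,)
        ).fetchone()
        if row:
            return row[0], False
        cur = self.conn.execute(
            "INSERT INTO users (openid_claimed_id) VALUES (?)", (claimed_id,)
        )
        self.conn.commit()
        return cur.lastrowid, True


def handle_return(store, return_url):
    """What the return_to handler does once the library has verified the assertion."""
    params = parse_openid_response(return_url)
    claimed_id = extract_google_claimed_id(params)
    return store.lookup_or_create(claimed_id)


if __name__ == "__main__":
    store = UserStore()
    print(handle_return(store, SAMPLE_RETURN_URL))  # first visit: (1, True)
    print(handle_return(store, SAMPLE_RETURN_URL))  # same user again: (1, False)
```

Because Google's hash is per-site (as the comments above note), the same person signing in to a different relying party gets a different claimed_id there; the lookup must therefore be done against the identifier your own site received, never against one copied from another site.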
A: 

The key distinction here is that https://www.google.com/accounts/o8/id is not an OpenID identifier, not in the way that the tutorial means. Because, as you've noted, it's the same for all users. In the terminology of the specification, it is an "OP Identifier", it identifies the provider (Google), not a user.

This practice (entering the provider's identifier instead of the user's) wasn't common at the time A Recipe for OpenID-Enabling Your Site was written. When using this flow, you don't have an identifier for the user until the user is redirected back to your site from the provider with an id_res response.

As an aside, Google does offer more legible identifier URLs now. If you've set up your Google Profile, your profile page (http://www.google.com/profiles/myProfileName) is an OpenID too. Unlike the /accounts/o8/id identifiers, this one is stable across all the sites you use it with, no funky hash string involved.

keturn