tags:

views:

38

answers:

1
+1  Q: 

can I change my open ID URL change?

I wanted to know if I can change my open ID url from say:

www.abc.com/username

to

www.pqr.com/username

while the relying party still thinks I am the same user?

or even say:

www.abc.com/something/username

to

www.abc.com/somethingelse/username

I intuitively think that this is not possible since if it were, then it is possible for anyone to spoof anyone else's identity.

Also, does Open ID specify which fields the relying party should use to ensure secure determination of the user's identity? For example, I would expect it to club the URL provided with the username/email address sent back by the Open ID server.

A: 

This answer assumes that you are trying to login using two different URLs that have redirects to the same OpenID page.

I do not know if it is possible to use two different URLs for the same login because I am not sure what uniquely identifiable information OpenID relays. Stack Overflow does not currently allow this: different URLs pointing to the same OpenID portal will authenticate differently.

Assuming OpenID sends unique information for each account and not just each URL, it should be possible to swap the URLs without losing any security.

This would not pose a security risk because the same OpenID portal would still perform the authentication, requiring the correct user to login. The OpenID delegation you would use on these pages just redirects to the proper OpenID authentication portal:

<link rel="openid.server" href="http://www.myopenid.com/server" /> 
<link rel="openid.delegate" href="http://YOUROPENID.myopenid.com/" />

Obviously all security is lost if you identify your account using an OpenID URL for a page that you do not have complete control over.

Trey  2010-05-26 06:15:42
"I do not know if it is possible to use two different URLs for the same login because I am not sure what uniquely identifiable information OpenID relays. Stack Overflow does not currently allow this: different URLs pointing to the same OpenID portal will authenticate differently."Yes, this is what I am talking about. Does the specification mention anything about which URLs the relaying party should store? (if it does)?
dhruvbird  2010-05-26 10:29:55

related questions

how to get login credentials by openId?
OpenID Migration
PHP Tutorial for OpenId and OAuth
OpenID login workflow?
OpenID support for Ruby on Rails application
Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
What is the benefit of using ONLY OpenID authentication on a site?
Problems with migrating Cardspace cards between computers
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
How do I enable open id on a Java Webapp?
What would it take to make OpenID mainstream?
What's the best .NET library for OpenID and ASP.NET MVC?
Useful browser plugins for openid authentication?
How do I implement an OpenID server in Rails?
How do I implement OpenID in my web application?
Why is HTML form redirection used in OpenID 2?
How do you set up an OpenID provider (server) in Ubuntu?
OpenID as a Single Sign On option??
Should my website abandon username/password authentication in favor of OpenID?
OpenID authentication in ASP.NET?
Open ID - What happens when you decide you don't like your existing provider?
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
How do I use more than one OpenID?