Hi all,

I'm trying to make use of OpenID to allow me to login to my website via Google. Eventually it'll be used by visitors, but for now it's simply hard-coded as Google to verify my own login only.

My code looks like this:

```csharp
var openId = new OpenIdRelyingParty();

// If we have no response, start
if (openId.Response == null)
{
    // Create a request and send the user off
    openId.CreateRequest("https://www.google.com/accounts/o8/id").RedirectToProvider();
}
else
{
    // We got a response - check it's valid
    if (openId.Response.Status == AuthenticationStatus.Authenticated
     && openId.Response.ClaimedIdentifier == "blah_blah")
    {
    }
}
```

Now, I have some questions:

  1. Is it safe to run this once, capture ClaimedIdentifier and put it in there? Will it always be the same?

  2. Is it safe to hard-code it there? (Is it secret? If a user did see it, would that compromise anything? Can a user forge this? Can only Google cause ClaimedIdentifiers starting with their url?)

I've tried the docs, but they're a little sparse and I'm having trouble finding answers to these questions.

**Edit:** I may have answered my own question. I used a meta-tag on my website (openid.delegate) so that I could use my blog url instead of a nasty Google url for logging in. When I login via Google, it returns ClaimedIdentifier as my blog url. This makes me think anybody could go to my login page, login as their own Google account and it would return them to my blog with my own ClaimedIdentifier.

  1. How am I supposed to validate a user when ClaimedIdentifier seems so easily forged?
A: 

After much messing around (and having a friend try to login as me), I think I have the answer...

The tag in my website includes my Google username, and if I try to login as a different user for a request using my blog url, it appears to fail (in Google not sending me back to the website I was logging into, rather than it sending me back as failed).

This makes me think that returning my own url as the ClaimedIdentity is secure, cannot be faked, etc. etc.

Danny Tuppeny
+3  A: 

Hi Danny,

Yes, storing the Claimed Identifier is safe, and that value is not secret, so it is not a security compromise if that code with the claimed_id value in there was leaked.

Yes, it must always be the same or else users could not regain access to accounts they've created. That being said, Google is unique in that if the Realm URL were to ever change for your web site, Google would start sending all new claimed_id's to your site. So as long as the realm remains constant, so will the claimed_id. Since you're using DotNetOpenId, the default realm is just your web site root URL, so it will presumably remain constant unless you change the URL your site is hosted at.

As you've determined, the claimed_id cannot be so easily forged. If it were, then OpenID is truly useless.

Andrew Arnott
Thanks for the response - I feel safer now! :D I was sure it must be safe (else as you say, openID would be useless), but I wasn't sure if the claimed_id was a one-time temp token (the original Google one looks a bit random). Everything is clear now :)
Danny Tuppeny
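
A sketch of the single-owner login discussed in this thread, with the realm pinned and the stored claimed_id compared exactly. This is an added example, not code from either poster or from the DotNetOpenId project. It assumes DotNetOpenId 2.x with its `CreateRequest(Identifier, Realm)` overload; the `OwnerLogin` class and the `OwnerClaimedId` and `OpenIdRealm` appSettings keys are hypothetical names.

```csharp
using System;
using System.Configuration;
using System.Web.Security;
using DotNetOpenId;
using DotNetOpenId.RelyingParty;

public static class OwnerLogin // hypothetical helper, not part of DotNetOpenId
{
    // Hypothetical appSettings keys. The claimed_id is not secret, so plain config is enough.
    static readonly string OwnerClaimedId = ConfigurationManager.AppSettings["OwnerClaimedId"];
    static readonly string PinnedRealm = ConfigurationManager.AppSettings["OpenIdRealm"];

    // Call from the login page's Page_Load.
    public static void Handle()
    {
        var openId = new OpenIdRelyingParty();
        IAuthenticationResponse response = openId.Response;

        if (response == null)
        {
            // Pin the realm instead of relying on the default (the site root URL).
            // Google issues claimed_ids per realm, so a realm that drifts with the
            // host name would make the stored identifier stop matching.
            // The realm must still cover the URL of this login page.
            openId.CreateRequest("https://www.google.com/accounts/o8/id", new Realm(PinnedRealm))
                  .RedirectToProvider();
            return;
        }

        // Only trust values taken from a response the library reports as Authenticated;
        // do not read openid.claimed_id from the query string directly.
        if (response.Status != AuthenticationStatus.Authenticated)
            return; // Canceled, Failed or SetupRequired: the visitor stays anonymous

        if (IsOwner(response.ClaimedIdentifier.ToString()))
            FormsAuthentication.RedirectFromLoginPage(OwnerClaimedId, false);
    }

    // Exact, case-sensitive match: no prefix or substring tests against the provider URL.
    public static bool IsOwner(string claimedId)
    {
        return !string.IsNullOrEmpty(OwnerClaimedId)
            && string.Equals(claimedId, OwnerClaimedId, StringComparison.Ordinal);
    }
}
```

If `OwnerClaimedId` is missing from configuration, `IsOwner` returns false for every visitor, so a misconfigured deployment fails closed.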