tags:

views:

479

answers:

5
+9  Q: 

Max length of an openID

I'm planning to add openid support for a web application I'm building. I can't seem to find the maximum length of a valid openid so I can store it in my database. I've seen some vague references to 255 but I'd rather be sure.

In addition is it useful to use the openid as the username (recommendations)?

+5  A: 

an OpenID is a URI, so you are limited by the maximum length of a URI. As far as I know there is no limit, but some browsers (such as Internet Explorer) have a limit.

Further reading:

http://openid.net/pipermail/general/2008-August/005305.html

Nippysaurus  2009-04-16 02:47:50
Thanks that was useful.
Ruggs  2009-04-16 03:39:23
Your link indicates that the maximum length of an Identifier Uri in OpenId 2.0 is currently unspecified. The maximum length of a URL is also unspecified, but different browsers have different limits. Internet Explorer currently has the shortest limit, 2083 characters. http://support.microsoft.com/kb/208427
dthrasher  2009-12-23 15:14:51
+2  A: 

I would not use the OpenID directly as the username. Just have a look at the OpenID URLs that Yahoo provides to users, they're incomprehensible. Allow users to choose their own username, and ideally allow multiple OpenID URLs to be associated with one user account (like Stack Overflow does).

Greg Hewgill  2009-04-16 02:55:53
I will be storing the openid in a separate table from the user database so it will support multiple openids.
Ruggs  2009-04-16 03:37:53
+1  A: 

There isn't an official length in version 2.0 of the spec.

You can hash the URL provided into something unique (md5, or some other repeatable hash) and store that in your DB as a much shorter string.

As for using it as a username, a big url is not pretty. You can extract a username from the responses (SO got my username directly from my OpenID)

Darryl E. Clarke  2009-04-16 02:59:08
I never thought of storing it as a hash. That makes sense.
Ruggs  2009-04-16 03:40:11
REALLY bad idea. MD5 and SHA-1 have been broken, so I could hack into your RP as anyone I wished just by contriving a claimed id that hashed to the same value. You _could_ mitigate this by uniquely salting each hash, but it's by far bes to just store the whole thing.
Andrew Arnott  2009-04-17 03:02:52
So how would you send the md5/sha-1 hash from the provider? OpenID responses must come from the trusted provider to be valid in the first place.
Ruggs  2009-04-17 05:59:25
I'm not talking about sending the hash to or receiving it form the provider. I'm also not talking about the hash being shown anywhere to a front-end user. I'm merely talking about storing it as a means of using less DB storage, with a fixed, calculated size rather than an unknown length of any URL. The user will always have to provide a valid URL to login, my application would then validate using proper OpenID methods and then store a hash of the URL as a reference only.
Darryl E. Clarke  2009-04-17 15:20:47
It's still a bad idea. Yes, your application will still require the user to prove he owns an OpenID URL, but your application will still have to look in its local database to determine which local account that URL grants access to. If the database only stores hashes, any user who knows my OpenID can craft their own OpenID whose hash matches mine, and gain access to my account.
Forest  2010-05-18 19:57:17
+1  A: 

You should not accept any OpenID URL that is longer than 255. While it is possible, many can use this as an attack vector to pull off things like SQL Injection. Take a look at the OWASP AntiSAMY APIs as an additional protection.

jm04469  2009-04-19 11:50:11
+3  A: 

According to the specification for OpenId 1.1, the maximum limit for Identifier Urls is 255 bytes. See OpenId 1.1 Appendix D: Limits. Identity Provider and return_to Urls may be up to 2047 max bytes.

Note that this section on limits was removed from the OpenId 2.0 specification. So it's unclear what the maximum length is now.

dthrasher  2009-12-23 15:08:18

related questions

wcf max message size
ASP FileUpload file size issue
Can you set a permanent size for a JPanel inside of a JFrame?
What is the best way to stop a user from resizing the top-level window of an application written in WPF?
Dynamic Size in RDLC Report Files
How big are various CLR runtimes?
Get Drive Size in Java 5
How do I find the length (size) of a binary blob in sqlite
How can I get a file's size in C?
Where can I look up the definition of size_type for vectors in the C++ STL?
Get Application exe size easily
Is there any way of reducing the dump file size of a Sybase database?
How to find out size of session in ASP.NET from web application?
Stack Size for Kernel Development
Bad Database Design - Is my table too large?
What tools are available for providing a breakdown of the diskspace used by an SQL Server database
Size-coding competitions
How to efficiently count the number of keys/properties of an object in JavaScript?
How do I find out the size of a canvas item in Python/Tkinter?
How to get all datatype sizes and function stack footprint sizes in a C/C++ project?
How do I store the window size between sessions in Qt?
Max Table size you have seen in a MySQL DB
How do I strip the fluff out of a third party library?
Reduce ASP.NET menu control size (without 3rd party libraries)
Process size on UNIX