tags:

views:

220

answers:

1
+1  Q: 

Why does the ID of Google's OpenID implementation change?

I'm trying to implement OpenId login for a web application. Whenever new user who logs in via OpenId I create a new user on the sustem, and among the data I store their openid URL, so that next time they login with that user.

I'm testing this with my Gmail OpenID, and the problem is that everytime I do this, Google sends a different openid URL, that is, https://www.google.com/accounts/o8/id?id=SomethingThatChangesFromTimeToTime

Of course I'm then not able to tell wheter this is or not a new user. I'm a bit puzzled: shouldn't the openid identifier always remain the same?

+7  A: 

Google's OpenID identifier is more or less a hashed representation of multiple data including the host the request came from (more exactly the openid.realm parameter sent to the provider). So if your host changes from time to time (like the port and ip address changes), then the ID will change from time to time too. StackOverflow uses a workaround for this issue too. Check these posts:

Here is an FAQ excerpt from google:

Q: The OpenID spec says that the openid.realm is optional, and that if not provided, Google should use the openid.return_to URL instead. Will that work?

A: It will work in the sense that the protocol will complete successfully. But if your return_to URL is something like www.example.com/authenticate?style=openid-federated_login, you are asking us to prompt users to approve and trust a specific address at your site, which is not user-friendly. Also, if you omit the openid.realm parameter, you will never be able to change your return_to URL: It will also implicitly change the realm and the URL identifiers of your Google Account users.

More details can be found in this Google Groups post

SztupY  2010-04-21 16:21:47
I'm just doing two authentications from the same (local) host, a few seconds away one from the other. So I guess nothing is changing; yet I obtain different identities (openid.identity).
Andrea  2010-04-21 17:16:16
log the communication between your app and google. Major oid frameworks support this. Check whether the request is the same for both of your queries or not.
SztupY  2010-04-21 17:36:39
SztupY: "including the host the request came from" is not strictly true. The variable here is the openid.realm parameter, which is not tied to where the request came from but rather where the response will be sent to (which may be a very different thing, but often is the same thing).
Andrew Arnott  2010-04-22 03:21:26
Oh, forgot to change that after I read the FAQ at google
SztupY  2010-04-22 09:42:24

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?