I am trying to implement an own OpenID endpoint based on SMF user accounts. I based my code on phpMyOpenID and some SMF authorization code.
It works fine so far. I can use the endpoint to login/register on any site. If I am not logged in on the SMF, it will ask for my login and if that SMF login is successful, it accepts it.
However, it seems that it doesn't differ between different SMF logins. I.e. another user reported that he tried to use the endpoint on site X, logged in with his SMF account and landed on my user account on site X (I have registered the OpenID endpoint earlier on that site).
I guess I must send somehow the SMF login or make it somehow unique per SMF login. As it is probably trivial what I have to do, I thought I'd ask here on SO -- maybe there are also more things I need to fix.
The code (just PHP), if you want to take a look, is here: http://github.com/albertz/smf-openid-server
Or maybe just describe what I need to do to make it unique for each SMF login.
Another project I am planning is an OpenID client in a multiplayer C++ game. The hoster will have the option to allow only logins from people who can authenticate via OpenID. Also I want to make it possible to allow only certain people to login. What is a common way to get a unique string based on an OpenID login? In this case, I thought of something like http://{smf-openid-endpoint}/{smf-user}
or http://www.google.de/profiles/{google-user}
. What is a canonical way to get such a string?
I think this other question may be related to my main question, that is why I am putting it also here.
See also the related question: Is the identifier URL unique? What are the different terms?