views:

70

answers:

2

In the OpenID specs, it says:

  • Identifier:

An Identifier is just a URL. The whole flow of the OpenID Authentication protocol is about proving that an End User is, owns, a URL.

  • Claimed Identifier:

An Identifier that the End User says they own, though that has not yet been verified by the Consumer.

  • Verified Identifier:

An Identifier that the End User has proven to a Consumer that they own.

  • Identity Provider:

Also called "IdP" or "Server". This is the OpenID Authentication server that a Consumer contacts for cryptographic proof that the End User owns the Claimed Identifier. How the End User authenticates to their Identity Provider is outside of the scope of OpenID Authenticaiton.

  • Is the identifier URL unique? What exactly is it?

  • If it is not unique, is there anything unique so that the consumer can differ between different users on the same OpenID endpoint URL?

  • What is the difference between the IdP and the identifier URL?

At other places, I have read the term "OpenID endpoint URL".

  • Is the OpenID endpoint URL the same as the IdP? So the IdP is also an URL?

Let's take Googles OpenID as an example. When some site asks me for an OpenID login, I use the OpenID URL https://www.google.com/accounts/o8/id. Is that the identifier URL? If so, it is clearly not unique. Often, when I check back in my account settings on that site about my OpenID login, it does not show that entered URL but it has extended it somehow like https://www.google.com/accounts/o8/id?id=AltOawk.... That URL now seems kind of unique.

  • What is now the purpose of https://www.google.com/accounts/o8/id? Is that the OpenID endpoint URL? Or is that the IdP URL (if that is something different)?

  • And what is the purpose of https://www.google.com/accounts/o8/id?id=AltOawk...? Is that really unique and always the same for my Google account? So that URL is what identifies me?

  • Why haven't they used https://www.google.com/accounts/o8/id?u={google-username} instead of this cryptic ...?id=AltOawk...?

  • What is the identifier URL in case of Google?

  • What is the OpenID endpoint URL? (What is the IdP URL?)

The reason I am asking is because I am trying to implement my own OpenID endpoint.

  • Is the OpenID endpoint URL the same as the identifier URL?

In my OpenID endpoint implementation, I have exactly that problem, that it cannot differ between different users. A consumer website just takes all users on that OpenID endpoint as the same. Of course it is always the same OpenID URL but that is also the case for Googles OpenID.

  • If the end user uses this "general" URL, how can I redirect/forward it in my OpenID endpoint implementation to the "concrete"/unique (identifier?) URL? Or how can I make it distinguish between different end users on the same OpenID URL?

In my current implementation, when I enable some debug tracing, the first request I get is the mode checkid_setup. In the specs, it says I am getting the Claimed Identifier here. Because of what I have entered on the consumer site (and my debug trace says the same), that is the "general" URL (the OpenID endpoint URL). I.e. that is not the unique URL.

  • Do I have to do the redirect at that point now? The specs doesn't say anything about it. Where do I tell the "concrete" URL? (In my case, that is the URL http://{endpoint-url}?u={endpoint-username}.)

There are also the terms "OpenID server" (URL) and "OpenID delegate" (URL).

  • How do these terms relate to the other terms above? All the same as OpenID endpoint URL?

  • What is the "OpenID identity"? The same as the OpenID identifier URL?


See also the related question: How does OpenID differ between different logins on the same OpenID endpoint?

(Meta question: Should I maybe split this up in a lot of independent SO questions? I'm afraid that I may not get answers for all my questions otherwise.)

A: 

Ok, as I just have fixed my SMF OpenID endpoint implementation (read details about some very related problems I had here) where I made a few assumptions on those relations. Of course that doesn't prove them right (so please correct me). Here they are:

  • Identifier URL = OpenID endpoint URL = IdP

  • The OpenID endpoint is not unique. It is the same for all end users of that endpoint.

  • Verified identifier URL = identity

  • Verified identifier URL is unique. It is associated to the endpoint user account.

  • https://www.google.com/accounts/o8/id is the Google OpenID endpoint URL.

  • https://www.google.com/accounts/o8/id?id=AltOawk... is the Google OpenID verified identifier URL.

  • The hash the Google OpenID identity URL contains is also related to the OpenID realm (the consumer domain namespace where this OpenID identifier stays valid). That is one of the reasons to not be just the username.

  • About how to provide the unique verified identifier URL, see here.

Still some things remain unclear to me:

  • What other reasons are there that Google uses for the hashed id; it could have also used id?u={username}&oidrealm={...}.

  • What is the reason to have such OpenID realm at all?

  • What exactly is the difference between identifier URL and claimed identifier URL?

Albert
A: 

Here is my understanding. I am actually just answering the last two questions in your own answer. Hope someone finds these useful.

What is the reason to have such OpenID realm at all?

The realm is used for security. Basically the return_url is checked against the realm, and OpenID specs say they MUST match. Google has taken this one step further, and provides unique verified identifiers for each realm. They might have done as you suggested, and put the realm back in their identifier, but then you could tell by looking at two verified identifiers whether they were the same end-user or not. I think they are trying to keep their identifiers free of identifying information. (ironic, no?)

What exactly is the difference between identifier URL and claimed identifier URL?

The claimed identifier is the one the end-user has specified. This is not their unique identifier. Yahoo is a good example of this. They allow you to specify yahoo.com as your identifier, log into your yahoo account, and return a unique identifier to the openid consumer. This just simplifies the process for the end-user. (And increases the likelihood that they'll use yahoo.com as their openid!)

livingtech