Why does the ID of Google's OpenID implementation change?
I'm trying to implement OpenID login for a web application. Whenever a new user logs in via OpenID, I create a new user on the system, and among the data I store their OpenID URL, so that next time they log in as that user.

I'm testing this with my Gmail OpenID, and the problem is that every time I do this, Google sends a different OpenID URL, that is, https://www.google.com/accounts/o8/id?id=SomethingThatChangesFromTimeToTime

Of course I'm then not able to tell whether this is a new user or not. I'm a bit puzzled: shouldn't the OpenID identifier always remain the same?

Divorcee answered 21/4, 2010 at 16:10 Comment(4)
Try to use more question marks and exclamation marks!?!?Audient
I usually don't do that, but I was really bewildered at this behaviour. I expected the advantage of OpenId was to have a unique URL to identify yourself, rather than relying on a provider that assigns one for you every time.Divorcee
Even I had the same issue, but on digging further I found out that the domain sent for the authentication request in my case is the same string; still it's giving different values in different browsers. I tested it in FF and Chrome. Not sure what I am missing here.Teleutospore
Has this been fixed by Google yet? This defeats the very purpose of openID. I don't understand the rationale behind this.Crosier
Google's OpenID identifier is more or less a hashed representation of multiple data, including the host the request came from (more exactly, the openid.realm parameter sent to the provider). So if your host changes from time to time (like when the port and IP address change), then the ID will change from time to time too. StackOverflow uses a workaround for this issue too. Check these posts:

Here is an FAQ excerpt from Google:

Q: The OpenID spec says that the openid.realm is optional, and that if not provided, Google should use the openid.return_to URL instead. Will that work?

A: It will work in the sense that the protocol will complete successfully. But if your return_to URL is something like www.example.com/authenticate?style=openid-federated_login, you are asking us to prompt users to approve and trust a specific address at your site, which is not user-friendly. Also, if you omit the openid.realm parameter, you will never be able to change your return_to URL: It will also implicitly change the realm and the URL identifiers of your Google Account users.

Scurrilous answered 21/4, 2010 at 16:21 Comment(3)
I'm just doing two authentications from the same (local) host, a few seconds away one from the other. So I guess nothing is changing; yet I obtain different identities (openid.identity).Divorcee
Log the communication between your app and Google. Major OpenID frameworks support this. Check whether the request is the same for both of your queries or not.Scurrilous
SztupY: "including the host the request came from" is not strictly true. The variable here is the openid.realm parameter, which is not tied to where the request came from but rather where the response will be sent to (which may be a very different thing, but often is the same thing).Archibold
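As an added example that is not part of the original thread (the function names and the example provider secret are mine, and the identity derivation is a constructed model, not Google's actual scheme), here is how a relying party pins openid.realm to a configured value and checks return_to against it per the OpenID 2.0 realm rules, plus a toy per-realm identifier showing why a changing realm yields a changing ID:

```python
import hmac
import hashlib
from urllib.parse import urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def return_to_matches_realm(realm: str, return_to: str) -> bool:
    """OpenID 2.0 (section 9.2) realm matching: same scheme and port, host equal
    (or under a '*.' wildcard), path equal to or beneath the realm path, no fragment."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or not r.hostname or (r.scheme, r.port) != (u.scheme, u.port):
        return False
    rhost, uhost = r.hostname.lower(), (u.hostname or "").lower()
    if rhost.startswith("*."):  # wildcard realm: accept the bare domain or any subdomain
        if uhost != rhost[2:] and not uhost.endswith(rhost[1:]):
            return False
    elif rhost != uhost:
        return False
    rpath = r.path if r.path.endswith("/") else r.path + "/"
    upath = u.path or "/"
    return upath == r.path or upath.startswith(rpath)


def checkid_setup_params(realm: str, return_to: str) -> dict:
    """Build the OpenID 2.0 checkid_setup parameters with the realm pinned to a
    configured value instead of whatever host/port the current request arrived on."""
    if not return_to_matches_realm(realm, return_to):
        raise ValueError("openid.return_to must lie within openid.realm")
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }


def toy_directed_identity(op_secret: bytes, account: str, realm: str) -> str:
    """Constructed stand-in for a provider's per-realm (pairwise) identifier.
    NOT Google's algorithm; it only shows the property the answer describes:
    same account + same realm -> same URL, any change of realm -> a new URL."""
    tag = hmac.new(op_secret, f"{account}\0{realm}".encode(), hashlib.sha256).hexdigest()
    return "https://op.example/id?id=" + tag[:32]
```

The realm comes from configuration; if it were derived from the incoming Host header, a request arriving on a different port or IP would silently change the realm and, with it, every user's stored identifier.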
