In the OpenID specs, it says:
- Identifier:
An Identifier is just a URL. The whole flow of the OpenID Authentication protocol is about proving that an End User is, owns, a URL.
- Claimed Identifier:
An Identifier that the End User says they own, though that has not yet been verified by the Consumer.
- Verified Identifier:
An Identifier that the End User has proven to a Consumer that they own.
- Identity Provider:
Also called "IdP" or "Server". This is the OpenID Authentication server that a Consumer contacts for cryptographic proof that the End User owns the Claimed Identifier. How the End User authenticates to their Identity Provider is outside of the scope of OpenID Authenticaiton.
Is the identifier URL unique? What exactly is it?
If it is not unique, is there anything unique so that the consumer can differ between different users on the same OpenID endpoint URL?
What is the difference between the IdP and the identifier URL?
At other places, I have read the term "OpenID endpoint URL".
- Is the OpenID endpoint URL the same as the IdP? So the IdP is also an URL?
Let's take Googles OpenID as an example. When some site asks me for an OpenID login, I use the OpenID URL https://www.google.com/accounts/o8/id
. Is that the identifier URL? If so, it is clearly not unique. Often, when I check back in my account settings on that site about my OpenID login, it does not show that entered URL but it has extended it somehow like https://www.google.com/accounts/o8/id?id=AltOawk...
. That URL now seems kind of unique.
What is now the purpose of
https://www.google.com/accounts/o8/id
? Is that the OpenID endpoint URL? Or is that the IdP URL (if that is something different)?And what is the purpose of
https://www.google.com/accounts/o8/id?id=AltOawk...
? Is that really unique and always the same for my Google account? So that URL is what identifies me?Why haven't they used
https://www.google.com/accounts/o8/id?u={google-username}
instead of this cryptic...?id=AltOawk...
?What is the identifier URL in case of Google?
What is the OpenID endpoint URL? (What is the IdP URL?)
The reason I am asking is because I am trying to implement my own OpenID endpoint.
- Is the OpenID endpoint URL the same as the identifier URL?
In my OpenID endpoint implementation, I have exactly that problem, that it cannot differ between different users. A consumer website just takes all users on that OpenID endpoint as the same. Of course it is always the same OpenID URL but that is also the case for Googles OpenID.
- If the end user uses this "general" URL, how can I redirect/forward it in my OpenID endpoint implementation to the "concrete"/unique (identifier?) URL? Or how can I make it distinguish between different end users on the same OpenID URL?
In my current implementation, when I enable some debug tracing, the first request I get is the mode checkid_setup. In the specs, it says I am getting the Claimed Identifier here. Because of what I have entered on the consumer site (and my debug trace says the same), that is the "general" URL (the OpenID endpoint URL). I.e. that is not the unique URL.
- Do I have to do the redirect at that point now? The specs doesn't say anything about it. Where do I tell the "concrete" URL? (In my case, that is the URL
http://{endpoint-url}?u={endpoint-username}
.)
There are also the terms "OpenID server" (URL) and "OpenID delegate" (URL).
How do these terms relate to the other terms above? All the same as OpenID endpoint URL?
What is the "OpenID identity"? The same as the OpenID identifier URL?
See also the related question: How does OpenID differ between different logins on the same OpenID endpoint?
(Meta question: Should I maybe split this up in a lot of independent SO questions? I'm afraid that I may not get answers for all my questions otherwise.)
id?u={username}&oidrealm={...}
but a "hash"? One reason could be that perhaps your email address can be derived from your username? (Gmail username?) And you might not want to give away your email to the Relying Party. Another reason could be that you don't even want to give away your username (even if it cannot be mapped to your email), because of privacy issues. – Candlewick