OpenID: is the identifier URL unique? what are the differences between the identifiers
Asked Answered
F

3

14

In the OpenID specs, it says:

  • Identifier:

An Identifier is just a URL. The whole flow of the OpenID Authentication protocol is about proving that an End User is, owns, a URL.

  • Claimed Identifier:

An Identifier that the End User says they own, though that has not yet been verified by the Consumer.

  • Verified Identifier:

An Identifier that the End User has proven to a Consumer that they own.

  • Identity Provider:

Also called "IdP" or "Server". This is the OpenID Authentication server that a Consumer contacts for cryptographic proof that the End User owns the Claimed Identifier. How the End User authenticates to their Identity Provider is outside of the scope of OpenID Authenticaiton.

  • Is the identifier URL unique? What exactly is it?

  • If it is not unique, is there anything unique so that the consumer can differ between different users on the same OpenID endpoint URL?

  • What is the difference between the IdP and the identifier URL?

At other places, I have read the term "OpenID endpoint URL".

  • Is the OpenID endpoint URL the same as the IdP? So the IdP is also an URL?

Let's take Googles OpenID as an example. When some site asks me for an OpenID login, I use the OpenID URL https://www.google.com/accounts/o8/id. Is that the identifier URL? If so, it is clearly not unique. Often, when I check back in my account settings on that site about my OpenID login, it does not show that entered URL but it has extended it somehow like https://www.google.com/accounts/o8/id?id=AltOawk.... That URL now seems kind of unique.

  • What is now the purpose of https://www.google.com/accounts/o8/id? Is that the OpenID endpoint URL? Or is that the IdP URL (if that is something different)?

  • And what is the purpose of https://www.google.com/accounts/o8/id?id=AltOawk...? Is that really unique and always the same for my Google account? So that URL is what identifies me?

  • Why haven't they used https://www.google.com/accounts/o8/id?u={google-username} instead of this cryptic ...?id=AltOawk...?

  • What is the identifier URL in case of Google?

  • What is the OpenID endpoint URL? (What is the IdP URL?)

The reason I am asking is because I am trying to implement my own OpenID endpoint.

  • Is the OpenID endpoint URL the same as the identifier URL?

In my OpenID endpoint implementation, I have exactly that problem, that it cannot differ between different users. A consumer website just takes all users on that OpenID endpoint as the same. Of course it is always the same OpenID URL but that is also the case for Googles OpenID.

  • If the end user uses this "general" URL, how can I redirect/forward it in my OpenID endpoint implementation to the "concrete"/unique (identifier?) URL? Or how can I make it distinguish between different end users on the same OpenID URL?

In my current implementation, when I enable some debug tracing, the first request I get is the mode checkid_setup. In the specs, it says I am getting the Claimed Identifier here. Because of what I have entered on the consumer site (and my debug trace says the same), that is the "general" URL (the OpenID endpoint URL). I.e. that is not the unique URL.

  • Do I have to do the redirect at that point now? The specs doesn't say anything about it. Where do I tell the "concrete" URL? (In my case, that is the URL http://{endpoint-url}?u={endpoint-username}.)

There are also the terms "OpenID server" (URL) and "OpenID delegate" (URL).

  • How do these terms relate to the other terms above? All the same as OpenID endpoint URL?

  • What is the "OpenID identity"? The same as the OpenID identifier URL?


See also the related question: How does OpenID differ between different logins on the same OpenID endpoint?

(Meta question: Should I maybe split this up in a lot of independent SO questions? I'm afraid that I may not get answers for all my questions otherwise.)

Fillin answered 15/7, 2010 at 22:21 Comment(0)
F
5

Ok, as I just have fixed my SMF OpenID endpoint implementation (read details about some very related problems I had here) where I made a few assumptions on those relations. Of course that doesn't prove them right (so please correct me). Here they are:

  • Identifier URL = OpenID endpoint URL = IdP

  • The OpenID endpoint is not unique. It is the same for all end users of that endpoint.

  • Verified identifier URL = identity

  • Verified identifier URL is unique. It is associated to the endpoint user account.

  • https://www.google.com/accounts/o8/id is the Google OpenID endpoint URL.

  • https://www.google.com/accounts/o8/id?id=AltOawk... is the Google OpenID verified identifier URL.

  • The hash the Google OpenID identity URL contains is also related to the OpenID realm (the consumer domain namespace where this OpenID identifier stays valid). That is one of the reasons to not be just the username.

  • About how to provide the unique verified identifier URL, see here.

Still some things remain unclear to me:

  • What other reasons are there that Google uses for the hashed id; it could have also used id?u={username}&oidrealm={...}.

  • What is the reason to have such OpenID realm at all?

  • What exactly is the difference between identifier URL and claimed identifier URL?

Fillin answered 16/7, 2010 at 0:36 Comment(2)
Why not id?u={username}&oidrealm={...} but a "hash"? One reason could be that perhaps your email address can be derived from your username? (Gmail username?) And you might not want to give away your email to the Relying Party. Another reason could be that you don't even want to give away your username (even if it cannot be mapped to your email), because of privacy issues.Candlewick
Here I found an answer from Google (I think): We have chosen to make the identifiers realm-specific to provide a measure of privacy to our users. For instance, you can create a site that provides services to Google Accounts users, without having to learn their identities at GoogleCandlewick
C
2

Here is my understanding. I am actually just answering the last two questions in your own answer. Hope someone finds these useful.

What is the reason to have such OpenID realm at all?

The realm is used for security. Basically the return_url is checked against the realm, and OpenID specs say they MUST match. Google has taken this one step further, and provides unique verified identifiers for each realm. They might have done as you suggested, and put the realm back in their identifier, but then you could tell by looking at two verified identifiers whether they were the same end-user or not. I think they are trying to keep their identifiers free of identifying information. (ironic, no?)

What exactly is the difference between identifier URL and claimed identifier URL?

The claimed identifier is the one the end-user has specified. This is not their unique identifier. Yahoo is a good example of this. They allow you to specify yahoo.com as your identifier, log into your yahoo account, and return a unique identifier to the openid consumer. This just simplifies the process for the end-user. (And increases the likelihood that they'll use yahoo.com as their openid!)

Cellulitis answered 31/8, 2010 at 21:21 Comment(0)
V
2

And what is the purpose of https://www.google.com/accounts/o8/id?id=AltOawk...? Is that really unique and always the same for my Google account? So that URL is what identifies me?

If I've understood everything correctly, the answer is "Yes it is!"

Why haven't they used https://www.google.com/accounts/o8/id?u={google-username} instead of this cryptic ...?id=AltOawk...?

I guess they want to be safe for future changes to your account, if you for example (now or in the future) would be able to change your username, then you would probably like that to be reflected in your OpenId-claimed-identifier as well - but then you would be in trouble! all your registrations for your old claimed identifier would not be assessible. Read more here: http://wiki.openid.net/w/page/12995200/OpenID-Security-Best-Practices and here: http://blog.nerdbank.net/2008/07/case-for-case-sensitive-openid-url.html

Verde answered 18/5, 2011 at 21:43 Comment(1)
Concerning "Yes it is!": It varies by realm, actually. If you sign in with Gmail to example.com and to anotherdomain.com, you'd get different hashes. Why? It's also a privacy issue I suppose (in addition to the reason you mentioned). Since you don't get the same id=... "hash" when you visit different sites, so you can be very anonymous should you want to.Candlewick

© 2022 - 2024 — McMap. All rights reserved.