Is Google the only OpenID provider that requires "identifier_select"?

I am developing an OpenID consumer in PHP and am using the fantastic LightOpenID library (http://gitorious.org/lightopenid). Basing my code off of that found in the example client script I have successfully created a consumer. However, I've run across a snag: Google requires the openid.identity and openid.claimed_id to be set to "http://specs.openid.net/auth/2.0/identifier_select" (see here). If I do that it works but other providers (i.e. AOL) don't.

Here are my questions:

  1. Is Google a corner case, i.e. is it the only OpenID provider where identifier_select is required, contrary to the OpenID specs?
  2. Is there a shortcoming in the LightOpenID library?
  3. Is my understanding of how OpenID works incorrect?
  4. If Google is not the only provider that requires identifier_select are there a finite number of them which I'll just hardcode in, or is there someway to determine this through the OpenID spec?

I'm new to the internals of OpenID so I wouldn't be surprised if this is a dumb question. I haven't been able to find any info on this subject after scouring the Internet.

Yorgo asked 10/6, 2010 at 15:17
Certainly not a dumb question (if they exist), you even provided ample information, relevant links, well-formulated questions and a note that you actually looked for this yourself! (Careerist)

Google isn't contradicting the spec. The OpenID 2.0 spec absolutely allows for identifier_select flows, which enable something called "directed identity"; Google is the only notable OP (that I know of) that actually exercises the ability to do so.

And yes, a fully and correctly implemented OpenID RP library will automatically notice that Google (and any other OP like it) requires identifier_select as it's part of the identifier discovery step that picks up on this. Sorry about the library you're using, but it sounds like it's causing you grief due to perhaps being an incomplete implementation of OpenID.

And by the way, AOL does support identifier_select.

Merrymaking answered 11/6, 2010 at 3:50
Looks like I'll just have to extend the library (LightOpenID). The two popular PHP OpenID libraries (the Zend component and JanRain's PHP-OpenID) offer more flexibility than I need and don't have as nice of an interface as LightOpenID does. Wish me luck! (Yorgo)
I think the majority support directed identity, including myopenid and yahoo. (Topography)
Artefacto, I think you're confusing directed identity with identifier_select, which are different things. Identifier_select is the OP Identifier-initiated OpenID experience where the user doesn't have to know his own identifier. "Directed identity" is where the OP provides a pairwise unique identifier for each RP the user logs into. Yahoo for example supports identifier_select, but not directed identity. (Merrymaking)

The LightOpenID author here.

  1. The spec allows it, so it probably isn't the only one (other answers mention Yahoo)
  2. No, there isn't – LightOpenID supports this. (see example-google.php in the library).
  3. You still need to know a discovery url, so you need to know the provider. Or tell users to enter https://www.google.com/accounts/o8/id as their identity.

Note that this answer is about the newest version of my library, which was pushed after this question was asked. For anyone still struggling with this problem, please download the newest version.

Heartwhole answered 15/6, 2010 at 19:25
Mewp, thanks for the update to your library that you pushed only a couple days ago. Now the use of "identifier_select" is automatic (i.e. built into the discovery process), which means use of LightOpenID will function the same way for all providers. Thanks again, keep up the great work. I love your library; such clean (read 'readable') code is rare. (Yorgo)
I've just fallen into the OpenID seduction, I just wanted to say that I absolutely love your class. I'm still pretty green to the OpenID concept; I've spent all night reading about it but I still can't quite understand the AXs and SREGs - but tomorrow is another day! Also, would you mind if I tried to fork your code and release it as part of my OSS project (sf.net/projects/phunction), also MIT licensed? (Kloof)
@Alix Axel: Since your project is MIT licensed, you surely know that the license allows it. In other words: of course you can, as long as you don't claim you wrote it. Also, you don't have to understand in depth how SREG/AX works. It's just a method of fetching additional information about a user, and you can mark it as optional or required. The only thing you need to know is AX field names, which can be found at axschema.org/types. If you have any additional questions, just message me. (Heartwhole)
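Merrymaking's point that discovery itself tells the RP when identifier_select is needed, and Heartwhole's point that you still have to know a discovery URL, both come down to one distinction in OpenID 2.0 discovery: an XRDS document advertising the service type http://specs.openid.net/auth/2.0/server describes an OP Identifier (such as https://www.google.com/accounts/o8/id), so the RP sets openid.claimed_id and openid.identity to identifier_select; the http://specs.openid.net/auth/2.0/signon type describes a Claimed Identifier, which the RP sends as-is. The Python below is an added example, not LightOpenID code and not anything from the page, showing that decision and the check an RP must do afterwards: because the real claimed_id only arrives in the OP's positive assertion, the RP has to run discovery on the asserted claimed_id and confirm that the endpoint which signed the assertion is authoritative for it (OpenID 2.0 section 11.2); skipping that lets any OP assert any identity. The XRDS documents, the Google endpoint URL https://www.google.com/accounts/o8/ud, the ?id=EXAMPLE-OPAQUE-ID value and the example.org identifiers are constructed assumptions; Yadis HTTP fetching, associations and signature verification are left out.

```python
"""OpenID 2.0 Relying Party: discovery decides identifier_select, then the positive
assertion is checked by re-running discovery on the asserted claimed_id.
Added example (not LightOpenID code); XRDS documents, identifiers and endpoints are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

NS = "{xri://$xrd*($v*2.0)}"
OPENID2_NS = "http://specs.openid.net/auth/2.0"
TYPE_OP_IDENTIFIER = OPENID2_NS + "/server"   # OP Identifier: the OP picks the account
TYPE_CLAIMED_ID = OPENID2_NS + "/signon"      # Claimed Identifier owned by one user
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"


def _xrds(service_type, endpoint, local_id=None):
    """Build a minimal XRDS document (constructed test data)."""
    local = f"<LocalID>{local_id}</LocalID>" if local_id else ""
    return (f'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>'
            f'<Service priority="10"><Type>{service_type}</Type>'
            f'<URI>{endpoint}</URI>{local}</Service></XRD></xrds:XRDS>')


XRDS_FIXTURES = {
    # Google's OP Identifier (named on the page) advertises the "server" type, so the RP
    # must send identifier_select. The /o8/ud endpoint URL is an assumption of this example.
    "https://www.google.com/accounts/o8/id":
        _xrds(TYPE_OP_IDENTIFIER, "https://www.google.com/accounts/o8/ud"),
    # The per-user Claimed Identifier the OP hands back in its assertion (constructed value).
    "https://www.google.com/accounts/o8/id?id=EXAMPLE-OPAQUE-ID":
        _xrds(TYPE_CLAIMED_ID, "https://www.google.com/accounts/o8/ud"),
    # A user-owned identifier delegated to a separate OP (constructed).
    "http://alice.example.org/":
        _xrds(TYPE_CLAIMED_ID, "https://op.example.org/server", "https://op.example.org/alice"),
}


def normalize(user_input):
    """OpenID 2.0 section 7.2 identifier normalisation, reduced to what the fixtures need."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.netloc}{p.path or '/'}{query}"


def discover(user_input, fetch=XRDS_FIXTURES.get):
    """Return OP endpoint plus the claimed_id/identity to send; `fetch` stands in for Yadis."""
    url = normalize(user_input)
    xml_text = fetch(url)
    if xml_text is None:
        raise ValueError(f"no XRDS for {url}")
    services = sorted(ET.fromstring(xml_text).iter(NS + "Service"),
                      key=lambda s: int(s.get("priority", 2**31 - 1)))
    for svc in services:
        types = {t.text.strip() for t in svc.findall(NS + "Type") if t.text}
        uri = (svc.findtext(NS + "URI") or "").strip()
        if not uri:
            continue
        if TYPE_OP_IDENTIFIER in types:
            # OP Identifier: the user is not known yet, so ask the OP to select the account.
            return {"endpoint": uri, "claimed_id": IDENTIFIER_SELECT, "identity": IDENTIFIER_SELECT}
        if TYPE_CLAIMED_ID in types:
            local = (svc.findtext(NS + "LocalID") or url).strip()
            return {"endpoint": uri, "claimed_id": url, "identity": local}
    raise ValueError(f"no OpenID 2.0 service in XRDS for {url}")


def checkid_setup_url(disc, return_to, realm):
    """Redirect URL for the authentication request built from a discovery result."""
    params = {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": disc["claimed_id"], "openid.identity": disc["identity"],
              "openid.return_to": return_to, "openid.realm": realm}
    return disc["endpoint"] + "?" + urlencode(params)


def asserted_identity_is_valid(response, expected_endpoint, fetch=XRDS_FIXTURES.get):
    """Section 11.2 check: after identifier_select the claimed_id in the response is untrusted
    until discovery on it shows the signing endpoint is authoritative for it.
    Signature verification (section 11.4) is a separate step not shown here."""
    claimed = response.get("openid.claimed_id", "")
    if not claimed or claimed == IDENTIFIER_SELECT:
        return False   # the OP must replace the placeholder with a real identifier
    if response.get("openid.op_endpoint") != expected_endpoint:
        return False   # signed by an endpoint we never redirected the user to
    try:
        disc = discover(claimed, fetch)
    except ValueError:
        return False
    return (disc["endpoint"] == expected_endpoint
            and disc["claimed_id"] == normalize(claimed)
            and disc["identity"] == response.get("openid.identity"))


if __name__ == "__main__":
    disc = discover("https://www.google.com/accounts/o8/id")
    print(checkid_setup_url(disc, "https://rp.example.com/return", "https://rp.example.com/"))
    gid = "https://www.google.com/accounts/o8/id?id=EXAMPLE-OPAQUE-ID"   # constructed response
    print(asserted_identity_is_valid({"openid.op_endpoint": disc["endpoint"],
                                      "openid.claimed_id": gid, "openid.identity": gid},
                                     disc["endpoint"]))
```

The same `discover` function serves both halves: before the redirect it turns an OP Identifier into identifier_select (or a Claimed Identifier into a concrete claimed_id and OP-Local Identifier), and after the redirect it is run again on whatever claimed_id the OP asserted, so an assertion that names an identifier whose own discovery points at a different endpoint is rejected.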

This is used to authenticate in OP Driven ID Selection mode. It's less common but not a corner case. Among all the OP providers I use, I noticed Google and Yahoo require this.

This is required to support Directed Identity in OpenID 2.0. Basically, you get a different OpenID for each different website. There is a push to move to this model by privacy advocates so I think you will have to support this sooner or later.

Berga answered 10/6, 2010 at 19:31
Is there any way to detect that the provider requires Directed Identity before redirecting the user? I can hardcode support for Yahoo and Google but I've still got my hopes up looking for a more flexible solution. There's probably something in the OpenID specs that I'm missing, something obvious. (Yorgo)
Unlike OpenID 1.0, you have to do some provisioning work for an OpenID 2.0 provider. For example, you need to plaster your site with NASCAR logos because you can't expect users to know what that OpenID 2.0 URL is. You can just add a flag to your site configuration for this. (Berga)

© 2022 - 2024 — McMap. All rights reserved.