5

I've been toying with the JanRain OpenID PHP Library, mostly following along with a tutorial I found on ZendZone.

How does one distinguish between users - especially Google users, who all end up using the same OpenID URL, https://www.google.com/accounts/o8/id ?

Basically, I'm at the point where I can detect that they have an OpenID account... that they've successfully authenticated... but my app still doesn't know who they are; only that they authenticated.

To distinguish users, the tutorial uses a "Simple Registration request" to request the user's email of the OpenID provider - and then use email address to see if this is a returning user.

It wasn't working for me, and apparently won't work with some providers so I was excited when I stumbled upon a function getDisplayIdentifier.

<?php
require_once "Auth/OpenID/Consumer.php";
require_once "Auth/OpenID/FileStore.php";

// create file storage area for OpenID data (associations and nonces)
$store = new Auth_OpenID_FileStore('/wtv');
$consumer = new Auth_OpenID_Consumer($store);

// finish the round-trip; the argument must be the return_to URL the request was sent with
$oid_response = $consumer->complete("http://example.com/oir_return");
if ($oid_response->status == Auth_OpenID_SUCCESS) {
    // I assumed this would be a relatively permanent way to identify the user...
    // I was wrong.
    $hopefullyUniqueUserID = $oid_response->getDisplayIdentifier();
}

Unfortunately, after a couple of hours the value returned by getDisplayIdentifier changes.

Richard JP Le Guen
  • Please read the specification carefully. `https://www.google.com/accounts/o8/id` is the user-supplied identifier; the user doesn't necessarily claim he owns it. Its purpose may just be guiding the user to select an identifier, as is the case with Google. – Artefacto Jul 03 '10 at 11:25

4 Answers

5

Skimming the code, I think it's $oid_response->identity_url that you want. For me (albeit in DotNetOpenAuth not php-openid) that comes back as

https://www.google.com/accounts/o8/id?id=AItOawmqjknrgk6f9cNdPIVxW43GewJPa1ZW4GE

from Google, where the ID part is reproducible and hopefully unique to me. However I haven't left it a few hours to see if this changes, so apologies if this is what you already had from getDisplayIdentifier - but skimming the source it looks like it'd just use the first part, but then I'm no PHP expert.

Rup
  • That's identical to what `$oid_response->getDisplayIdentifier()` gave me... and I did leave it a few hours and it changed :'( Nonetheless, I'll try it. – Richard JP Le Guen Jul 01 '10 at 17:37
  • I'm awarding this answer the bounty, but waiting to accept it; I don't know why `getDisplayIdentifier()` (and `identity_url`) changed on me before as it seems to not be happening anymore. – Richard JP Le Guen Jul 03 '10 at 15:25
  • Cheers. Sorry, I don't have a good answer for that. For OpenID 2 I'm confident these are the correct values to use ( http://openid.net/specs/openid-authentication-2_0.html#positive_assertions http://openid.net/specs/openid-authentication-2_0.html#identifying ) and that it's called something similar in 1 ( http://openid.net/specs/openid-authentication-1_1.html#rfc.section.4.2.2.3 ). Skimming the JanRain code I had thought there was a separate 'display url' return as well, which is where I'd thought the confusion was coming from, but that's not actually in the spec after all. – Rup Jul 03 '10 at 15:56
  • Sorry Rup, but I figured out the problem, so I've unaccepted this one and accepted my own answer. – Richard JP Le Guen Jul 25 '10 at 13:43
  • No problem - I didn't know that about Google OpenIDs, happy to learn something! – Rup Jul 26 '10 at 08:34
2

The problem was that Google's OpenIDs are unique per domain; I had been absent-mindedly alternating between http://www.mysite.com and http://mysite.com, which caused the OpenID identity URL to change!

Richard JP Le Guen
1

According to the last paragraph below, you should definitely use the identity_url attribute of the response object (granted, this is in reference to the Python library, but the implementations are very similar):

The display identifier is related to the Claimed Identifier, but the two are not always identical. The display identifier is something the user should recognize as what they entered, whereas the response's claimed identifier (in the L{identity_url} attribute) may have extra information for better persistence.

URLs will be stripped of their fragments for display. XRIs will display the human-readable identifier (i-name) instead of the persistent identifier (i-number).

Use the display identifier in your user interface. Use L{identity_url} for querying your database or authorization server.

From the python-openid docs.

Dolph
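Putting the two points above together (the per-realm identifier the asker ran into in his own answer, and this answer's advice to key users on `identity_url`), here is an added example of a php-openid login flow that pins the realm to one canonical origin and stores `identity_url` as the user key. This is example code written for this page, not code from the question, from the Zend tutorial, or from the php-openid project. The `OPENID_REALM` and `OPENID_RETURN_TO` constants, the store path, the `$users` array standing in for a database, and the `beginLogin`/`finishLogin` function names are assumptions made for the example; the placeholder identifier in `$users` is constructed and not a real Google ID.

```php
<?php
require_once "Auth/OpenID/Consumer.php";
require_once "Auth/OpenID/FileStore.php";

// Assumed for this example: a single canonical realm (trust root). Google derives
// its per-site identifier from the realm, so sending http://mysite.com on one
// visit and http://www.mysite.com on the next yields two different identity_url
// values for the same person. Hard-coding the realm removes that variation.
define('OPENID_REALM', 'http://www.mysite.com/');
define('OPENID_RETURN_TO', OPENID_REALM . 'openid_return.php');

// Constructed stand-in for a users table: persistent identity_url => display name.
$users = array(
    'https://www.google.com/accounts/o8/id?id=EXAMPLE_PLACEHOLDER_ID' => 'Example user',
);

function makeConsumer()
{
    // assumed store location; must be writable by the web server
    $store = new Auth_OpenID_FileStore('/tmp/openid_store');
    return new Auth_OpenID_Consumer($store);
}

// Step 1: start the login. Always send the same realm, whatever host the
// browser happened to use to reach the site.
function beginLogin($openid_identifier)
{
    $consumer = makeConsumer();
    $auth_request = $consumer->begin($openid_identifier);
    if (!$auth_request) {
        return null; // discovery failed: not an OpenID identifier
    }
    // URL to redirect the browser to; realm and return_to are fixed, not derived from $_SERVER
    return $auth_request->redirectURL(OPENID_REALM, OPENID_RETURN_TO);
}

// Step 2: handle the return. Key the account on identity_url (the claimed
// identifier, which carries the ?id=... part for Google), and use the display
// identifier only for showing something recognisable back to the user.
function finishLogin(array &$users)
{
    $consumer = makeConsumer();
    $response = $consumer->complete(OPENID_RETURN_TO);

    if ($response->status == Auth_OpenID_CANCEL) {
        return array('ok' => false, 'reason' => 'cancelled');
    }
    if ($response->status != Auth_OpenID_SUCCESS) {
        // signature, nonce or return_to verification failed; do not log anyone in
        return array('ok' => false, 'reason' => 'failed: ' . $response->message);
    }

    $persistent_id = $response->identity_url;          // database key
    $display_id    = $response->getDisplayIdentifier(); // UI only

    $is_new = !isset($users[$persistent_id]);
    if ($is_new) {
        // first successful assertion for this identifier under this realm
        $users[$persistent_id] = $display_id;
    }

    return array(
        'ok'       => true,
        'user_key' => $persistent_id,
        'display'  => $display_id,
        'new'      => $is_new,
    );
}
```

`beginLogin('https://www.google.com/accounts/o8/id')` performs discovery against Google and returns the redirect URL; the return page calls `finishLogin($users)` and, on `ok`, looks the account up by `user_key`. The two things that make the key stable are that the realm never changes between requests and that the lookup uses `identity_url` rather than the display identifier.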
1

Why not simply use the OpenID URL to identify users? Consider it unique like an email address.

Richard JP Le Guen
  • I thought that's how it worked too, but he says he's seeing all Google users from the same OpenID URL. – Rup Jul 01 '10 at 15:51
  • As did I, but Google accounts always have `https://www.google.com/accounts/o8/id ` as their URL. – Richard JP Le Guen Jul 01 '10 at 16:01
  • stackoverflow somehow gets a `?id=....` at the end of the url. Not sure how though. Maybe the full url with the `?id=..` is given to you by google?? Does `$oid_response` have a url attribute? – Echo says Reinstate Monica Jul 01 '10 at 16:28
  • Oops, hadn't seen your last comment before I posted. Yes, I think it's the OpenID 'claimed_id' that you want, which appears to include the ?id=, which I think is `$oid_response->identity_url`. – Rup Jul 01 '10 at 16:43