0

I am using OpenID authentication in my web application. I have two tables: one for storing multiple openid_url values for any user_id, with openid as primary key.

There is another table with user details with user_id as primary key.

My authentication works, and after that I check if the URL returned is available in my openid table. If it's not there, I redirect to a create-user form, while if the URL is there, the user is redirected to the page where he was. But I am facing a strange issue wherein the URL returned for my email ID after Google authentication does not match the value stored in the DB a day before or so.

I am not sure if I am missing something or whether I have to use something else in OpenID 2.0.

Any clue at this point is highly appreciated.

Edit:

I got one more thread which deals with the information I am looking for: "Why does the ID of Google's OpenID implementation change?"

awake416
  • What modules are you using for OpenID authentication? Or if none, show your code? – ysth Apr 24 '11 at 10:12
  • I am using the Catalyst::Authentication::Credential::OpenID module from CPAN. I have referred to [link](http://www.plaxo.com/api/openid_recipe). – awake416 Apr 24 '11 at 10:25
  • Here is my Catalyst app config for the OpenID realm: `openid => { ua_class => "LWPx::ParanoidAgent", ua_args => { whitelisted_hosts => [qw/ 127.0.0.1 localhost /], }, credential => { class => "OpenID", }, store => { class => 'Null' }, }` – awake416 Apr 24 '11 at 10:29

2 Answers

3

Google uses unique identifiers for every service provider (relying party).

Please verify that your site is using a consistent openid.realm. That is the protocol and domain name of your site. For example: https://stackauth.com

If you mix using a "www." prefix with not using it, or mix http and https, Google will see you as distinct service providers and provide different IDs for the same user.

Hendrik Brummermann
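The realm mismatch described in the answer above, as an added example that is not part of the original answer (written in Python, not the asker's Perl): it derives the realm from several entry URLs to show how many distinct relying parties the provider would see, and computes the redirect that pins every login to one realm. The host `example.com`, `CANONICAL_REALM` and all function names are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumption: the one realm this site always sends as openid.realm (placeholder host).
CANONICAL_REALM = "https://www.example.com"

def realm_of(url):
    """Scheme + host (+ non-default port) of a URL: what an app sends as
    openid.realm when it derives the realm from the incoming request."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def distinct_realms(entry_urls):
    """Group entry URLs by derived realm. Each key is a separate relying party
    to the provider, so the same user gets a different identifier under each."""
    groups = {}
    for url in entry_urls:
        groups.setdefault(realm_of(url), []).append(url)
    return groups

def canonical_redirect(request_url, canonical=CANONICAL_REALM):
    """Return None if the request already arrived on the canonical realm,
    otherwise the same path and query on the canonical realm. Redirect there
    before starting the OpenID request so the realm never varies."""
    if realm_of(request_url) == realm_of(canonical):
        return None
    want, got = urlsplit(canonical), urlsplit(request_url)
    return urlunsplit((want.scheme, want.netloc, got.path or "/", got.query, ""))

# Constructed sample: four ways a visitor might reach the same login page.
SAMPLE_ENTRY_URLS = [
    "http://example.com/login",
    "http://www.example.com/login",
    "https://example.com/login?next=/inbox",
    "https://www.example.com:443/login",
]

if __name__ == "__main__":
    for realm, urls in distinct_realms(SAMPLE_ENTRY_URLS).items():
        print(realm, "<-", urls)
    for url in SAMPLE_ENTRY_URLS:
        print(url, "->", canonical_redirect(url))
```
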
0

I have gone through a number of documents and I am going to use email as the user identifier only in the case of Google. This is one attribute which is unique for any site, any domain.

awake416
  • Hotmail e-mail addresses expire after 6 months of not being logged in. The Twitter which exposed internal management documents was done that way: http://techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ – Hendrik Brummermann Apr 25 '11 at 08:53
  • Thanks nhnb, but I meant that I shall be using Gmail only for Google, not for any other OpenID provider. What do you say? – awake416 Apr 25 '11 at 19:11
  • My Google account has a third-party email address associated. I don't have a Gmail account, but I can use my Google account for OpenID authentication. – Hendrik Brummermann Apr 25 '11 at 19:37