3

I recently implemented OpenID for a game I'm making (Google only at this time), and I'm using lightopenid. I'm asking for minimal information back from the user (on purpose), and when they successfully authenticate, I'm passed back a long URL that looks like this https://www.google.com/accounts/o8/ud (I think that's pretty close to what it looks like, I don't have access to the database right now) with a bunch of random characters after it. I'm using this URL as the document ID in my database for fast retrieval on log in.

I'm getting to the point where I'd like to add player profiles on the site, but to do that, I'd need to publicly expose this long URL to other players.

My question is, is the URL I get back from Google safe to show other users, or do I need to find another field to expose to the user?

Álvaro González
  • 142,137
  • 41
  • 261
  • 360
snollygolly
  • 1,858
  • 2
  • 17
  • 31
  • I don't know whether OpenID identifiers need to be kept secret (probably not, but that's a good question itself). What I know is that they tend to be long and ugly. If you already have a database, I suppose you already have a custom user table with a regular auto-generated ID. Using that is a sensible option. – Álvaro González Jan 22 '14 at 15:30
  • I'm using CouchDB for my database, and using the URL as the document ID, so there's not a regular auto-generated one. – snollygolly Jan 22 '14 at 16:19

1 Answers1

2

Knowing someone's OpenID identifier has mostly the same security implications as knowing their login. The only difference is that an OpenID identifier is a url that points to some server, so knowing it would theoretically allow a malicious user to attack the identity endpoint (i.e. that server) - but that's not a security issue for your site.

Publishing it should be mostly safe, but whether it's a good idea is another matter. A human readable string (for example, a pseudonym) might be a better choice for a user identifier.

That said, some sites consider their users' logins a secret - most don't, but that's a choice you have to make yourself.

Mewp
  • 4,715
  • 1
  • 21
  • 24
  • Thank you Mewp, I appreciate your answer. I'm storing a friendly name too, but I decided to let users change their friendly name at will, so the only consistent name I have (and the ID of the document) is their logon URL. – snollygolly Jan 23 '14 at 18:52
  • Or you could simply use their first friendly name as an identifier, or ask them for one. That strategy is also used by various websites. – Mewp Jan 23 '14 at 20:02