
I'm using OpenID for authentication to my application, and I'm using the client's OpenID URI to identify them. But I figured out that OpenID URIs change over time. Is this usual, or is it about the OpenID configuration of the providers?

Çağdaş

2 Answers


Well, there are three kinds of OpenIDs that you might be dealing with.

The first is OpenID with delegated identity. In this case, the user has some URL which they are using as an OpenID, but it itself is not an OpenID endpoint. It just points to an endpoint. This allows them to use their own identifier as their OpenID, and to change OpenID providers at will. In this sense, the OpenID will change, but not what the user uses to identify themselves.

The second is a normal OpenID endpoint. These are constant and should not be changing at all.

The third is what is known as a directed identity. In this case, the user does not supply you an OpenID endpoint, but simply tells you who their OpenID provider is. Their provider will then generate an OpenID endpoint for the user that is specific to your site. When the user goes onto different sites, the provider will be giving them a different identifier. This is to make it so their internet use cannot be tracked across sites just by looking at who is signing in with what identifiers.

It is this third type which is probably giving you problems. If all these users suddenly have new OpenID URLs, it is because their provider thinks they are connecting to a different site. So, if your URLs have changed, so too will the URLs of these PPIDs generated by the provider.

  • Thanks for the brief explanation. But I'm a little confused. Users may connect to different sites. OpenID auth requests are created at run time and may have several realms to return to. If OpenID providers think(?) that my URL has changed, they must store logs about the authentication requests of the current user. Am I right? And that brings us to a security concern about providers protecting their clients. But while authenticating, the OpenID provider displays an info message about "this site wants some information about your account". – Çağdaş May 18 '11 at 13:33
  • => So you can accept or decline. How do providers decide to protect me by changing my URI? I don't think it is about changing the application URL. – Çağdaş May 18 '11 at 13:34
  • I think you might be confused. The return_to in an auth_request will refer to a single realm, not multiple. The auth requests are sent via the user by the RP sticking the request into the post payload while redirecting the user. – Jacob Bellamy May 19 '11 at 03:58
  • Secondly, the protection that is given by using PPIDs is not to hide what sites the user is visiting from the provider. The provider has to store all the sites the user is authenticating with for usability reasons anyway. But it does protect you from being identified cross-site by people simply looking at your identifier and saying "Oh hey, this is the same guy with this eBay account!" – Jacob Bellamy May 19 '11 at 04:01
  • Thanks for your help, that was a good explanation of this subject. And besides, I found a formal document on this subject for people who may experience this problem. Available [here](http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.tivoli.fim.doc_6.2.1/concept/OpenIDPlanIdentityURL.html) – Çağdaş May 19 '11 at 06:30
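The following is an added illustration of the directed-identity (PPID) behaviour described in the accepted answer; it is not code from the answer, the question, or any OpenID library. It models a provider that derives a pairwise pseudonymous identifier from the user and the relying party's realm, and a relying party that keys its accounts on the claimed identifier. The provider URL, the provider secret, and the rule that the realm is reduced to scheme plus host are all assumptions made for the demo (real providers use their own normalization rules). The point it shows is the one in the answer: the same user gets a stable identifier as long as the realm stays the same, and a different identifier (hence a fresh, unlinked account at the RP) as soon as the realm changes.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed demo values; a real provider keeps its PPID key in a key store.
PROVIDER_SECRET = b"constructed-demo-secret"
PROVIDER_BASE = "https://op.example.net/id/"   # hypothetical provider URL


def normalize_realm(realm: str) -> str:
    """Reduce a realm URL to the part the provider keys PPIDs on.

    Assumption for this demo: scheme + host only, so path changes do not
    alter the identifier but a new hostname or scheme does.
    """
    parts = urlparse(realm)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("realm must be an absolute http(s) URL")
    return f"{parts.scheme}://{parts.netloc.lower()}"


def directed_identifier(user_id: str, realm: str) -> str:
    """Provider side: derive the site-specific OpenID for (user, realm).

    HMAC over the pair means the identifier is stable for one site but
    cannot be correlated across sites without the provider's secret.
    """
    msg = f"{user_id}|{normalize_realm(realm)}".encode()
    tag = hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return PROVIDER_BASE + tag


class RelyingParty:
    """RP side: accounts are keyed on the claimed identifier, as in the question."""

    def __init__(self, realm: str):
        self.realm = realm
        self.accounts: dict[str, str] = {}

    def login(self, user_id: str) -> str:
        """Simulate one OpenID login: ask the provider for the user's
        identifier under this RP's realm and map it to a local account."""
        claimed_id = directed_identifier(user_id, self.realm)
        if not claimed_id.startswith(PROVIDER_BASE):
            raise ValueError("claimed identifier is not from the trusted provider")
        return self.accounts.setdefault(claimed_id, f"account-{len(self.accounts) + 1}")


def simulate_realm_change(user_id: str, old_realm: str, new_realm: str) -> tuple[str, str]:
    """Log the same user in before and after the RP's realm changes and
    return the two local accounts that result."""
    rp = RelyingParty(old_realm)
    before = rp.login(user_id)
    rp.realm = new_realm        # e.g. the site moved to a new hostname
    after = rp.login(user_id)
    return before, after


if __name__ == "__main__":
    print(simulate_realm_change("alice",
                                "https://shop.example.com/login",
                                "https://shop.example.org/login"))
```

If the path changes but the host does not, `simulate_realm_change` returns the same account twice; if the host changes, the provider hands out a new PPID and the RP sees a second, unlinked account. That is the failure the question describes, and it is why an RP that uses directed identity must keep its realm fixed (or plan an account-migration step) when it moves hosts.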

Normally an OpenID URL will be constant over time. If it's changing then that's something that your OpenID provider is choosing to do.

I use PureID myself (and host it myself) and I don't change my OpenID URL at all; although I may choose to do so in the future, it will be my choice.

karora
  • Thanks for the response. I think OpenID providers change clients' URIs over time because of security. But it would be better if the OpenID URI were a constant, like your identity number in real life. – Çağdaş May 13 '11 at 07:39