OpenID: is the identifier URL unique? what are the differences between the identifiers

温柔的废话 2021-02-07 09:52

In the OpenID specs, it says:

  • Identifier:

An Identifier is just a URL. The whole flow of the OpenID Authentication protocol is about prov

3 answers
  •  后悔当初
    2021-02-07 10:33

    OK, I have just fixed my SMF OpenID endpoint implementation (read details about some very related problems I had here), where I made a few assumptions about those relations. Of course, that doesn't prove them right (so please correct me). Here they are:

    • Identifier URL = OpenID endpoint URL = IdP

    • The OpenID endpoint is not unique. It is the same for all end users of that endpoint.

    • Verified identifier URL = identity

    • Verified identifier URL is unique. It is associated with the endpoint user account.

    • https://www.google.com/accounts/o8/id is the Google OpenID endpoint URL.

    • https://www.google.com/accounts/o8/id?id=AltOawk... is the Google OpenID verified identifier URL.

    • The hash the Google OpenID identity URL contains is also related to the OpenID realm (the consumer domain namespace where this OpenID identifier stays valid). That is one of the reasons for it not to be just the username.

    • About how to provide the unique verified identifier URL, see here.

    Still some things remain unclear to me:

    • What other reasons are there that Google uses for the hashed id; it could have also used id?u={username}&oidrealm={...}.

    • What is the reason to have such an OpenID realm at all?

    • What exactly is the difference between identifier URL and claimed identifier URL?
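
Added example (not part of the original answer and not any provider's code): a sketch of the two roles the answer distinguishes, the shared endpoint URL and the per-user verified identifier, with a hypothetical HMAC derivation that ties the identifier to the realm. The host names, the secret and the function names are constructed assumptions, the endpoint and the URL the user enters are treated as one URL as in the answer, and the page does not say how Google derives its hash.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed values for illustration only.
OP_ENDPOINT = "https://op.example/openid"      # same URL for every user of the provider
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_SECRET = b"constructed-demo-secret"         # hypothetical provider-side key


def directed_identifier(local_user: str, realm: str) -> str:
    """Hypothetical OP-side derivation: one opaque identifier per (user, realm)."""
    msg = f"{local_user}\x00{realm}".encode()
    token = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{OP_ENDPOINT}?{urlencode({'id': token})}"


def positive_assertion(local_user: str, realm: str) -> dict:
    """Identity-related fields of an id_res response (signature fields omitted)."""
    claimed = directed_identifier(local_user, realm)
    return {
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed,
        "openid.identity": claimed,
    }


def account_key(assertion: dict, discovered_endpoint: str) -> str:
    """RP side: return the value to key the local account on, or raise."""
    if assertion.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    claimed = assertion.get("openid.claimed_id", "")
    # The endpoint URL is shared by all users, so it must never become an account key.
    if claimed in ("", IDENTIFIER_SELECT, OP_ENDPOINT):
        raise ValueError("claimed_id does not identify a user")
    # discovered_endpoint stands in for the result of running discovery on claimed_id.
    if assertion.get("openid.op_endpoint") != discovered_endpoint:
        raise ValueError("asserting endpoint is not authoritative for claimed_id")
    return claimed
```

With this derivation the same user gets unrelated identifiers at two realms, so two relying parties cannot link their accounts by comparing the values.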
