OpenID: is the identifier URL unique? what are the differences between the identifiers

Question

In the OpenID specs, it says:

• Identifier:

An Identifier is just a URL. The whole flow of the OpenID Authentication protocol is about prov

Answer 1

Here is my understanding. I am actually just answering the last two questions in your own answer. Hope someone finds these useful.

What is the reason to have such OpenID realm at all?

The realm is used for security. Basically the return_url is checked against the realm, and OpenID specs say they MUST match. Google has taken this one step further, and provides unique verified identifiers for each realm. They might have done as you suggested, and put the realm back in their identifier, but then you could tell by looking at two verified identifiers whether they were the same end-user or not. I think they are trying to keep their identifiers free of identifying information. (ironic, no?)

What exactly is the difference between identifier URL and claimed identifier URL?

The claimed identifier is the one the end-user has specified. This is not their unique identifier. Yahoo is a good example of this. They allow you to specify yahoo.com as your identifier, log into your yahoo account, and return a unique identifier to the openid consumer. This just simplifies the process for the end-user. (And increases the likelihood that they'll use yahoo.com as their openid!)

Answer 2

Ok, as I just have fixed my SMF OpenID endpoint implementation (read details about some very related problems I had here) where I made a few assumptions on those relations. Of course that doesn't prove them right (so please correct me). Here they are:

• Identifier URL = OpenID endpoint URL = IdP

• The OpenID endpoint is not unique. It is the same for all end users of that endpoint.

• Verified identifier URL = identity

• Verified identifier URL is unique. It is associated to the endpoint user account.

• https://www.google.com/accounts/o8/id is the Google OpenID endpoint URL.

• https://www.google.com/accounts/o8/id?id=AltOawk... is the Google OpenID verified identifier URL.

• The hash the Google OpenID identity URL contains is also related to the OpenID realm (the consumer domain namespace where this OpenID identifier stays valid). That is one of the reasons to not be just the username.

• About how to provide the unique verified identifier URL, see here.

Still some things remain unclear to me:

• What other reasons are there that Google uses for the hashed id; it could have also used id?u={username}&oidrealm={...}.

• What is the reason to have such OpenID realm at all?

• What exactly is the difference between identifier URL and claimed identifier URL?

Answer 3

And what is the purpose of https://www.google.com/accounts/o8/id?id=AltOawk...? Is that really unique and always the same for my Google account? So that URL is what identifies me?

If I've understood everything correctly, the answer is "Yes it is!"

Why haven't they used https://www.google.com/accounts/o8/id?u={google-username} instead of this cryptic ...?id=AltOawk...?

I guess they want to be safe for future changes to your account, if you for example (now or in the future) would be able to change your username, then you would probably like that to be reflected in your OpenId-claimed-identifier as well - but then you would be in trouble! all your registrations for your old claimed identifier would not be assessible. Read more here: http://wiki.openid.net/w/page/12995200/OpenID-Security-Best-Practices and here: http://blog.nerdbank.net/2008/07/case-for-case-sensitive-openid-url.html