问题
I am developing an OpenID consumer in PHP and am using the fantastic LightOpenID library (http://gitorious.org/lightopenid). Basing my code off of that found in the example client script I have successfully created a consumer. However, I've run across a snag: Google requires the openid.identity and openid.claimed_id to be set to "http://specs.openid.net/auth/2.0/identifier_select" (see here). If I do that it works but other providers (i.e. AOL) don't.
Here are my questions:
- Is Google a corner case –– is it the only OpenID provider where
identifier_selectis required, contrary to the OpenID specs? - Is there a shortcoming in the LightOpenID library?
- Is my understanding of how OpenID works incorrect?
- If Google is not the only provider that requires
identifier_selectare there a finite number of them which I'll just hardcode in, or is there someway to determine this through the OpenID spec?
I'm new to the internals of OpenID so I wouldn't be surprised if this is a dumb question. I haven't been able to find any info on this subject after scouring the Internet.
回答1:
Google isn't contradicting the spec. The OpenID 2.0 spec absolutely allows for identifier_select flows, which enable something called "directed identity", which Google is the only notable OP (that I know of) that actually exercises the ability to do.
And yes, a fully and correctly implemented OpenID RP library will automatically notice that Google (and any other OP like it) requires identifier_select as it's part of the identifier discovery step that picks up on this. Sorry about the library you're using, but it sounds like it's causing you grief due to perhaps being an incomplete implementation of OpenID.
And by the way, AOL does support identifier_select.
回答2:
The LightOpenID author here.
- The spec allows it, so it probably isn't the only one (other answers mention Yahoo)
- No, there isn't – LightOpenID supports this. (see example-google.php in the library).
- You still need to know a discovery url, so you need to know the provider. Or tell users to enter https://www.google.com/accounts/o8/id as their identity.
Note that this answer is about the newest version of my library, which was pushed after this question was asked. For anyone still struggling with this problem, please download the newest version
回答3:
This is used to authenticate in OP Driven ID Selection mode. It's less common but not a corner case. Among all the OP providers I use, I noticed Google and Yahoo require this.
This is required to support Directed Identity in OpenID 2.0. Basically, you get a different OpenID for different website. There is a push to move to this model by privacy advocates so I think you have to support this soon or later.
来源:https://stackoverflow.com/questions/3015765/is-google-the-only-openid-provider-that-requires-identifier-select