Is it safe to expose OpenID links to other users?

Question

I recently implemented OpenID for a game I'm making (Google only at this time), and I'm using lightopenid. I'm asking for minimal information back from the user (on purpose), and when they successfully authenticate, I'm passed back a long URL that looks like this https://www.google.com/accounts/o8/ud (I think that's pretty close to what it looks like, I don't have access to the database right now) with a bunch of random characters after it. I'm using this URL as the document ID in my database for fast retrieval on log in.

I'm getting to the point where I'd like to add player profiles on the site, but to do that, I'd need to publicly expose this long URL to other players.

My question is, is the URL I get back from Google safe to show other users, or do I need to find another field to expose to the user?

Answer 1

Knowing someone's OpenID identifier has mostly the same security implications as knowing their login. The only difference is that an OpenID identifier is a url that points to some server, so knowing it would theoretically allow a malicious user to attack the identity endpoint (i.e. that server) - but that's not a security issue for your site.

Publishing it should be mostly safe, but whether it's a good idea is another matter. A human readable string (for example, a pseudonym) might be a better choice for a user identifier.

That said, some sites consider their users' logins a secret - most don't, but that's a choice you have to make yourself.