Question

I'm using the django_openid_auth module and have it configured to automatically create new user accounts for new OpenIDs. This makes the "sign up" process really trivial, but I'm a bit worried that because of the way that Google generates its OpenID tokens it might accidentally create a new account for an existing user, giving them the impression the data in their original account has been lost.

As far as I can tell, Google will generate different claimed ID tokens for different domain names. That is www.site.com and site.com would create two distinct tokens and therefore two accounts in my system. I've fixed that by redirecting www.site.com to site.com.

Are there any other gotchas I need to be aware of? And can anyone point me in the direction of some details on what Google use to generate the ID?


Solution

From the docs:

openid.realm

Authenticated realm. Identifies the domain that the end user is being asked to trust. (Example: "http://*.myexamplesite.com") This value must be consistent with the domain defined in openid.return_to. If this parameter is not defined, Google will use the URL referenced in openid.return_to.

The value of realm is used on the Google Federated Login page to identify the requesting site to the user. It is also used to determine the value of the persistent user ID returned by Google.
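The quoted documentation says the persistent identifier Google returns is derived from openid.realm, falling back to the host in openid.return_to when no realm is sent. The practical consequence for the question's www.site.com versus site.com case is that the login request must always carry one fixed realm, and return_to must match it. The following is an added example, not code from django_openid_auth or from the answer: it pins the realm to a configured canonical host (the constant `CANONICAL_HOST` and the helper names are assumptions), rewrites return_to onto that host so the pair stays consistent, and includes a simplified reading of the OpenID 2.0 realm-matching rules so a deployment can verify the pair before redirecting the user.

```python
from urllib.parse import urlsplit

# Constructed sample setting; a real deployment would take this from settings.
# Pinning the host here means a request arriving on www.site.com (or with an
# attacker-controlled Host header) cannot change the realm sent to Google.
CANONICAL_HOST = "site.com"

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_login_params(return_to, canonical_host=CANONICAL_HOST):
    """Return the openid.realm / openid.return_to pair for one login request.

    The realm is always scheme://canonical_host/ and return_to is rewritten
    onto the same host, so every host name the user arrives on produces the
    same realm and therefore the same persistent identifier from Google.
    """
    parts = urlsplit(return_to)
    # Keep a non-default port (e.g. a dev server) but drop the incoming host.
    port = ""
    if parts.port and parts.port != DEFAULT_PORTS.get(parts.scheme):
        port = f":{parts.port}"
    netloc = canonical_host + port
    normalized_return_to = parts._replace(netloc=netloc).geturl()
    realm = f"{parts.scheme}://{netloc}/"
    return {"openid.realm": realm, "openid.return_to": normalized_return_to}


def return_to_matches_realm(return_to, realm):
    """Simplified OpenID 2.0 realm check (an assumed reading of section 9.2,
    not library code): same scheme and port, the return_to path inside the
    realm path, and the host equal to the realm host or covered by '*.'."""
    r = urlsplit(realm)
    u = urlsplit(return_to)
    # A realm must not carry a fragment, and both URLs need a host.
    if r.fragment or not r.hostname or not u.hostname:
        return False
    if r.scheme != u.scheme:
        return False
    r_port = r.port or DEFAULT_PORTS.get(r.scheme)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if r_port != u_port:
        return False
    r_path = r.path or "/"
    u_path = u.path or "/"
    # return_to must be the realm path itself or a sub-directory of it.
    if not (u_path == r_path or u_path.startswith(r_path.rstrip("/") + "/")):
        return False
    r_host = r.hostname.lower()
    u_host = u.hostname.lower()
    if r_host.startswith("*."):
        suffix = r_host[2:]
        return u_host == suffix or u_host.endswith("." + suffix)
    return u_host == r_host


if __name__ == "__main__":
    # Both arrival hosts collapse to the same realm, so Google sees one site.
    for incoming in ("https://www.site.com/openid/complete/",
                     "https://site.com/openid/complete/"):
        params = build_login_params(incoming)
        ok = return_to_matches_realm(params["openid.return_to"],
                                     params["openid.realm"])
        print(incoming, "->", params["openid.realm"], "consistent:", ok)
```

The check is deliberately stricter than "same domain": a realm of https://site.com/ does not cover https://www.site.com/, which is exactly the mismatch that produced two identifiers in the question, so a failing check here is the signal that the deployment is about to create a duplicate account.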

OTHER TIPS

StackOverflow had the same problems with different hash OpenID tokens. They detail their problems and a possible solution (Google profiles) on the StackOverflow blog.

http://blog.stackoverflow.com/2009/11/google-offers-named-openids/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow