Why does the ID of Google's OpenID implementation change?

Question

I'm trying to implement OpenId login for a web application. Whenever new user who logs in via OpenId I create a new user on the sustem, and among the data I store their openid URL, so that next time they login with that user.

I'm testing this with my Gmail OpenID, and the problem is that everytime I do this, Google sends a different openid URL, that is, https://www.google.com/accounts/o8/id?id=SomethingThatChangesFromTimeToTime

Of course I'm then not able to tell wheter this is or not a new user. I'm a bit puzzled: shouldn't the openid identifier always remain the same?

Answer 1

Google's OpenID identifier is more or less a hashed representation of multiple data including the host the request came from (more exactly the openid.realm parameter sent to the provider). So if your host changes from time to time (like the port and ip address changes), then the ID will change from time to time too. StackOverflow uses a workaround for this issue too. Check these posts:

• OpenID, One Year Later
• Google’s OpenIDs are Unique Per-Domain

Here is an FAQ excerpt from google:

Q: The OpenID spec says that the openid.realm is optional, and that if not provided, Google should use the openid.return_to URL instead. Will that work?

A: It will work in the sense that the protocol will complete successfully. But if your return_to URL is something like www.example.com/authenticate?style=openid-federated_login, you are asking us to prompt users to approve and trust a specific address at your site, which is not user-friendly. Also, if you omit the openid.realm parameter, you will never be able to change your return_to URL: It will also implicitly change the realm and the URL identifiers of your Google Account users.