Does my open id change over time?

Question

I'm using open id for authentication to my application. And i'm using client's open id uri to identify them. But i figured out that open id uris change over time. Is it usual or is it about open id configuration of providers?

Answer 1

Well, there are three kinds of OpenIDs that you might be dealing with: OpenID with delegated identity. In this case, the user has some URL which they are using as an OpenID, but it itself is not an OpenID endpoint. It just points to an endpoint. This allows them to use their own identifier as their OpenID, and to change OpenID providers at will. In this sense, the OpenID will change, but not what the user uses to identify themselves.

The second is a normal OpenID endpoint. These are constant and should not be changing at all.

The third is what is known as a directed identity. In this case, the user does not supply you an OpenID end point, but simply tells you who their OpenID provider is. Their provider will then generate an OpenID endpoint for the user that is specific to your site. When the user goes onto different sites, the provider will be giving them a different identifier. This is to make it so their internet use cannot be tracked across sites just by looking at who is signing in with what identifiers.

It is this third type which is probably giving you problems. If all these users suddenly have new OpenID urls, it is because their provider thinks they are connecting to a different site. So, if your URLs have changed, so to will the URLs of these PPIDs generated by the provider.

Answer 2

Normally an OpenID URL will be constant over time. If it's changing then that's something that your OpenID provider is choosing to do.

I use PureID myself (and host it myself) and I don't change my OpenID URL at all, although I may choose to do so in the future it will be my choice.