How to distinguish/identify users with OpenID without requesting SReg fields?

I've been toying with the JanRain OpenID PHP Library, mostly following along with a tutorial I found on ZendZone.

How does one distinguish between users - especially Google users, who all end up using the same OpenID URL, https://www.google.com/accounts/o8/id ?

Basically, I'm at the point where I can detect that they have an OpenID account... that they've successfully authenticated... but my app still doesn't know who they are; only that they authenticated.

To distinguish users, the tutorial uses a "Simple Registration request" to request the user's email from the OpenID provider, and then uses the email address to see if this is a returning user.

It wasn't working for me, and apparently won't work with some providers, so I was excited when I stumbled upon a function getDisplayIdentifier.

require_once "Auth/OpenID/Consumer.php";
require_once "Auth/OpenID/FileStore.php";
// create file storage area for OpenID data (the directory must be writable by the web server)
$store = new Auth_OpenID_FileStore('/wtv');
$consumer = new Auth_OpenID_Consumer($store);
// complete() verifies the provider's response against the return_to URL used in the request
$oid_response = $consumer->complete("http://example.com/oir_return");
if ($oid_response->status == Auth_OpenID_SUCCESS) {
    // I assumed this would be a relatively permanent way to identify the user...
    // I was wrong.
    $hopefullyUniqueUserID = $oid_response->getDisplayIdentifier();
}

Unfortunately, after a couple of hours the value returned by getDisplayIdentifier changes.

Richard JP Le Guen, asked Jun 24 '10 21:06

4 Answers

Skimming the code, I think it's $oid_response->identity_url that you want. For me (albeit in DotNetOpenAuth not php-openid) that comes back as

https://www.google.com/accounts/o8/id?id=AItOawmqjknrgk6f9cNdPIVxW43GewJPa1ZW4GE

from Google, where the ID part is reproducible and hopefully unique to me. However I haven't left it a few hours to see if this changes, so apologies if this is what you already had from getDisplayIdentifier - but skimming the source it looks like it'd just use the first part, but then I'm no PHP expert.

Rup, answered Nov 19 '22 17:11

The problem was that Google's OpenIDs are unique per domain; I had been absent-mindedly alternating between http://www.mysite.com and http://mysite.com, which caused the OpenID identity URL to change!

Richard JP Le Guen, answered Nov 19 '22 18:11

Why not simply use the OpenID URL to identify users? Consider it unique like an email address.

Echo says Reinstate Monica, answered Nov 19 '22 17:11

According to the last paragraph below, you should definitely use the identity_url attribute of the response object (granted, this is in reference to the Python library, but the implementations are very similar):

The display identifier is related to the Claimed Identifier, but the two are not always identical. The display identifier is something the user should recognize as what they entered, whereas the response's claimed identifier (in the L{identity_url} attribute) may have extra information for better persistence.

URLs will be stripped of their fragments for display. XRIs will display the human-readable identifier (i-name) instead of the persistent identifier (i-number).

Use the display identifier in your user interface. Use L{identity_url} for querying your database or authorization server.

From the python-openid docs.

Dolph, answered Nov 19 '22 18:11
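Pulling together the two corrections above (Richard's point that Google's identifiers are scoped to the realm, and Dolph's point that identity_url, not the display identifier, is the persistent key), here is an added Python example of the relying-party side. It is not code from the question, from any answer, or from the php-openid / python-openid projects: OpenIDSuccess is a constructed stand-in for a library success response, UserStore is a toy in-memory user table, and return_to_matches_realm implements the OpenID 2.0 rule that return_to must lie under the realm. The first Google identifier is the one from Rup's answer; the second is a constructed value.

```python
from dataclasses import dataclass
from urllib.parse import urldefrag, urlsplit


@dataclass(frozen=True)
class OpenIDSuccess:
    """Constructed stand-in for a successful library response (not the real class)."""
    identity_url: str   # claimed identifier: stable per realm, use it as the database key
    display_id: str     # what to show the user in the UI; not guaranteed stable


def display_identifier(claimed_id: str) -> str:
    """Display form as the python-openid docs describe it: the URL with its
    fragment stripped. XRI i-name handling is not modelled here."""
    url, _fragment = urldefrag(claimed_id)
    return url


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 requires return_to to lie under the realm: same scheme and
    port, host equal to the realm host (or any subdomain when the realm host
    starts with '*.'), and a path that begins with the realm's path. A realm
    carries no query string or fragment. Keeping one fixed realm (and a
    return_to under it) is what makes a directed-identity provider such as
    Google hand back the same identity_url on every login."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.query or rl.fragment:
        return False
    if rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    rt_host = (rt.hostname or "").lower()
    rl_host = (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        base = rl_host[2:]
        if not (rt_host == base or rt_host.endswith("." + base)):
            return False
    elif rt_host != rl_host:
        return False
    return rt.path.startswith(rl.path or "/")


class UserStore:
    """Toy in-memory user table keyed on the claimed identifier only (hypothetical)."""

    def __init__(self) -> None:
        self._by_claimed_id: dict[str, int] = {}   # identity_url -> user id
        self._next_id = 1

    def find_or_create(self, resp: OpenIDSuccess) -> int:
        # Never key on resp.display_id: it exists for the UI, not for persistence.
        uid = self._by_claimed_id.get(resp.identity_url)
        if uid is None:
            uid = self._next_id
            self._next_id += 1
            self._by_claimed_id[resp.identity_url] = uid
        return uid

    def count(self) -> int:
        return len(self._by_claimed_id)


# Identifier quoted in Rup's answer, and a second, constructed one for another user.
GOOGLE_ID_A = "https://www.google.com/accounts/o8/id?id=AItOawmqjknrgk6f9cNdPIVxW43GewJPa1ZW4GE"
GOOGLE_ID_B = "https://www.google.com/accounts/o8/id?id=CONSTRUCTED-second-user"


def demo() -> tuple:
    """Two logins with the same identity_url resolve to one user; a different
    identity_url creates a second user. Returns (first, again, other, count)."""
    store = UserStore()
    first = store.find_or_create(OpenIDSuccess(GOOGLE_ID_A, GOOGLE_ID_A))
    again = store.find_or_create(OpenIDSuccess(GOOGLE_ID_A, GOOGLE_ID_A))
    other = store.find_or_create(OpenIDSuccess(GOOGLE_ID_B, GOOGLE_ID_B))
    return first, again, other, store.count()


if __name__ == "__main__":
    print(demo())
    print(return_to_matches_realm("http://mysite.com/openid/return", "http://www.mysite.com/"))
```

The realm check is the part that would have caught the asker's bug: with the realm pinned to http://www.mysite.com/, a return_to on the bare http://mysite.com/ host fails the check before any request is sent, instead of silently producing a second identity_url for the same person.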