I've been toying with the JanRain OpenID PHP Library, mostly following along with a tutorial I found on ZendZone.
How does one distinguish between users - especially Google users, who all end up using the same OpenID URL, https://www.google.com/accounts/o8/id ?
Basically, I'm at the point where I can detect that they have an OpenID account... that they've successfully authenticated... but my app still doesn't know who they are; only that they authenticated.
To distinguish users, the tutorial uses a "Simple Registration request" to request the user's email of the OpenID provider - and then use email address to see if this is a returning user.
It wasn't working for me, and apparently won't work with some providers, so I was excited when I stumbled upon a function getDisplayIdentifier.
require_once "Auth/OpenID/Consumer.php";
require_once "Auth/OpenID/FileStore.php";
// create file storage area for OpenID data
$store = new Auth_OpenID_FileStore('/wtv');
$consumer = new Auth_OpenID_Consumer($store);
$oid_response = $consumer->complete("http://example.com/oir_return");
if ($oid_response->status == Auth_OpenID_SUCCESS) {
$hopefullyUniqueUserID = $oid_response->getDisplayIdentifier(); // I assumed this would be a relatively permanent way to identify the user...
// I was wrong.
}
Unfortunately, after a couple of hours the value returned by getDisplayIdentifier changes.
Skimming the code, I think it's $oid_response->identity_url that you want. For me (albeit in DotNetOpenAuth not php-openid) that comes back as
https://www.google.com/accounts/o8/id?id=AItOawmqjknrgk6f9cNdPIVxW43GewJPa1ZW4GE
from Google, where the ID part is reproducible and hopefully unique to me. However I haven't left it a few hours to see if this changes, so apologies if this is what you already had from getDisplayIdentifier - but skimming the source it looks like it'd just use the first part, but then I'm no PHP expert.
The problem was that Google's OpenIDs are unique per-domain; I had been absent-mindedly alternating between http://www.mysite.com and http://mysite.com, which caused the OpenID identity URL to change!
Why not simply use the OpenID URL to identify users? Consider it unique like an email address.
According to the last paragraph below, you should definitely use the identity_url attribute of the response object (granted, this is in reference to the Python library, but the implementations are very similar):
The display identifier is related to the Claimed Identifier, but the two are not always identical. The display identifier is something the user should recognize as what they entered, whereas the response's claimed identifier (in the L{identity_url} attribute) may have extra information for better persistence.
URLs will be stripped of their fragments for display. XRIs will display the human-readable identifier (i-name) instead of the persistent identifier (i-number).
Use the display identifier in your user interface. Use L{identity_url} for querying your database or authorization server.
From the python-openid docs.
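Putting the two answers together (key on identity_url, and send one fixed realm so Google's per-realm identifiers stay stable), here is an added example written for this page, not code from the asker or from php-openid. The store path, realm and return URL are assumed values; the library calls (begin, redirectURL, complete, identity_url, getDisplayIdentifier) are php-openid's own.

```php
<?php
// Added example: stable user identification with php-openid.
require_once "Auth/OpenID/Consumer.php";
require_once "Auth/OpenID/FileStore.php";

// Assumed values: a writable store directory and ONE canonical host for the site.
define('OPENID_STORE_PATH', '/var/lib/myapp/openid-store');
define('SITE_REALM', 'https://www.example.com/');             // trust root sent to the provider
define('RETURN_TO',  'https://www.example.com/openid/return'); // must lie under SITE_REALM

function openid_consumer() {
    $store = new Auth_OpenID_FileStore(OPENID_STORE_PATH);
    return new Auth_OpenID_Consumer($store);
}

// Step 1: start authentication. For Google every user enters the same
// discovery URL, https://www.google.com/accounts/o8/id; the per-user
// identifier only appears in the response.
function openid_start($openid_url) {
    $auth_request = openid_consumer()->begin($openid_url);
    if (!$auth_request) {
        return null; // discovery failed; show an error instead of redirecting
    }
    // The realm is a constant, not built from $_SERVER['HTTP_HOST']: Google's
    // identifier is unique per realm, so www.example.com and example.com would
    // otherwise produce two different identities for the same person.
    return $auth_request->redirectURL(SITE_REALM, RETURN_TO);
}

// Step 2: on the return URL, verify the assertion and pick the database key.
function openid_finish() {
    $response = openid_consumer()->complete(RETURN_TO);
    if ($response->status != Auth_OpenID_SUCCESS) {
        return null; // Auth_OpenID_CANCEL / Auth_OpenID_FAILURE: do not log in
    }
    // identity_url is the verified claimed identifier, e.g.
    // https://www.google.com/accounts/o8/id?id=<per-user value>; use it to look
    // up or create the account.
    $claimed_id = $response->identity_url;
    // getDisplayIdentifier() strips fragments and shows i-names rather than
    // i-numbers; it is for the user interface only, never for lookups.
    $display = $response->getDisplayIdentifier();
    return array('key' => $claimed_id, 'display' => $display);
}
```

The caller redirects the browser to the URL returned by openid_start() and, when the provider sends the user back, calls openid_finish() and keys the session on 'key', not on 'display'.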