I'm planning to add OpenID support for a web application I'm building. I can't seem to find the maximum length of a valid OpenID so I can store it in my database. I've seen some vague references to 255, but I'd rather be sure.
In addition, is it useful to use the OpenID as the username (recommendations)?
The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
For OIDC, the authorization code flow returns an authorization code to the Relying Party, which can then directly exchange it for an ID token and access token. This mechanism provides the benefit of not exposing any tokens to the browser or end-user.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
According to the specification for OpenID 1.1, the maximum limit for Identifier URLs is 255 bytes. See OpenID 1.1 Appendix D: Limits. Identity Provider and return_to URLs may be up to 2047 bytes.
Note that this section on limits was removed from the OpenID 2.0 specification. So it's unclear what the maximum length is now.
An OpenID is a URI, so you are limited by the maximum length of a URI. As far as I know there is no limit, but some browsers (such as Internet Explorer) have a limit.
Further reading:
http://openid.net/pipermail/general/2008-August/005305.html
I would not use the OpenID directly as the username. Just have a look at the OpenID URLs that Yahoo provides to users, they're incomprehensible. Allow users to choose their own username, and ideally allow multiple OpenID URLs to be associated with one user account (like Stack Overflow does).
There isn't an official length in version 2.0 of the spec.
You can hash the URL provided into something unique (md5, or some other repeatable hash) and store that in your DB as a much shorter string.
As for using it as a username, a big URL is not pretty. You can extract a username from the responses (SO got my username directly from my OpenID).
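As an added example (not code from any of the answers above), here is one way to combine two of the suggestions: store a fixed-length hash of the identifier as the lookup key, and let one account hold several OpenIDs. It uses SHA-256 rather than md5, and the SQLite schema and all table and function names are assumptions made for illustration; the identifier is assumed to be the claimed identifier exactly as your OpenID library returns it.

```python
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE      -- chosen by the user, not derived from the URL
);
CREATE TABLE openid_identifiers (
    digest     TEXT PRIMARY KEY,       -- always 64 hex characters, used for lookups
    identifier TEXT NOT NULL,          -- full URL, no length assumption
    user_id    INTEGER NOT NULL REFERENCES users(id)
);
"""

def identifier_digest(identifier: str) -> str:
    """SHA-256 of the identifier; the output length never depends on the URL length."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the illustrative schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_user(db: sqlite3.Connection, username: str) -> int:
    cur = db.execute("INSERT INTO users (username) VALUES (?)", (username,))
    return cur.lastrowid

def link_identifier(db: sqlite3.Connection, user_id: int, identifier: str) -> None:
    """Attach one more OpenID to an account; linking it twice raises IntegrityError."""
    db.execute("INSERT INTO openid_identifiers VALUES (?, ?, ?)",
               (identifier_digest(identifier), identifier, user_id))

def find_user(db: sqlite3.Connection, identifier: str):
    """Return the username that owns this identifier, or None if it is unknown."""
    row = db.execute(
        "SELECT u.username, o.identifier FROM openid_identifiers o "
        "JOIN users u ON u.id = o.user_id WHERE o.digest = ?",
        (identifier_digest(identifier),)).fetchone()
    # Compare the stored URL too, so a digest match alone never selects an account.
    return row[0] if row and row[1] == identifier else None
```

Keeping the full URL next to the digest lets the account page show users which OpenIDs are linked and lets the digest column be recomputed if the hash function ever changes.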