
Max length of an openID

Tags: openid, size

I'm planning to add openid support for a web application I'm building. I can't seem to find the maximum length of a valid openid so I can store it in my database. I've seen some vague references to 255 but I'd rather be sure.

In addition, is it useful to use the openid as the username (recommendations)?

Ruggs asked Apr 16 '09 02:04



4 Answers

According to the specification for OpenID 1.1, the maximum limit for Identifier URLs is 255 bytes. See OpenID 1.1 Appendix D: Limits. Identity Provider and return_to URLs may be up to 2047 bytes.

Note that this section on limits was removed from the OpenID 2.0 specification. So it's unclear what the maximum length is now.

dthrasher answered Oct 21 '22 01:10


An OpenID is a URI, so you are limited by the maximum length of a URI. As far as I know there is no limit, but some browsers (such as Internet Explorer) have a limit.

Further reading:

http://openid.net/pipermail/general/2008-August/005305.html

Nippysaurus answered Oct 21 '22 01:10


I would not use the OpenID directly as the username. Just have a look at the OpenID URLs that Yahoo provides to users, they're incomprehensible. Allow users to choose their own username, and ideally allow multiple OpenID URLs to be associated with one user account (like Stack Overflow does).

Greg Hewgill answered Oct 21 '22 00:10


There isn't an official length in version 2.0 of the spec.

You can hash the URL provided into something unique (MD5, or some other repeatable hash) and store that in your DB as a much shorter string.

As for using it as a username, a big URL is not pretty. You can extract a username from the responses (SO got my username directly from my OpenID).

Darryl E. Clarke answered Oct 21 '22 00:10
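
The hashed-lookup idea from the last answer, combined with the suggestion to allow several OpenID URLs per account, as an added example that is not code from any of the answers. It uses SHA-256 in place of the MD5 mentioned above, hashes the identifier exactly as received after verification, and its table and function names are assumptions made for illustration.

```python
import hashlib
import sqlite3

# Hypothetical schema: the digest is the fixed-length key, the full URL is kept beside it.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE openid_identity (
    digest     TEXT PRIMARY KEY,   -- always 64 hex characters
    identifier TEXT NOT NULL,      -- full claimed identifier, any length
    account_id INTEGER NOT NULL REFERENCES account(id)
);
"""

def identifier_digest(identifier: str) -> str:
    """Fixed-length lookup key for an identifier of arbitrary length."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_account(db, username):
    return db.execute("INSERT INTO account (username) VALUES (?)", (username,)).lastrowid

def link_identifier(db, account_id, identifier):
    """Attach one more identifier to an account; IntegrityError if it is already linked."""
    db.execute("INSERT INTO openid_identity VALUES (?, ?, ?)",
               (identifier_digest(identifier), identifier, account_id))

def find_username(db, identifier):
    """Return the username chosen by the owner of a verified identifier, or None."""
    row = db.execute(
        "SELECT a.username, i.identifier FROM openid_identity i "
        "JOIN account a ON a.id = i.account_id WHERE i.digest = ?",
        (identifier_digest(identifier),)).fetchone()
    # Compare the stored string as well, so the digest only serves as an index.
    return row[0] if row is not None and row[1] == identifier else None

def demo():
    db = open_db()
    acct = create_account(db, "ruggs")
    short_id = "https://openid.example/ruggs"         # constructed sample value
    long_id = "https://idp.example/a/" + "x" * 300    # constructed, longer than 255 bytes
    link_identifier(db, acct, short_id)
    link_identifier(db, acct, long_id)
    return (find_username(db, short_id), find_username(db, long_id),
            find_username(db, long_id + "y"))

if __name__ == "__main__":
    print(demo())
```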