Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Max length of an openID

Tags:

openid

size

I'm planning to add openid support for a web application I'm building. I can't seem to find the maximum length of a valid openid so I can store it in my database. I've seen some vague references to 255 but I'd rather be sure.

In addition is it useful to use the openid as the username (recommendations)?

like image 749
Ruggs Avatar asked Apr 16 '09 02:04

Ruggs

People also ask

Is OpenID 2.0 deprecated?

The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2 .

What is OIDC code flow?

For OIDC, the authorization code flow returns an authorization code to the Relying Party, which can then directly exchange it for an ID token and access token. This mechanism provides the benefit of not exposing any tokens to the browser or end-user.

What is OpenID client?

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

4 Answers

According to the specification for OpenId 1.1, the maximum limit for Identifier Urls is 255 bytes. See OpenId 1.1 Appendix D: Limits. Identity Provider and return_to Urls may be up to 2047 max bytes.

Note that this section on limits was removed from the OpenId 2.0 specification. So it's unclear what the maximum length is now.

like image 179
dthrasher Avatar answered Oct 21 '22 01:10

dthrasher

an OpenID is a URI, so you are limited by the maximum length of a URI. As far as I know there is no limit, but some browsers (such as Internet Explorer) have a limit.

Further reading:

http://openid.net/pipermail/general/2008-August/005305.html

like image 22
Nippysaurus Avatar answered Oct 21 '22 01:10

Nippysaurus

I would not use the OpenID directly as the username. Just have a look at the OpenID URLs that Yahoo provides to users, they're incomprehensible. Allow users to choose their own username, and ideally allow multiple OpenID URLs to be associated with one user account (like Stack Overflow does).

like image 20
Greg Hewgill Avatar answered Oct 21 '22 00:10

Greg Hewgill

There isn't an official length in version 2.0 of the spec.

You can hash the URL provided into something unique (md5, or some other repeatable hash) and store that in your DB as a much shorter string.

As for using it as a username, a big url is not pretty. You can extract a username from the responses (SO got my username directly from my OpenID)

like image 1
Darryl E. Clarke Avatar answered Oct 21 '22 00:10

Darryl E. Clarke
Sign in to Comment

Related questions

How to detect if an email is a Google Account?
What is a good openid selector control?
How to flashing a message with link using Flask flash?
MediaWiki Extension:GoogleAppsAuthentification Multiple Domains
What is the future of OpenID, OpenID2, Open Connect? Is it worth implementing a provider? [closed]
Web Service Authentication using OpenID
Why does the ID of Google's OpenID implementation change?
Integrating openID and oauth as website login, signin and authentication system
OpenID authentication and API access
Skip IdentityServer3 login screen
OpenID providers - what stops malicious providers?
Is a user's email address confirmed in Facebook Graph API? [duplicate]
OpenId for gmail [closed]
dotnetopenauth with asp.net mvc proving too frustrating to use
Login system just like stackoverflow's, written in php
Open ID - What happens when you decide you don't like your existing provider?
Active Directory as OpenID provider?
Compliance test for OpenID providers

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!