I am developing an OpenID consumer in PHP and am using the fantastic LightOpenID library (http://gitorious.org/lightopenid). Basing my code off of that found in the example client script I have successfully created a consumer. However, I’ve run across a snag: Google requires the openid.identity and openid.claimed_id to be set to "http://specs.openid.net/auth/2.0/identifier_select" (see here). If I do that it works but other providers (i.e. AOL) don’t.
Here are my questions:
- Is Google a corner case –– is it the only OpenID provider where
identifier_selectis required, contrary to the OpenID specs? - Is there a shortcoming in the LightOpenID library?
- Is my understanding of how OpenID works incorrect?
- If Google is not the only provider that requires
identifier_selectare there a finite number of them which I’ll just hardcode in, or is there someway to determine this through the OpenID spec?
I’m new to the internals of OpenID so I wouldn’t be surprised if this is a dumb question. I haven’t been able to find any info on this subject after scouring the Internet.
Google isn’t contradicting the spec. The OpenID 2.0 spec absolutely allows for identifier_select flows, which enable something called “directed identity”, which Google is the only notable OP (that I know of) that actually exercises the ability to do.
And yes, a fully and correctly implemented OpenID RP library will automatically notice that Google (and any other OP like it) requires identifier_select as it’s part of the identifier discovery step that picks up on this. Sorry about the library you’re using, but it sounds like it’s causing you grief due to perhaps being an incomplete implementation of OpenID.
And by the way, AOL does support identifier_select.