When authenticating with OpenID I am afaict supposed to use the claimed identifier as a key to uniquely identify a specific user. The problem I am having with this is either two independent bugs or a misunderstanding of the spec :).
When using node openid I would expect these two URLs to result in the same claimed_id:
- http://{username}.myopenid.com/
- http://www.myopenid.com/xrds?username={username}.myopenid.com
However, those URLs result in two different claimed_ids:
- http://{username}.myopenid.com/
- http://www.myopenid.com/xrds?username={username}.myopenid.com
both being the URLs mentioned. To verify this behaviour I decided to check out a different OpenID library, Python OpenID. Using the same two URLs I still get two claimed_ids, but in this case they’re different; now I get:
So, I guess my question is, am I right in assuming the claimed_ids should be used as identifiers and that the above URLs should result in the same claimed_id?
There’s no reason they should result in the same claimed id and in fact you offer nothing in support of that expectation.
However, it should be noted that the first library uses a wrong value for the claimed id (emphasis mine):
And for the second URL you have this response (some headers removed):
Therefore http://{username}.myopenid.com/xrds should be used.
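The rule the answer relies on, as an added example that is not part of the original answer or of either library: OpenID 2.0 (section 7.2) normalizes a URL identifier, follows redirects, and takes the final URL as the claimed identifier. The username `alice`, the `lookup` helper and the 302 hop are constructed assumptions so the sketch runs offline.

```javascript
// Added example: OpenID 2.0 section 7.2 handling for URL identifiers (XRIs not covered).
const MAX_REDIRECTS = 5;
const REDIRECTS = [301, 302, 303, 307];

// Step 1: turn what the user typed into a normalized URL.
function normalizeIdentifier(input) {
  let s = input.trim();
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) {
    if (!/^https?:/i.test(s)) throw new Error('unsupported scheme: ' + s);
  } else {
    s = 'http://' + s; // no scheme given: treat as http
  }
  const u = new URL(s); // lowercases scheme and host, drops default port, "" path -> "/"
  u.hash = '';          // the fragment is not part of the identifier
  return u.href;
}

// Step 2: follow redirects; the final URL is the claimed identifier.
// lookup(url) -> { status, location } is a hypothetical stand-in for the HTTP request.
function resolveClaimedId(input, lookup) {
  let url = normalizeIdentifier(input);
  const seen = new Set();
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (seen.has(url)) throw new Error('redirect loop at ' + url);
    seen.add(url);
    const res = lookup(url);
    if (!REDIRECTS.includes(res.status)) return url; // final destination reached
    url = normalizeIdentifier(new URL(res.location, url).href); // Location may be relative
  }
  throw new Error('too many redirects');
}

// Constructed data: "alice" is a made-up username and the 302 hop is an assumption.
const HOPS = {
  'http://www.myopenid.com/xrds?username=alice.myopenid.com':
    { status: 302, location: 'http://alice.myopenid.com/xrds' },
};
const lookup = (url) => HOPS[url] || { status: 200 };

// The two identifiers from the question resolve to two distinct account keys.
const direct = resolveClaimedId('Alice.MyOpenID.com', lookup);
const viaXrds = resolveClaimedId(
  'http://www.myopenid.com/xrds?username=alice.myopenid.com', lookup);
console.log(direct, viaXrds);
```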