OpenID: Is the identifier URL unique? What is the difference between the identifiers?
In the OpenID specs, it says:
- Identifier:
An Identifier is just a URL. The whole flow of the OpenID Authentication protocol is about proving that an End User is, owns, a URL.
- Claimed Identifier:
An Identifier that the End User says they own, though that has not yet been verified by the Consumer.
- Verified Identifier:
An Identifier that the End User has proven to a Consumer that they own.
- Identity Provider:
Also called "IdP" or "Server". This is the OpenID Authentication server that a Consumer contacts for cryptographic proof that the End User owns the Claimed Identifier.
How the End User authenticates to their Identity Provider is outside of the scope of OpenID Authentication.
Is the identifier URL unique? What exactly is it?
If it is not unique, is there anything unique so that the consumer can differ between different users on the same OpenID endpoint URL?
What is the difference between the IdP and the identifier URL?
At other places, I have read the term "OpenID endpoint URL".
- Is the OpenID endpoint URL the same as the IdP? So the IdP is also a URL?
Let's take Google's OpenID as an example. When some site asks me for an OpenID login, I use the OpenID URL https://www.google.com/accounts/o8/id. Is that the identifier URL? If so, it is clearly not unique. Often, when I check back in my account settings on that site about my OpenID login, it does not show that entered URL but it has extended it somehow like https://www.google.com/accounts/o8/id?id=AltOawk... That URL now seems kind of unique.
What is now the purpose of https://www.google.com/accounts/o8/id? Is that the OpenID endpoint URL? Or is that the IdP URL (if that is something different)? And what is the purpose of https://www.google.com/accounts/o8/id?id=AltOawk...? Is that really unique and always the same for my Google account? So that URL is what identifies me? Why haven't they used https://www.google.com/accounts/o8/id?u={google-username} instead of this cryptic ...?id=AltOawk...? What is the identifier URL in case of Google?
What is the OpenID endpoint URL? (What is the IdP URL?)
The reason I am asking is because I am trying to implement my own OpenID endpoint.
- Is the OpenID endpoint URL the same as the identifier URL?
In my OpenID endpoint implementation, I have exactly that problem, that it cannot differ between different users. A consumer website just takes all users on that OpenID endpoint as the same. Of course it is always the same OpenID URL but that is also the case for Google's OpenID.
- If the end user uses this "general" URL, how can I redirect/forward it in my OpenID endpoint implementation to the "concrete"/unique (identifier?) URL? Or how can I make it distinguish between different end users on the same OpenID URL?
In my current implementation, when I enable some debug tracing, the first request I get is the mode checkid_setup. In the specs, it says I am getting the Claimed Identifier here. Because of what I have entered on the consumer site (and my debug trace says the same), that is the "general" URL (the OpenID endpoint URL). I.e. that is not the unique URL.
- Do I have to do the redirect at that point now? The specs don't say anything about it. Where do I tell the "concrete" URL? (In my case, that is the URL http://{endpoint-url}?u={endpoint-username}.)
There are also the terms "OpenID server" (URL) and "OpenID delegate" (URL).
How do these terms relate to the other terms above? All the same as OpenID endpoint URL?
What is the "OpenID identity"? The same as the OpenID identifier URL?
See also the related question: How does OpenID differ between different logins on the same OpenID endpoint?
(Meta question: Should I maybe split this up in a lot of independent SO questions? I'm afraid that I may not get answers for all my questions otherwise.)
Comments (3)
Ok, as I just have fixed my SMF OpenID endpoint implementation (read details about some very related problems I had here) where I made a few assumptions on those relations. Of course that doesn't prove them right (so please correct me). Here they are:
Identifier URL = OpenID endpoint URL = IdP
The OpenID endpoint is not unique. It is the same for all end users of that endpoint.
Verified identifier URL = identity
Verified identifier URL is unique. It is associated to the endpoint user account.
https://www.google.com/accounts/o8/id is the Google OpenID endpoint URL. https://www.google.com/accounts/o8/id?id=AltOawk... is the Google OpenID verified identifier URL. The hash the Google OpenID identity URL contains is also related to the OpenID realm (the consumer domain namespace where this OpenID identifier stays valid). That is one of the reasons to not be just the username.
About how to provide the unique verified identifier URL, see here.
Still some things remain unclear to me:
What other reasons are there that Google uses for the hashed id; it could have also used id?u={username}&oidrealm={...}. What is the reason to have such OpenID realm at all?
What exactly is the difference between identifier URL and claimed identifier URL?
Here is my understanding. I am actually just answering the last two questions in your own answer. Hope someone finds these useful.
The realm is used for security. Basically the return_url is checked against the realm, and OpenID specs say they MUST match. Google has taken this one step further, and provides unique verified identifiers for each realm. They might have done as you suggested, and put the realm back in their identifier, but then you could tell by looking at two verified identifiers whether they were the same end-user or not. I think they are trying to keep their identifiers free of identifying information. (ironic, no?)
The claimed identifier is the one the end-user has specified. This is not their unique identifier. Yahoo is a good example of this. They allow you to specify yahoo.com as your identifier, log into your yahoo account, and return a unique identifier to the openid consumer. This just simplifies the process for the end-user. (And increases the likelihood that they'll use yahoo.com as their openid!)
If I've understood everything correctly, the answer is "Yes it is!"
I guess they want to be safe for future changes to your account, if you for example (now or in the future) would be able to change your username, then you would probably like that to be reflected in your OpenId-claimed-identifier as well - but then you would be in trouble! All your registrations for your old claimed identifier would not be accessible. Read more here: http://wiki.openid.net/w/page/12995200/OpenID-Security-Best-Practices and here: http://blog.nerdbank.net/2008/07/case-for-case-sensitive-openid-url.html
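The flow the question asks about (a checkid_setup request arriving with the "general" endpoint URL as the claimed identifier, and the provider having to hand back a concrete one without any extra redirect) and the two points from the second comment above (return_to is checked against the realm, and the provider issues a per-realm identifier so two consumers cannot correlate the same user) can be worked through in code. The Python below is an added example, not code from the question, the comments, or any OpenID library. The endpoint URL, secret, user names and realms are constructed; the HMAC construction for the per-realm id is this example's own assumption (the page only says that Google's hash is related to the realm); treating the bare endpoint URL like identifier_select is also an assumption; the identifier_select value itself is the OpenID 2.0 constant a consumer sends when it wants the provider to choose the identifier. Signing of the assertion (openid.sig) is left out.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed values for this example (not Google's or any real provider's).
ENDPOINT = "https://op.example/openid"          # the "general" OpenID endpoint URL
OP_SECRET = b"constructed-op-secret-change-me"  # provider-side key for opaque ids
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"  # OpenID 2.0


def _host_and_port(url: str):
    """Return (lowercased host, port as string), defaulting the port by scheme."""
    p = urlparse(url)
    host = p.netloc.rsplit("@", 1)[-1]  # drop any userinfo
    if ":" in host:
        host, port = host.rsplit(":", 1)
    else:
        port = {"http": "80", "https": "443"}.get(p.scheme, "")
    return host.lower(), port


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 realm rule: return_to must lie within the realm.

    Same scheme and port; host equal to the realm host (a '*.' realm also
    matches the bare domain and any subdomain); realm path is a prefix of the
    return_to path; a realm carries no query or fragment.
    """
    rt, rl = urlparse(return_to), urlparse(realm)
    if rl.query or rl.fragment or rt.scheme != rl.scheme:
        return False
    rt_host, rt_port = _host_and_port(return_to)
    rl_host, rl_port = _host_and_port(realm)
    if rt_port != rl_port:
        return False
    if rl_host.startswith("*."):
        base = rl_host[2:]
        if rt_host != base and not rt_host.endswith("." + base):
            return False
    elif rt_host != rl_host:
        return False
    return (rt.path or "/").startswith(rl.path or "/")


def pairwise_identifier(username: str, realm: str) -> str:
    """Opaque per-(user, realm) identifier in the style of ...?id=<hash>.

    Stable for one user at one realm, different at another realm, and not
    derivable from the username without OP_SECRET, so two consumers cannot
    tell from the URLs alone that they serve the same end-user.
    Assumption: HMAC-SHA256 is this example's construction, not Google's.
    """
    msg = username.encode() + b"\x00" + realm.lower().encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{ENDPOINT}?id={tag}"


def local_identifier(username: str) -> str:
    """The readable, non-pairwise form the question proposes: endpoint?u=<name>."""
    return f"{ENDPOINT}?u={username}"


def handle_checkid_setup(params: dict, authenticated_user: str) -> dict:
    """Simulate the provider's handling of checkid_setup once the user is logged in.

    `params` holds the openid.* fields sent by the consumer. Returns the fields
    of a positive assertion (unsigned here) or an error dict. No redirect to a
    "concrete" URL is needed first: the concrete identifier simply goes into
    openid.claimed_id / openid.identity of the response.
    """
    if params.get("openid.mode") != "checkid_setup":
        return {"error": "unsupported mode"}
    return_to = params.get("openid.return_to", "")
    realm = params.get("openid.realm") or return_to
    if not return_to or not return_to_matches_realm(return_to, realm):
        return {"error": "return_to is not within realm"}

    claimed = params.get("openid.claimed_id") or params.get("openid.identity") or ""
    # Assumption: the bare endpoint URL is treated like identifier_select, i.e.
    # the user typed the "general" URL and the provider picks the identifier.
    if claimed in (IDENTIFIER_SELECT, ENDPOINT):
        identity = pairwise_identifier(authenticated_user, realm)
    else:
        # A concrete URL was entered: it must belong to the logged-in user.
        owner = parse_qs(urlparse(claimed).query).get("u", [None])[0]
        if not claimed.startswith(ENDPOINT + "?") or owner != authenticated_user:
            return {"error": "claimed identifier not owned by authenticated user"}
        identity = local_identifier(authenticated_user)

    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": ENDPOINT,
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
    }


if __name__ == "__main__":
    request = {"openid.mode": "checkid_setup",
               "openid.return_to": "https://rp.example/cb",
               "openid.realm": "https://rp.example/",
               "openid.claimed_id": IDENTIFIER_SELECT,
               "openid.identity": IDENTIFIER_SELECT}
    print(handle_checkid_setup(request, "alice"))
```

Running the module shows a positive assertion whose claimed_id is the opaque per-realm URL for alice; the same request with a return_to on another host is refused, and the same user at a different realm gets a different id, which is the correlation-resistance property the second comment attributes to Google's hashed ids.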