Tags: php, c++, openid, openid-provider, simple-machines-forum

How does OpenID differ between different logins on the same OpenID endpoint?


I am trying to implement my own OpenID endpoint based on SMF user accounts. I based my code on phpMyOpenID and some SMF authorization code.

It works fine so far. I can use the endpoint to login/register on any site. If I am not logged in on the SMF, it will ask for my login and if that SMF login is successful, it accepts it.

However, it seems that it doesn't distinguish between different SMF logins. I.e. another user reported that he tried to use the endpoint on site X, logged in with his SMF account and landed on my user account on site X (I had registered the OpenID endpoint earlier on that site).

I guess I must somehow send the SMF login or somehow make it unique per SMF login. As it is probably trivial what I have to do, I thought I'd ask here on SO -- maybe there are also more things I need to fix.

The code (just PHP), if you want to take a look, is here: http://github.com/albertz/smf-openid-server

Or maybe just describe what I need to do to make it unique for each SMF login.

Another project I am planning is an OpenID client in a multiplayer C++ game. The hoster will have the option to allow only logins from people who can authenticate via OpenID. Also I want to make it possible to allow only certain people to login. What is a common way to get a unique string based on an OpenID login? In this case, I thought of something like http://{smf-openid-endpoint}/{smf-user} or http://www.google.de/profiles/{google-user}. What is a canonical way to get such a string?

I think this other question may be related to my main question, that is why I am putting it also here.


See also the related question: Is the identifier URL unique? What are the different terms?


Solution

  • It seems the first request from the end user I am getting is checkid_setup. On that response, I can specify a unique URL (what I call the unique string in my question) in the openid.identity field.

    I have done that in my code now and it seems to work. I.e. I can enter the general OpenID endpoint URL (for example on SourceForge) and it will extend it automatically in the way I have suggested in my question.

    To answer my second question: It seems that the verified identifier URL itself is unique, so this could be used. However, this can sometimes look cryptic (for example in the case of Google, it is just some hash). So this can be used internally to distinguish between different users. For the graphical representation, I can show the real username or the mail address, which I should also get from the OpenID authentication.
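Both halves of the answer in one place, as an added illustration that is not code from the smf-openid-server project: the provider answers checkid_setup with a per-user openid.identity/openid.claimed_id derived from the authenticated SMF session (and refuses when the relying party asked for a different identity), signs those fields with the association MAC key, and the relying party uses the signature-verified claimed_id as its unique user key. The endpoint URL, MAC key and request values are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
OP_ENDPOINT = "http://forum.example/openid/"  # placeholder: the SMF endpoint URL

def user_identity_url(smf_user):
    # One URL per SMF account, as proposed in the question: {endpoint}{smf-user}
    return OP_ENDPOINT + quote(smf_user)

def sign_fields(fields, signed, mac_key):
    # OpenID 2.0 signature: "key:value\n" per signed key, HMAC'd with the association MAC key
    base = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, base.encode(), hashlib.sha256).digest()).decode()

def build_positive_assertion(req, smf_user, assoc_handle, mac_key):
    """OP side: answer checkid_setup for the user the SMF session has authenticated."""
    me = user_identity_url(smf_user)
    requested = req.get("openid.identity", IDENTIFIER_SELECT)
    if requested not in (IDENTIFIER_SELECT, me):
        # The RP asked for an identity other than the logged-in user: never assert it
        return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": me,  # per-user URL, not the bare endpoint URL
        "openid.identity": me,
        "openid.return_to": req["openid.return_to"],
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(signed),
    }
    fields["openid.sig"] = sign_fields(fields, signed, mac_key)
    return fields

def verify_assertion(fields, mac_key):
    """RP side: check the signature, then use the verified claimed_id as the unique user key."""
    if fields.get("openid.mode") != "id_res":
        return None
    signed = fields["openid.signed"].split(",")
    if not {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"} <= set(signed):
        return None  # an unsigned identity field could have been altered in transit
    if not hmac.compare_digest(sign_fields(fields, signed, mac_key), fields["openid.sig"]):
        return None
    return fields["openid.claimed_id"]
```

The relying party should key its accounts on the value verify_assertion returns, never on the unverified identity the user typed in.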