Google的OpenID实现的ID为什么会更改? [英] Why does the ID of Google's OpenID implementation change?
问题描述
我正在尝试为Web应用程序实现OpenId登录.每当有新用户通过OpenId登录时,我都会在sustem上创建一个新用户,并在数据中存储他们的openid URL,以便下次他们使用该用户登录.
I'm trying to implement OpenId login for a web application. Whenever new user who logs in via OpenId I create a new user on the sustem, and among the data I store their openid URL, so that next time they login with that user.
我正在使用我的Gmail OpenID进行测试,问题是每次执行此操作时,Google都会发送一个不同的openid URL,即
I'm testing this with my Gmail OpenID, and the problem is that everytime I do this, Google sends a different openid URL, that is, https://www.google.com/accounts/o8/id?id=SomethingThatChangesFromTimeToTime
当然,我不知道这是不是新用户.我有点困惑:openid标识符不应该总是保持不变吗?
Of course I'm then not able to tell wheter this is or not a new user. I'm a bit puzzled: shouldn't the openid identifier always remain the same?
推荐答案
Google的OpenID标识符或多或少是包括请求所来自的主机在内的多个数据的哈希表示(更确切地说,是将openid.realm参数发送给提供者) .因此,如果您的主机不时更改(例如端口和IP地址更改),则ID也将不时更改. StackOverflow也针对此问题使用了一种解决方法.检查这些帖子:
Google's OpenID identifier is more or less a hashed representation of multiple data including the host the request came from (more exactly the openid.realm parameter sent to the provider). So if your host changes from time to time (like the port and ip address changes), then the ID will change from time to time too. StackOverflow uses a workaround for this issue too. Check these posts:
- OpenID, One Year Later
- Google’s OpenIDs are Unique Per-Domain
以下是Google的常见问题解答摘录:
Here is an FAQ excerpt from google:
问:OpenID规范说
openid.realm是可选的,如果未提供,则Google应该使用openid.return_toURL.那行得通吗?
Q: The OpenID spec says that the
openid.realmis optional, and that if not provided, Google should use theopenid.return_toURL instead. Will that work?
A:从协议可以成功完成的意义上讲,它将起作用.但是,如果您的return_to URL类似于www.example.com/authenticate?style=openid-federated_login,则要求我们提示用户批准并信任您站点上的特定地址,这对用户而言不友好.另外,如果省略openid.realm参数,则将永远无法更改return_to URL:它将隐式更改Google帐户用户的领域和URL标识符.
A: It will work in the sense that the protocol will complete successfully. But if your return_to URL is something like www.example.com/authenticate?style=openid-federated_login, you are asking us to prompt users to approve and trust a specific address at your site, which is not user-friendly. Also, if you omit the openid.realm parameter, you will never be able to change your return_to URL: It will also implicitly change the realm and the URL identifiers of your Google Account users.
这篇关于Google的OpenID实现的ID为什么会更改?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
