OpenID: is the identifier URL unique? What are the differences between the identifiers
Question
In the OpenID specification, it says:
- Identifier:
An Identifier is just a URL. The whole flow of the OpenID Authentication protocol is about proving that an End User is, owns, a URL.
- Claimed Identifier:
An Identifier that the End User says they own, though that has not yet been verified by the Consumer.
- Verified Identifier:
An Identifier that the End User has proven to a Consumer that they own.
- Identity Provider:
Also called "IdP" or "Server". This is the OpenID Authentication server that a Consumer contacts for cryptographic proof that the End User owns the Claimed Identifier. How the End User authenticates to their Identity Provider is outside of the scope of OpenID Authentication.
- Is the identifier URL unique? What exactly is it?
- If it is not unique, is there anything unique so that the consumer can differ between different users on the same OpenID endpoint URL?
- What is the difference between the IdP and the identifier URL?
At other places, I have read the term "OpenID endpoint URL".
- Is the OpenID endpoint URL the same as the IdP? So the IdP is also a URL?
Let's take Google's OpenID as an example. When some site asks me for an OpenID login, I use the OpenID URL https://www.google.com/accounts/o8/id . Is that the identifier URL? If so, it is clearly not unique. Often, when I check back in my account settings on that site about my OpenID login, it does not show that entered URL but it has extended it somehow like https://www.google.com/accounts/o8/id?id=AltOawk... . That URL now seems kind of unique.
- What is now the purpose of https://www.google.com/accounts/o8/id ? Is that the OpenID endpoint URL? Or is that the IdP URL (if that is something different)?
- And what is the purpose of https://www.google.com/accounts/o8/id?id=AltOawk... ? Is that really unique and always the same for my Google account? So that URL is what identifies me?
- Why haven't they used https://www.google.com/accounts/o8/id?u={google-username} instead of this cryptic ...?id=AltOawk... ?
- What is the identifier URL in case of Google?
- What is the OpenID endpoint URL? (What is the IdP URL?)
The reason I am asking is because I am trying to implement my own OpenID endpoint.
- Is the OpenID endpoint URL the same as the identifier URL?
In my OpenID endpoint implementation, I have exactly that problem, that it cannot differ between different users. A consumer website just takes all users on that OpenID endpoint as the same. Of course it is always the same OpenID URL but that is also the case for Google's OpenID.
- If an end user uses this "general" URL, how do I redirect/forward it in my OpenID endpoint implementation to the "concrete"/unique (identifier?) URL? Or how do I differentiate between different end users on the same OpenID URL?
In my current implementation, when I enable some debug tracing, the first request I get is the mode checkid_setup. In the specs, it says I am getting the Claimed Identifier here. Because of what I have entered on the consumer site (and my debug trace says the same), that is the "general" URL (the OpenID endpoint URL). I.e. that is not the unique URL.
- Do I have to do a redirect now? The specs don't say anything about that. Where do I tell the "concrete" URL? (In my case, that is the URL http://{endpoint-url}?u={endpoint-username} .)
There are also the terms "OpenID server" (URL) and "OpenID delegate" (URL).
- How do these terms relate to the other terms above? All the same as OpenID endpoint URL?
- What is the "OpenID identity"? The same as the OpenID identifier URL?
See also the related question: How does OpenID differ between different logins on the same OpenID endpoint?
(Meta question: Should I maybe split this up in a lot of independent SO questions? I'm afraid that I may not get answers for all my questions otherwise.)
Recommended answer
Ok, as I just have fixed my SMF OpenID endpoint implementation (read details about some very related problems I had here) where I made a few assumptions on those relations. Of course that doesn't prove them right (so please correct me). Here they are:
- Identifier URL = OpenID endpoint URL = IdP
- The OpenID endpoint is not unique. It is the same for all end users of that endpoint.
- Verified identifier URL = identity
- Verified identifier URL is unique. It is associated to the endpoint user account.
- https://www.google.com/accounts/o8/id is the Google OpenID endpoint URL.
- https://www.google.com/accounts/o8/id?id=AltOawk... is the Google OpenID verified identifier URL.
- The hash the Google OpenID identity URL contains is also related to the OpenID realm (the consumer domain namespace where this OpenID identifier stays valid). That is one of the reasons to not be just the username.
About how to provide the unique verified identifier URL, see here.
Still some things remain unclear to me:
- The other reasons Google has for using a hashed ID; it could also have used id?u={username}&oidrealm={...} .
- What is the reason to have such OpenID realm at all?
- What exactly is the difference between identifier URL and claimed identifier URL?
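The relationship described in the answer above (one endpoint URL shared by every user, a verified identifier that is unique per account and tied to the realm), as an added Python example that is not code from the post, from Google or from any OpenID library. OP_ENDPOINT, OP_SECRET and the HMAC derivation are assumptions, since the page does not say how Google computes its id= value; the openid.* field names and the identifier_select value are those of OpenID Authentication 2.0.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode

# Assumptions for this example (none of these come from the post or from Google):
OP_ENDPOINT = "https://op.example/openid"   # hypothetical generic endpoint URL
OP_SECRET = b"constructed-demo-secret"      # constructed; a real OP keeps this private
# Value an OpenID 2.0 RP sends when the user typed only the generic OP URL.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def pairwise_identifier(username, realm):
    """Opaque identifier URL, stable for one (account, realm) pair."""
    # The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    msg = realm.encode() + b"\x00" + username.encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(tag[:18]).decode()
    return OP_ENDPOINT + "?" + urlencode({"id": token})

def positive_assertion_fields(request, logged_in_user):
    """Identifier fields of the id_res reply to a checkid_setup request.

    Signing (openid.sig, openid.signed, nonce, association) is left out.
    """
    if request.get("openid.mode") != "checkid_setup":
        raise ValueError("not a checkid_setup request")
    # OpenID 2.0: the realm defaults to return_to when it is absent.
    realm = request.get("openid.realm") or request["openid.return_to"]
    user_url = pairwise_identifier(logged_in_user, realm)
    asked = request.get("openid.claimed_id")
    # Only assert an identifier the logged-in account owns for this realm.
    if asked not in (IDENTIFIER_SELECT, user_url):
        raise PermissionError("user does not own the requested identifier")
    return {
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": user_url,
        "openid.identity": user_url,
        "openid.return_to": request["openid.return_to"],
    }

if __name__ == "__main__":
    req = {  # constructed request, as an RP would send it
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": "https://rp.example/",
        "openid.return_to": "https://rp.example/openid/return",
    }
    for user in ("alice", "bob"):
        print(user, positive_assertion_fields(req, user)["openid.claimed_id"])
```

Because the realm is part of the HMAC input, two consumer sites that compare their stored identifiers cannot tell that they belong to the same account.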