Google's OpenID identifier is different depending on the "consumer" domain name. How to avoid potent
Posted by JohnnyO on Stack Overflow
Published on 2010-04-05T06:58:11Z
Indexed on 2010/04/05 7:03 UTC
I'm currently testing an OpenID implementation, and I'm noticing that Google sends a different identifier for different consuming host names / domain names, even for the same user. For example, Google sends a different identifier when the requesting site is localhost, compared to the identifier they send when the requesting site is 127.0.0.1 for the same user.
Note: I haven't actually tested this using public domain names, but I can't see why the behavior would be any different.
My concern with Google's behavior is that if we ever choose to change our website domain name in the future, then users will no longer be able to log in to the website using Google's OpenID as the identity provider. This seems to be a big problem. Am I missing something, or are all OpenID consuming sites faced with this potential problem?
I've also tested this with MyOpenId, but the identifier that MyOpenId creates is fixed, so this wouldn't be a problem with them.
Thanks.
© Stack Overflow or respective owner