chobo2

Reputation: 85775

Do I store all of the ClaimedIdentifier?

I am using DotNetOpenAuth and I am wondering what I should be storing from ClaimedIdentifier. I thought it would be just an id, but it seems to have a URL too.

When I do something like

Identifier claimedIdentifier = openIdRelayingParty.ClaimedIdentifier;

I get

//yahoo

https://me.yahoo.com/a/2RCv_bQ7341PA3v4irf5tzu_9K_fF1414afa414

// google

https://www.google.com/accounts/o8/id?id=AItOawmMvmoomT7lOO5jwEaAd1414dfafaf241VUI

So do I store this whole thing or just the long string? If I should store the long string, then how do I extract it? It seems like each provider's formatting is a bit different.

Upvotes: 1

Views: 383

Answers (1)

Andrew Arnott

Reputation: 81801

You should store the entire URL, including the fragment part. The fragment part is the #fragment at the end of some URLs. For example, I think every Yahoo ClaimedIdentifier actually includes a fragment like this:

https://me.yahoo.com/a/2RCv_bQ7341PA3v4irf5tzu_9K_fF1414afa414#aHd88

It is vitally important that the entire ClaimedIdentifier be stored, and later used to identify the same person. Also, be sure your identity check is case sensitive. Do not use the System.Uri.Equals method to verify that two ClaimedIds are equivalent. It would return true in cases where only the #fragment is different, which is not correct. You should use Identifier.Equals or the simple String.Equals(string, string, StringComparison.Ordinal) method.

Or if you're looking up the user from your users table in a database, be certain that your users table is configured to be case sensitive for the ClaimedId column.

Upvotes: 3
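The comparison rules from the answer above, as an added example that is not part of the original answer or of DotNetOpenAuth. The `ClaimedIdStore` class, the user id 42 and the variant identifiers are constructed for illustration; the dictionary stands in for a users table with a case-sensitive ClaimedId column.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical in-memory stand-in for a users table keyed by ClaimedIdentifier.
public sealed class ClaimedIdStore
{
    // Ordinal comparer: case-sensitive, character-for-character, fragment included.
    private readonly Dictionary<string, int> users =
        new Dictionary<string, int>(StringComparer.Ordinal);

    public void Register(string claimedId, int userId)
    {
        users.Add(claimedId, userId);
    }

    public int? Find(string claimedId)
    {
        int userId;
        return users.TryGetValue(claimedId, out userId) ? userId : (int?)null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample identifiers, modelled on the Yahoo example above.
        const string stored = "https://me.yahoo.com/a/2RCv_bQ7341PA3v4irf5tzu_9K_fF1414afa414#aHd88";
        const string otherFragment = "https://me.yahoo.com/a/2RCv_bQ7341PA3v4irf5tzu_9K_fF1414afa414#zzzzz";
        const string otherCase = "https://me.yahoo.com/a/2rcv_bq7341pa3v4irf5tzu_9k_ff1414afa414#aHd88";

        // System.Uri.Equals ignores the fragment, so two distinct identities compare equal.
        Console.WriteLine("Uri.Equals, different fragment:    " + new Uri(stored).Equals(new Uri(otherFragment)));
        // Ordinal string comparison keeps them apart.
        Console.WriteLine("Ordinal, different fragment:       " + string.Equals(stored, otherFragment, StringComparison.Ordinal));
        // A case-insensitive comparison (or column collation) would merge these two identifiers.
        Console.WriteLine("OrdinalIgnoreCase, different case: " + string.Equals(stored, otherCase, StringComparison.OrdinalIgnoreCase));
        Console.WriteLine("Ordinal, different case:           " + string.Equals(stored, otherCase, StringComparison.Ordinal));

        var store = new ClaimedIdStore();
        store.Register(stored, 42);
        Console.WriteLine("Lookup exact:          " + (store.Find(stored).HasValue ? "found" : "not found"));
        Console.WriteLine("Lookup other fragment: " + (store.Find(otherFragment).HasValue ? "found" : "not found"));
        Console.WriteLine("Lookup other case:     " + (store.Find(otherCase).HasValue ? "found" : "not found"));
    }
}
```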
