Reputation: 1610
I'm planning to add OpenID support for a web application I'm building. I can't seem to find the maximum length of a valid OpenID so I can store it in my database. I've seen some vague references to 255 but I'd rather be sure.
In addition, is it useful to use the OpenID as the username (recommendations)?
Upvotes: 17
Views: 3544
Reputation: 41812
According to the specification for OpenID 1.1, the maximum limit for Identifier URLs is 255 bytes. See OpenID 1.1 Appendix D: Limits. Identity Provider and return_to URLs may be up to 2047 bytes.
Note that this section on limits was removed from the OpenID 2.0 specification. So it's unclear what the maximum length is now.
Upvotes: 15
Reputation: 6672
You should not accept any OpenID URL that is longer than 255. While it is possible, many can use this as an attack vector to pull off things like SQL Injection. Take a look at the OWASP AntiSamy APIs as an additional protection.
Upvotes: 1
Reputation: 20378
An OpenID is a URI, so you are limited by the maximum length of a URI. As far as I know there is no limit, but some browsers (such as Internet Explorer) have a limit.
Further reading:
http://openid.net/pipermail/general/2008-August/005305.html
Upvotes: 7
Reputation: 7647
There isn't an official length in version 2.0 of the spec.
You can hash the URL provided into something unique (MD5, or some other repeatable hash) and store that in your DB as a much shorter string.
As for using it as a username, a big URL is not pretty. You can extract a username from the responses (SO got my username directly from my OpenID).
Upvotes: 1
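An added example, not code from any of the answers on this page: one way to combine the suggestions above, storing a fixed-length hash of the identifier as the lookup key, capping input at the 255-byte OpenID 1.1 limit, using parameterized queries, and linking several identifiers to one account. The table and function names are hypothetical, SHA-256 is used in place of the MD5 mentioned above, and the identifier is assumed to have already been verified by your OpenID library.

```python
import hashlib
import sqlite3
from urllib.parse import urlsplit

# OpenID 1.1 Appendix D limit quoted above; OpenID 2.0 states none (assumed policy).
MAX_IDENTIFIER_BYTES = 255


def identifier_key(identifier: str) -> str:
    """Validate an identifier and return its fixed-length lookup key."""
    text = identifier.strip()
    raw = text.encode("utf-8")
    if not raw or len(raw) > MAX_IDENTIFIER_BYTES:
        raise ValueError("identifier empty or longer than the accepted limit")
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("identifier is not an http(s) URL")
    # SHA-256 instead of MD5: always 64 hex characters, whatever the URL length.
    return hashlib.sha256(raw).hexdigest()


def open_store() -> sqlite3.Connection:
    """Create the hypothetical schema: one account, many identifiers."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
        CREATE TABLE openid_identifier (
            id_hash    CHAR(64) PRIMARY KEY,
            identifier TEXT NOT NULL,
            account_id INTEGER NOT NULL REFERENCES account(id)
        );
    """)
    return db


def link_identifier(db: sqlite3.Connection, account_id: int, identifier: str) -> None:
    """Attach an identifier to an account; values are bound, never concatenated."""
    db.execute(
        "INSERT INTO openid_identifier (id_hash, identifier, account_id) VALUES (?, ?, ?)",
        (identifier_key(identifier), identifier.strip(), account_id),
    )


def find_account(db: sqlite3.Connection, identifier: str):
    """Return the username linked to an identifier, or None."""
    row = db.execute(
        "SELECT a.username FROM openid_identifier o "
        "JOIN account a ON a.id = o.account_id WHERE o.id_hash = ?",
        (identifier_key(identifier),),
    ).fetchone()
    return row[0] if row else None
```

The full identifier is kept in a `TEXT` column for display and auditing, while the unique index only ever sees the 64-character hash.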
Reputation: 993901
I would not use the OpenID directly as the username. Just have a look at the OpenID URLs that Yahoo provides to users; they're incomprehensible. Allow users to choose their own username, and ideally allow multiple OpenID URLs to be associated with one user account (like Stack Overflow does).
Upvotes: 3