{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Fickle 薄情 的问题《Is Google the only OpenID provider that requires “》','https://www.manongdao.com/q-486994.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am developing an OpenID consumer in PHP and am using the fantastic LightOpenID library (http://gitorious.org/lightopenid). Basing my code off of that found in the example client script I have successfully created a consumer. However, I've run across a snag: Google requires the openid.identity and openid.claimed_id to be set to "http://specs.openid.net/auth/2.0/identifier_select" (see here). If I do that it works but other providers (i.e. AOL) don't.
Here are my questions:
- Is Google a corner case –– is it the only OpenID provider where
identifier_selectis required, contrary to the OpenID specs? - Is there a shortcoming in the LightOpenID library?
- Is my understanding of how OpenID works incorrect?
- If Google is not the only provider that requires
identifier_selectare there a finite number of them which I'll just hardcode in, or is there someway to determine this through the OpenID spec?
I'm new to the internals of OpenID so I wouldn't be surprised if this is a dumb question. I haven't been able to find any info on this subject after scouring the Internet.
The LightOpenID author here.
Note that this answer is about the newest version of my library, which was pushed after this question was asked. For anyone still struggling with this problem, please download the newest version
Google isn't contradicting the spec. The OpenID 2.0 spec absolutely allows for identifier_select flows, which enable something called "directed identity", which Google is the only notable OP (that I know of) that actually exercises the ability to do.
And yes, a fully and correctly implemented OpenID RP library will automatically notice that Google (and any other OP like it) requires identifier_select as it's part of the identifier discovery step that picks up on this. Sorry about the library you're using, but it sounds like it's causing you grief due to perhaps being an incomplete implementation of OpenID.
And by the way, AOL does support identifier_select.
This is used to authenticate in OP Driven ID Selection mode. It's less common but not a corner case. Among all the OP providers I use, I noticed Google and Yahoo require this.
This is required to support Directed Identity in OpenID 2.0. Basically, you get a different OpenID for different website. There is a push to move to this model by privacy advocates so I think you have to support this soon or later.