How do I identify OpenID username when identifier has no username in it?


I am trying to implement openID on my site and read through like Plaxo and questions on SO. I am currently able to authenticate my users using the libraries. But I notice that some providers like

I am trying to implement a system similar to Plaxo, where I will have a many-to-one relationship for accounts. But how do I distinguish users using openID URLs like the above? I see even SO having google and google profile separately. So, how do they identify the user in the case where the user doesn't provide his username or, I should say, unique openID?


There are 2 answers

2
Trevor Johns (BEST ANSWER)

OpenID isn't designed to expose the user's 'username' on the provider. You're provided with a verified URL that serves as their identity, but that URL should be treated as an opaque string.

If you need that, then you need to manually prompt the user or use attribute exchange (neither of which is secure, BTW).

2
Hendrik Brummermann

When you get the openid reply back, there will be a parameter "openid.identity" which is unique for each account. It is a very long semi-random string, so it is not useful for displaying:

https://www.google.com/accounts/o8/id?id=AItOawnlHWwIas84v37...

You can try to generate a nice displayable username based on the "nickname" field or the local part of the email address, if those attributes are provided. And as a last possibility, ask the user.
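
As an added example (not part of either answer and not any library's code), the sketch below keys accounts on the opaque identifier and uses the nickname or email local part only as a display suggestion, never for lookup. It assumes the OpenID library has already verified the response and that Simple Registration attributes arrive under the `sreg` alias; `identifier_of`, `suggest_display_name` and `AccountStore` are hypothetical names, and the sample identifiers are constructed.

```python
import re

def identifier_of(params):
    """Return the opaque account key from an already-verified response."""
    ident = params.get("openid.claimed_id") or params.get("openid.identity")
    if not ident:
        raise ValueError("response carries no identifier")
    return ident  # compared as a whole string, never parsed for a username

def suggest_display_name(params):
    """Display-only suggestion from unverified attributes; None means ask the user."""
    nickname = params.get("openid.sreg.nickname", "")
    email = params.get("openid.sreg.email", "")
    for candidate in (nickname, email.split("@", 1)[0]):
        cleaned = re.sub(r"[^A-Za-z0-9_.-]", "", candidate)[:30]
        if cleaned:
            return cleaned
    return None

class AccountStore:
    """Many-to-one: several OpenID identifiers can map to one local account."""
    def __init__(self):
        self.identifier_to_account = {}
        self.display_names = {}

    def login(self, params):
        ident = identifier_of(params)
        account = self.identifier_to_account.get(ident)
        if account is None:  # first visit with this identifier: create an account
            account = len(self.display_names) + 1
            self.identifier_to_account[ident] = account
            self.display_names[account] = suggest_display_name(params)
        return account

    def link(self, account, params):
        """Attach another verified identifier to an existing, logged-in account."""
        ident = identifier_of(params)
        owner = self.identifier_to_account.setdefault(ident, account)
        if owner != account:
            raise ValueError("identifier already belongs to another account")

# Constructed sample responses (all identifier values are made up).
PROVIDER_A = {"openid.identity": "https://provider-a.example/id?id=CONSTRUCTED123",
              "openid.sreg.email": "alice.smith@example.com"}
PROVIDER_B = {"openid.claimed_id": "https://provider-b.example/profiles/0001",
              "openid.sreg.nickname": "alice smith"}
BARE = {"openid.identity": "https://provider-c.example/id?id=CONSTRUCTED456"}
```

A `None` display name is the signal to prompt the user, and linking a second identifier should only happen while the user is logged in to the target account.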