[OpenID] Google+ and Unique Identifiers -- different again?


Johannes Ernst

Jul 1, 2011, 11:48:29 PM
to openid-...@lists.openid.net
It seems Google has changed their unique identifiers for people again.

Apparently I'm now:
https://plus.google.com/104555285104903729468
as opposed to
http://profiles.google.com/Johannes.Ernst
and so many other variations over the years.

My relying party implementation does not recognize me any more although I use the same URL as identifier. Which means I can't access my account!

Is it me who is doing something wrong here? What's the official Google migration path?

Thanks,

Johannes.

_______________________________________________
general mailing list
gen...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

Allen Tom

Jul 2, 2011, 1:12:47 AM
to Johannes Ernst, openid-...@lists.openid.net
Email addresses were and are the one true identifier!

All kidding aside (well, maybe I'm not really really kidding) - there
will be a migration path in OpenID connect, so if Google Plus
supports OpenID Connect, perhaps both the new G+ identifier and the
existing OpenID 2.0 identifier will be returned in the assertion.

Allen

On Friday, July 1, 2011, Johannes Ernst <jernst+o...@netmesh.us> wrote:
> It seems Google has changed their unique identifiers for people again.
>
> Apparently I'm now:
>        https://plus.google.com/104555285104903729468
> as opposed to
>        http://profiles.google.com/Johannes.Ernst
> and so many other variations over the years.
>
> My relying party implementation does not recognize me any more
> although I use the same URL as identifier. Which means I can't access
> my account!
>
> Is it me who is doing something wrong here? What's the official
> Google migration path?
>
> Thanks,
>
> Johannes.
>
> _______________________________________________
> general mailing list
> gen...@lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general

Arthur Goldberg

Jul 2, 2011, 10:31:17 AM
to Allen Tom, openid-...@lists.openid.net
email addresses are the only practical identifier now
--
Senior Research Scientist
Computational Biology
Memorial Sloan-Kettering Cancer Center
cBio Cancer Genomics Portal

Melvin Carvalho

Jul 2, 2011, 11:25:49 AM
to Allen Tom, openid-...@lists.openid.net
On 2 July 2011 07:12, Allen Tom <allent...@gmail.com> wrote:
> Email addresses were and are the one true identifier!
>
> All kidding aside (well, maybe I'm not really really kidding) - there
> will be a migration path in OpenID connect, so if Google Plus
> supports OpenID Connect, perhaps both the new G+ identifier and the
> existing OpenID 2.0 identifier will be returned in the assertion.

Not sure about that

facebook gives you 2 ids: facebook.com/foo and f...@facebook.com

best of both worlds

in a generic system, it should be possible to link 2 ids together,
something like owl:sameAs

Peter Watkins

Jul 2, 2011, 11:41:16 AM
to Johannes Ernst, openid-...@lists.openid.net
On Fri, Jul 01, 2011 at 08:48:29PM -0700, Johannes Ernst wrote:
> It seems Google has changed their unique identifiers for people again.
>
> Apparently I'm now:
> https://plus.google.com/104555285104903729468
> as opposed to
> http://profiles.google.com/Johannes.Ernst
> and so many other variations over the years.

Someone from Google, please chime in!

I run an RP site and Google is the most popular OP for the
users who choose to use OpenID instead of setting up "local" accounts,
so this could be a significant problem for us. Most of our Google
users get those ugly random per-RP identifiers, but a fair number
have "profiles" identifiers. So even if this only affects "profiles"
identifiers, a change like this is going to deny Google users access
to the resources to which they are entitled.

-Peter

Andrew Arnott

Jul 2, 2011, 11:58:32 AM
to Peter Watkins, openid-...@lists.openid.net
I'm amazed that Google did this, but would be shocked if they did it deliberately.  Here's what I got from a test RP when trying to log in using my http://profiles.google.com/andrewarnott identifier:

The OpenID Provider issued an assertion for an Identifier whose discovery information did not match.  
Assertion endpoint info: 
ClaimedIdentifier: https://profiles.google.com/114635397638720587251
ProviderLocalIdentifier: https://profiles.google.com/114635397638720587251
ProviderEndpoint: https://www.google.com/accounts/o8/ud?source=profiles
OpenID version: 2.0
Service Type URIs:
Discovered endpoint info:
[{
	ClaimedIdentifier: https://plus.google.com/114635397638720587251
	ProviderLocalIdentifier: https://plus.google.com/114635397638720587251
	ProviderEndpoint: https://www.google.com/accounts/o8/ud?source=profiles
	OpenID version: 2.0
	Service Type URIs:
		http://specs.openid.net/auth/2.0/signon
		http://openid.net/srv/ax/1.0
		http://specs.openid.net/extensions/ui/1.0/mode/popup
		http://specs.openid.net/extensions/ui/1.0/icon
		http://specs.openid.net/extensions/pape/1.0
},]
So Google has some messed up server/user config as it is -- let's just hope when they fix it, they make both the old and the new world work.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

Melvin Carvalho

Jul 3, 2011, 7:58:43 AM
to Johannes Ernst, openid-...@lists.openid.net
On 2 July 2011 05:48, Johannes Ernst <jernst+o...@netmesh.us> wrote:
> It seems Google has changed their unique identifiers for people again.
>
> Apparently I'm now:
>        https://plus.google.com/104555285104903729468
> as opposed to
>        http://profiles.google.com/Johannes.Ernst
> and so many other variations over the years.
>
> My relying party implementation does not recognize me any more although I use the same URL as identifier. Which means I can't access my account!
>
> Is it me who is doing something wrong here? What's the official Google migration path?

I've just realized facebook have 5-6 IDs all tied together

1. Original email address
2. facebook.com/foo
3. facebook.com/UID
4. f...@facebook.com
5. graph.facebook.com/foo
6. graph.facebook.com/UID

This is very clever stuff, imho. I think the FB graph is extremely
well organized, and possibly gives them a competitive advantage.
TimBL always says, 'give everything a URI and let them link to each
other'. Facebook have done exactly that, and I think it's the design
model to follow.
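The "link 2 ids together, something like owl:sameAs" idea from earlier in the thread, and the list of several identifiers for one Facebook account above, both describe the same relying-party problem: the account must survive the provider handing the user a new name. The following is an added example written for this thread, not code from any participant or from Google or Facebook. It keys accounts on a local root identifier and merges further identifiers into that set with a union-find structure; identifier normalization follows OpenID Authentication 2.0 section 7.2 for URL identifiers only (e-mail addresses, as Allen raised, are not handled here). The example.com identifiers are constructed placeholders, and all class and function names are this example's own.

```python
"""Keying a relying party's accounts on a local root identifier and linking
several provider identifiers to it.

Added example for this thread; not code from any participant. Only URL
identifiers are handled; the example.com values are constructed placeholders.
"""
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(raw: str) -> str:
    """OpenID 2.0 section 7.2 normalization for URL identifiers: default the
    scheme to http, drop the fragment, lowercase scheme and host, drop a
    default port, and give an empty path a trailing "/". Every key stored
    by IdentifierLinks is in this form, so "Example.com/Foo#x" and
    "http://example.com/Foo" land on the same account."""
    text = raw.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit already lowercases the host
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))  # fragment dropped


class IdentifierLinks:
    """Union-find over normalized identifiers. Each set is one local account,
    so any member resolves to the same account key even after the provider
    renames the user (as happened with profiles.google.com -> plus.google.com
    in this thread), provided the user can log in with both identifiers once."""

    def __init__(self) -> None:
        self._parent: Dict[str, str] = {}

    def _find(self, ident: str) -> str:
        self._parent.setdefault(ident, ident)
        root = ident
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[ident] != root:   # path compression
            nxt = self._parent[ident]
            self._parent[ident] = root
            ident = nxt
        return root

    def link(self, known: str, new: str) -> None:
        """Merge `new` into the account of `known`. The caller must only do this
        after the user has completed a verified login with *both* identifiers
        in the current session; merging on the user's say-so alone would bind
        an identifier the user has not proven control of. The root of `known`
        is kept, so existing account keys stay stable."""
        root_known = self._find(normalize_identifier(known))
        root_new = self._find(normalize_identifier(new))
        if root_known != root_new:
            self._parent[root_new] = root_known

    def same_as(self, a: str, b: str) -> bool:
        return self._find(normalize_identifier(a)) == self._find(normalize_identifier(b))

    def account_key(self, ident: str) -> str:
        """Stable key under which to store the account's data."""
        return self._find(normalize_identifier(ident))

    def aliases(self, ident: str) -> List[str]:
        """All identifiers known to resolve to the same account."""
        root = self.account_key(ident)
        return sorted(x for x in list(self._parent) if self._find(x) == root)


if __name__ == "__main__":
    links = IdentifierLinks()
    links.link("profiles.example.com/alice",
               "HTTPS://Plus.Example.com/000000000000000000001#me")
    print(links.aliases("http://profiles.example.com/alice"))
```

Because the account key is the root of the first identifier the user ever registered with, the RP's own records never need rewriting when a second or third identifier is attached later.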

Steven Livingstone Pérez

Jul 3, 2011, 8:17:24 AM
to melvinc...@gmail.com, jernst+o...@netmesh.us, openid-...@lists.openid.net
Probably makes some sense for them to have a "Normalize()" graph api call ... I have often been worried about this in storing identifiers as keys etc. in a local data store.

I do think it is the responsibility of the account provider to provide the mapping rather than us trying to prejudge the next migration choice.

/steven

> Date: Sun, 3 Jul 2011 13:58:43 +0200
> From: melvinc...@gmail.com
> To: jernst+o...@netmesh.us
> CC: openid-...@lists.openid.net
> Subject: Re: [OpenID] Google+ and Unique Identifiers -- different again?

Henry Story

Jul 3, 2011, 8:25:09 AM
to Steven Livingstone Pérez, openid-...@lists.openid.net
On 3 Jul 2011, at 14:17, Steven Livingstone Pérez wrote:

> Probably makes some sense for them to have a "Normalize()" graph api call ... I have often been worried about this in storing identifiers as keys etc. in a local data store.
>
> I do think it is the responsibility of the account provider to provide the mapping rather than us trying to prejudge the next migration choice.

You can't escape the fact that in an open world the same thing will be named with more than one name.

That's why the semantic web was developed.

Henry

Social Web Architect
http://bblfish.net/

Steven Livingstone Pérez

Jul 3, 2011, 9:39:11 AM
to henry...@bblfish.net, openid-...@lists.openid.net
Totally agree, though I well remember the amount of effort that went into element and attribute normalization [1] in defining algorithms that meant everyone "saw" the same value.

When those algorithms (loosely defined as in this case - as many - the algorithm is something in a closed environment that just knows what the mapping is) are hard to define, I can't see how else, in simple terms, consumers of the service or API are expected to make queries on behalf of a user's account, other than by having a way of asking if two things are alike via a service-provided API.

/steven

Johannes Ernst

Jul 3, 2011, 2:31:36 PM
to openid-...@lists.openid.net
On the first login, I specify
which logs me in after having been automagically transformed into
per previous message.

Then, the next day, (because my session cookie is expired), I try to re-login with the apparently canonical identifier
which leads me to a Google page at
that says
<relying party URL> is asking for your Google profile, but you don't have one yet
and only gives me the option to cancel or "create a Google profile now". Trouble is, I already have a Google profile, and even adding to it does not let me proceed from that page.

So I cancel that attempt, and try again with
which works like a charm -- except that I'm 
again.

Arthur Goldberg

Jul 3, 2011, 2:41:26 PM
to Johannes Ernst, openid-...@lists.openid.net
Good catch Johannes
I wish I could get free, high quality QA of my code like Google gets of theirs! :-)

Andrew Arnott

Jul 3, 2011, 3:22:25 PM
to Johannes Ernst, openid-...@lists.openid.net
It seems to me that any RP that accepts Google Profiles logins right now has significant security flaws because they are not validating that the asserting OP Endpoint has authority to assert for the claimed_id.

Sent from my Windows Phone

From: Johannes Ernst
Sent: Sunday, July 03, 2011 11:31 AM
To: openid-...@lists.openid.net
Subject: [OpenID] More G+ weird behavior. Was: Google+ and Unique Identifiers -- different again?
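Andrew's test-RP output earlier in the thread and his remark just above describe the same check: OpenID Authentication 2.0 section 11.2 requires the relying party to confirm that the claimed identifier in a positive assertion was actually discovered to be served by the asserting OP endpoint, with the same OP-local identifier and protocol version. Below is an added example written for this thread, not code from any participant, from a library, or from Google. The asserted and discovered values are copied from the test-RP output Andrew posted; the `EndpointInfo` class, the function names and the comparison logic are this example's own.

```python
"""Verifying discovered information for an OpenID 2.0 positive assertion
(OpenID Authentication 2.0, section 11.2).

Added example for this thread; not code from any participant or from Google.
The ASSERTED and DISCOVERED values are taken from the test-RP output posted
earlier in the thread; the checker itself is this example's own construction.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence


@dataclass(frozen=True)
class EndpointInfo:
    """The fields that must agree between the assertion (openid.claimed_id,
    openid.identity, openid.op_endpoint, openid.ns) and the RP's own
    discovery on the claimed identifier."""
    claimed_identifier: str
    provider_local_identifier: str
    provider_endpoint: str
    openid_version: str = "2.0"
    service_types: FrozenSet[str] = frozenset()


# What the OP signed in the assertion for a login that started from
# http://profiles.google.com/andrewarnott (values from the thread).
ASSERTED = EndpointInfo(
    claimed_identifier="https://profiles.google.com/114635397638720587251",
    provider_local_identifier="https://profiles.google.com/114635397638720587251",
    provider_endpoint="https://www.google.com/accounts/o8/ud?source=profiles",
)

# What the RP found when it ran discovery on that claimed identifier.
DISCOVERED = [
    EndpointInfo(
        claimed_identifier="https://plus.google.com/114635397638720587251",
        provider_local_identifier="https://plus.google.com/114635397638720587251",
        provider_endpoint="https://www.google.com/accounts/o8/ud?source=profiles",
        service_types=frozenset({
            "http://specs.openid.net/auth/2.0/signon",
            "http://openid.net/srv/ax/1.0",
            "http://specs.openid.net/extensions/ui/1.0/mode/popup",
            "http://specs.openid.net/extensions/ui/1.0/icon",
            "http://specs.openid.net/extensions/pape/1.0",
        }),
    )
]

COMPARED_FIELDS = ("claimed_identifier", "provider_local_identifier",
                   "provider_endpoint", "openid_version")


def compare_endpoint(asserted: EndpointInfo, discovered: EndpointInfo) -> List[str]:
    """One message per field on which the assertion disagrees with a
    discovered service; an empty list means this service vouches for it."""
    mismatches = []
    for name in COMPARED_FIELDS:
        a, d = getattr(asserted, name), getattr(discovered, name)
        if a != d:
            mismatches.append(f"{name}: asserted {a!r} but discovered {d!r}")
    return mismatches


def verify_discovered_info(asserted: EndpointInfo,
                           discovered: Sequence[EndpointInfo]) -> List[str]:
    """Section 11.2 check: accept the assertion only if some service found by
    discovery on the claimed identifier matches it on every compared field.

    Returns [] on success, otherwise the mismatch list of the closest
    candidate, which is what the RP should log and refuse the login on.
    Skipping this check means trusting the OP endpoint's word about which
    claimed identifier it speaks for, instead of what discovery established."""
    if not discovered:
        return ["discovery on the claimed identifier returned no OpenID 2.0 services"]
    candidates = [compare_endpoint(asserted, d) for d in discovered]
    return min(candidates, key=len)


if __name__ == "__main__":
    for problem in verify_discovered_info(ASSERTED, DISCOVERED):
        print("REJECT:", problem)
```

Run against the thread's values, the check rejects the assertion on two fields (the claimed and OP-local identifiers moved from profiles.google.com to plus.google.com while the endpoint stayed the same), which is exactly the failure the test RP reported; an RP that compared only the endpoint would have let it through.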

Andrew Arnott

Jul 3, 2011, 3:28:24 PM
to Johannes Ernst, openid-...@lists.openid.net
Here is the relevant RP test, by the way:
http://www.test-id.org/RP/VerifyAssertionDiscovery.aspx

On 7/3/11, Andrew Arnott <andrew...@gmail.com> wrote:
> It seems to me that any RP that accepts Google Profiles logins right now
> has significant security flaws because they are not validating that the
> asserting OP Endpoint has authority to assert for the claimed_id.
>
> Sent from my Windows Phone

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre

Johannes Ernst

Jul 5, 2011, 1:33:28 PM
to openid-...@lists.openid.net
Any word from any Googler if / when any of this will be fixed?