Forum: Ruby on Rails Attributing delegated OpenID identifiers to the "real" ident

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Fe1d541594bcc6c043729f3a3fd0f036?d=identicon&s=25 John Young (tikaro)
on 2007-02-28 13:41
(Received via mailing list)
Hi group!  I'm playing with the ruby-openid gem, and was able to get
to a "hello world" state pretty easily, thanks to some of the recipes
out there.  I'm able to display a page, have the user enter their
identifier, shoot off  to their identity provider, and return, at
which time their openID identifier (and other profile extension data)
is included.

So if it were the case that every user had exactly one openID
identifier, I'd be totally happy.

But here's the thing -- I notice that some users have more than one
openID identifier, even though they may be delegates of each other.
For example, anything at "pieisgood.org/[username]" will
programatically delegate to "[username].myopenid.com".  So if I
thought the "pieisgood" page was a nifty hack (which I do), and my
normal myopenid.com username was "imaginaryuser", it's concievable
that I could arrive at my own consumer application EITHER with the
identifier "imaginaryuser.myopenid.com", or the identifier
"pieisgood.com/imaginaryuser".  But they'd both be me.

Now, I know that if I went and created a whole new OpenID identifier
out of whole cloth (claimid.com/someotheruser), there's no way that
my consumer application would or should recognize me as "me".  The
thing I'm going for is to recognize users that use identities that
are delegates to other identities, even though the identity returned
upon OpenID completion will be different.  IF that's making any sense.

I notice that jyte does this; I've logged in to jyte BOTH as
[username].myopenid.com, piesisgood.com/[username], and using a hand-
rolled page on my own blog that delegates to [username].myopenid.com,
and each time Jyte recognized that it was me, and simply added the
new identifiers to a list of "known identifiers" on my profile page.
So they've got this one licked.

Okay, here's the question part (sorry to be so wordy):  I know
CONCEPTUALLY how I would go about doing this, I think: in the part of
the library responsible for retrieving the OpenID identifier URL, I
would make note that the identity retrieved delegates to another, and
then I would have to store that relationship locally -- including
BOTH the identity entered AND the eventual, delegated-to identifier,
so that when the user eventually returns with the approval for the
identity entered, I'd know to "attribute" that login to the delegated-
to identifier.  "oh, you've authenticated as piesigood.com/
imaginaryuser, have you?  Well, when I was fetching your identity, I
remember that that was ACTALLY a delegate to myopenid.com/
imaginaryuser, so I'll show you logged in as "pieisgood.com/
imaginaryuser", but I'm actually going to access the profile that I
associate with "myopenid.com/imaginaryuser".

I can also think of some exception cases that I would have to handle:
what if the "pieisgood" author decided that they don't like me, and
decided to delegate "pieisgood.org/imaginaryuser" to
"nefarioususer.myopenid.com"-- how would I go about making sure that
I didn't "trust" the delegation links from session to session?  What
other things am I overlooking?  Whew!

It's possible that the ruby-openid library already gives me the tools
to do this, but I'm afraid I'm in a bit over my head here.  Is there
a description out there of how this is done, or (even better) a
working code sample that I could poke at to do this?  I also haven't
had much luck finding a "ruby-openid" group that I could pester with
this question.  Can anyone steer me in the right direction?

Grateful regards,
John Young
http://www.tikaro.com
This topic is locked and can not be replied to.