Ok, as I have just fixed my SMF OpenID endpoint implementation (read details about some very related problems I had here), where I made a few assumptions on those relations. Of course that doesn't prove them right (so please correct me). Here they are:
Identifier URL = OpenID endpoint URL = IdP
The OpenID endpoint is not unique. It is the same for all end users of that endpoint.
Verified identifier URL = identity
Verified identifier URL is unique. It is associated to the endpoint user account.
https://www.google.com/accounts/o8/id is the Google OpenID endpoint URL. https://www.google.com/accounts/o8/id?id=AltOawk... is the Google OpenID verified identifier URL. The hash the Google OpenID identity URL contains is also related to the OpenID realm (the consumer domain namespace where this OpenID identifier stays valid). That is one of the reasons to not be just the username.
About how to provide the unique verified identifier URL, see here.
Still some things remain unclear to me:
What other reasons are there that Google uses for the hashed id? It could have also used id?u={username}&oidrealm={...}. What is the reason to have such an OpenID realm at all?
What exactly is the difference between identifier URL and claimed identifier URL?
Here is my understanding. I am actually just answering the last two questions in your own answer. Hope someone finds these useful.
What is the reason to have such OpenID realm at all?
The realm is used for security. Basically the return_url is checked against the realm, and OpenID specs say they MUST match. Google has taken this one step further, and provides unique verified identifiers for each realm. They might have done as you suggested, and put the realm back in their identifier, but then you could tell by looking at two verified identifiers whether they were the same end-user or not. I think they are trying to keep their identifiers free of identifying information. (ironic, no?)
What exactly is the difference between identifier URL and claimed identifier URL?
The claimed identifier is the one the end-user has specified. This is not their unique identifier. Yahoo is a good example of this. They allow you to specify yahoo.com as your identifier, log into your yahoo account, and return a unique identifier to the openid consumer. This just simplifies the process for the end-user. (And increases the likelihood that they'll use yahoo.com as their openid!)
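The two points in the answer above (the return URL must fit inside the realm, and a per-realm identifier hides whether two identifiers belong to the same user) as an added example; this is not code from the thread or from Google. It assumes the realm matching rules of OpenID 2.0 section 9.2 (scheme, port, path prefix, optional "*." wildcard host, no fragment) and uses a constructed HMAC as a stand-in for whatever Google really hashes.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

def _normalize(url):
    """Split a URL into (scheme, host, port, path, parts) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path, parts

def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 section 9.2: a return_to URL must lie inside the realm.
    Returns False for malformed realms (fragment, wildcard not at the start)."""
    r_scheme, r_host, r_port, r_path, r_parts = _normalize(realm)
    u_scheme, u_host, u_port, u_path, _ = _normalize(return_to)
    if r_parts.fragment or not r_host:
        return False                      # a realm never carries a fragment
    if r_scheme != u_scheme or r_port != u_port:
        return False
    if r_host.startswith("*."):
        suffix = r_host[1:]               # "*.example.com" -> ".example.com"
        if not (u_host.endswith(suffix) or u_host == suffix[1:]):
            return False                  # rejects example.com.evil.net too
    elif "*" in r_host or r_host != u_host:
        return False
    base = r_path if r_path.endswith("/") else r_path + "/"
    return u_path == r_path or u_path.startswith(base)   # same dir or below

def pairwise_identifier(idp_secret, user_id, realm,
                        endpoint="https://idp.example/id"):
    """Constructed per-realm identifier: HMAC over (user, realm) with an IdP secret.
    Two relying parties cannot correlate the identifiers they receive, and the
    realm is not recoverable from the value, which is the property the answer
    attributes to Google's hashed id."""
    mac = hmac.new(idp_secret, f"{user_id}\0{realm.lower()}".encode(), hashlib.sha256)
    return f"{endpoint}?id={mac.hexdigest()[:32]}"
```

A relying party keeps the realm check; the identifier derivation lives on the IdP side only.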
According to Apple docs:
The identifier you supply with your scheme distinguishes your app from others that declare support for the same scheme.
Although using a reverse DNS string is a best practice, it does not prevent other apps from registering the same scheme and handling the associated links. Use universal links instead of custom URL schemes to define links that are uniquely associated with your website.
So to answer your question, adding a URL identifier doesn't change much, but it's best to include it, as it is specified by Apple.
The URL Identifier is the reversed domain address, which should be the same as your Bundle Identifier, e.g. com.companyname.appname.
The URL Schemes is the start of the URL, e.g. 'appname'. When you call this as a URL it targets the bundle identifier, which launches the app.
Reference : URL Identifier and URL Schemes
Generally with websites you're trying to make them easy to crawl and get access to all the information so that you can get good search rankings and drive traffic to your site. Good web developers design their HTML with search engines in mind, and often also provide things like RSS feeds and site maps to make it easier to crawl content. So if you're trying to make crawling more difficult by not using sequential identifiers then (a) you aren't making it more difficult, because crawlers work by following links, not by guessing URLs, and (b) you're trying to make something more difficult that you also spend time trying to make easier, which makes no sense.
If you need security then use actual security. Use checks of the principal to authorize or deny access to resources. Obfuscating URLs is no security at all.
So I don't see any problem with using numeric identifiers, or any value in trying to obfuscate them.
Using a hash like MD5 or SHA on the ID is not a good idea:
- There is always the possibility of collisions. That is, two different IDs hash to the same value.
- How are you going to unhash it back to the actual ID?
A better approach if you're set on avoiding incrementing IDs would be to use a GUID, or just a random value when you create the ID.
That said, if your application security relies on people not guessing an ID, that shows some flaws elsewhere in the system. My advice: stick to the plain and easy auto-incrementing ID and apply some proper access control.
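The advice in the last two answers (plain auto-incrementing IDs, a stored random handle instead of a hash if you must hide the sequence, and access decided by the principal rather than by ID secrecy) as an added example; it is not code from any of the answers. The in-memory tables and the invoice rows are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Invoice:
    id: int          # plain auto-incrementing ID, as the answers recommend
    handle: str      # optional random public handle: stored, not derived from id
    owner: str
    total: float

class Forbidden(Exception):
    pass

_INVOICES = {}       # constructed in-memory table: id -> Invoice
_BY_HANDLE = {}      # random handle -> id; a lookup table, so nothing to "unhash"
_next_id = 1

def create_invoice(owner, total):
    """Store a row under a sequential id and under a random handle.
    The handle is random and stored beside the row, so neither objection to
    MD5(id) applies: there is no collision between ids and no reversal needed."""
    global _next_id
    inv = Invoice(_next_id, secrets.token_urlsafe(16), owner, total)
    _INVOICES[inv.id] = inv
    _BY_HANDLE[inv.handle] = inv.id
    _next_id += 1
    return inv

def get_invoice(principal, key):
    """Authorize by principal, never by secrecy of the key.
    `key` may be the sequential id or the random handle; either way the caller
    must own the row, so a guessed or leaked id gains an attacker nothing."""
    invoice_id = _BY_HANDLE.get(key, key) if isinstance(key, str) else key
    inv = _INVOICES.get(invoice_id)
    if inv is None or inv.owner != principal:
        # Same outcome for "does not exist" and "not yours": the error must not
        # reveal whether an id is in use.
        raise Forbidden(f"{principal} may not access invoice {key!r}")
    return inv

def can_read(principal, key):
    """Boolean form of the check, suitable for a route guard."""
    try:
        get_invoice(principal, key)
        return True
    except Forbidden:
        return False
```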