
ClaimedIdentifier vs FriendlyIdentifier for storing in DB? Which is safer?


I'm using OpenID 2.0 in my application. I need to save the OpenID identifier value in the DB to verify the user. I can save the email too, but saving the ClaimedIdentifier also seems like a good approach.

Why is it safe to use ClaimedIdentifier and not FriendlyIdentifier for storing in the DB? What difference would it make?

I get both values in my application, but many posts say to avoid using FriendlyIdentifier due to security issues. What security issues can ClaimedIdentifier overcome which FriendlyIdentifier cannot?


Solution

  • Figured this one out too. Truncating the OpenID friendly identifier and saving a random string in the DB might cause some scripting issues if someone has replicated the Intuit OpenID URL format and passed some scripting values. It is better to save the full unique claimed identifier value (https) and then fetch and truncate it to match the user.
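An added illustration of the answer's point (example code, not from the post or from DotNetOpenAuth): key the user table on the full, normalised claimed identifier, and derive the truncated, HTML-escaped display form from the stored value only at render time. The sample assertions and the openid.example.com identifiers are constructed.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Constructed sample assertions modelling the two values a relying party gets:
# the full claimed identifier asserted by the provider and its friendly form.
SAMPLE_ASSERTIONS = [
    {"claimed": "https://openid.example.com/Openid/User/1234567890",
     "friendly": "openid.example.com/user/1234567890"},
    # A second account whose identifier differs only in the last digit.
    {"claimed": "https://openid.example.com/Openid/User/1234567891",
     "friendly": "openid.example.com/user/1234567891"},
    # A friendly form carrying markup: it must never reach HTML unescaped.
    {"claimed": "https://openid.example.com/Openid/User/999",
     "friendly": "openid.example.com/user/<script>alert(1)</script>"},
]


def normalize_claimed_identifier(claimed: str) -> str:
    """Canonical form of a claimed identifier, used as the DB key.

    Only https identifiers are accepted. Scheme and host are lower-cased; path,
    query and fragment are kept verbatim, since OpenID 2.0 lets a provider
    append a fragment to distinguish a recycled URL from its previous holder.
    """
    parts = urlsplit(claimed.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"rejecting identifier: {claimed!r}")
    netloc = parts.hostname + (f":{parts.port}" if parts.port not in (None, 443) else "")
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))


def display_name(stored_claimed: str, max_len: int = 40) -> str:
    """Truncate the stored identifier for display and escape it for HTML."""
    shown = stored_claimed[len("https://"):]
    if len(shown) > max_len:
        shown = shown[: max_len - 3] + "..."
    return html.escape(shown, quote=True)


def register_accounts(assertions: list) -> dict:
    """Build a user table keyed by the normalised claimed identifier."""
    users = {}
    for a in assertions:
        key = normalize_claimed_identifier(a["claimed"])
        if key in users:
            raise ValueError(f"identity already registered: {key}")
        # The friendly form is display-only and escaped before it reaches HTML.
        users[key] = {"display": display_name(key),
                      "friendly_html": html.escape(a["friendly"], quote=True)}
    return users
```

Keying on the first 30 characters of the friendly form instead would merge the first two sample accounts into one row, which is the collision the answer warns about.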