Bug in NUS OpenID

Update (Jul 16): This bug has been patched by Wai Peng.

While integrating Feedbaker with NUS OpenID, I ran into some problems with mapping the OpenID identity to a unique user in the app’s user database. I found out that NUS OpenID accepts the NUSNET id both with and without the network domain, and depending on whether the domain is entered, the system returns a different OpenID identity.

For example, if I were to log in with “a0123456” as my NUSNET id, my OpenID identity would rightly be “https://openid.nus.edu.sg/a0123456”.

However, if I log in using “nusstu\a0123456” as my NUSNET id, I end up getting a different identity.

You are logged in as https://openid.nus.edu.sg/nusstu\a0123456.

When this happens, third-party applications that make use of NUS as an OpenID provider would identify this user as a different unique user.

After sending in a bug report to the NUS OpenID Developers group, I got a reply from Wai Peng, systems engineer from NUS SoC.

Thanks for finding this. It is _not_ desirable behaviour. I should probably code some checks into this. Will update when I fix it.

Meanwhile, as a temporary fix for the Feedbaker app, I decided to just replace out the domain portion of the identity.

openid = identifier.replace(/\/[^\/]*\\/, '/');
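
A stricter version of the same workaround, as an added example (not the Feedbaker code): it only rewrites identities under the NUS provider prefix shown above and returns null for anything it cannot map to a single canonical form. The function names, the percent-encoded backslash handling and the alphanumeric id check are assumptions, and the sample identities are constructed.

```javascript
// Added example: canonicalise an NUS OpenID identity before using it as a user key.
const NUS_PREFIX = 'https://openid.nus.edu.sg/'; // provider base URL as shown in the post

// Returns the canonical identity URL, or null when the identifier is not one
// we know how to map (other provider, empty id, unexpected characters).
function canonicalNusIdentity(identifier) {
  if (typeof identifier !== 'string' || !identifier.startsWith(NUS_PREFIX)) {
    return null; // never rewrite identities issued by another provider
  }
  let local = identifier.slice(NUS_PREFIX.length);
  // Assumption: a library in between may percent-encode the backslash.
  local = local.replace(/%5c/gi, '\\');
  // Accept "id" or "domain\id"; more than one backslash is not a known form.
  const parts = local.split('\\');
  if (parts.length > 2) return null;
  // Assumption: NUSNET ids and network domains are plain alphanumerics.
  const token = /^[A-Za-z0-9]+$/;
  if (!parts.every((p) => token.test(p))) return null;
  return NUS_PREFIX + parts[parts.length - 1];
}

// Hypothetical in-memory user store keyed by the canonical identity.
const users = new Map();

function findOrCreateUser(identifier) {
  const key = canonicalNusIdentity(identifier);
  if (key === null) throw new Error('unrecognised OpenID identity');
  if (!users.has(key)) users.set(key, { id: users.size + 1, openid: key });
  return users.get(key);
}

// Constructed sample identities: both spellings resolve to the same user.
const plain = findOrCreateUser('https://openid.nus.edu.sg/a0123456');
const withDomain = findOrCreateUser('https://openid.nus.edu.sg/nusstu\\a0123456');
console.log(plain === withDomain, users.size);
```

Unlike the one-line replace, an identity from another provider that happens to contain a backslash is rejected rather than silently rewritten.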