I have a requirement where the login page opens up the main page in a popup.

This is how I handled it in normal authentication:

<http>
...
<form-login login-page="/Login.html" authentication-failure-url="/LoginHandler.jsp" always-use-default-target="false" default-target-url="/LoginHandler.jsp"/>
...
</http>

The login page creates an Ajax call (internally using GWT's RequestBuilder) and reads the response HTML page. So, if LoginHandler.jsp contains "success", the login is a success, or if LoginHandler.jsp contains "failure", the login has failed.

In either case, Login.html is aware of authentication failure or success and opens a popup containing the main screen on success.

Now, I need to make my system support OpenID. If I understand well, OpenID authentication works in the following manner: if it succeeds, it will open the success URL (mostly LoginHandler.jsp in my case). However, if it fails, it opens up the target server's login screen (e.g. Google's login screen). How do I design my code to work in this scenario?

This is my config:

<openid-login authentication-failure-url="/LoginHandler.jsp" default-target-url="/LoginHandler.jsp" user-service-ref="openIdUserService"/>

Here is how I am logging in using RequestBuilder:

// Encode values for sending as a POST request. Each value is form-encoded so that
// characters such as '&', '=' or '+' in the credentials cannot alter the request body.
String postData = "j_username=" + URL.encodeQueryString(username)
     + "&j_password=" + URL.encodeQueryString(password)
     + ((isRemembered) ? "&_spring_security_remember_me=on" : "");
String serverUrl = URL.encode("j_spring_security_check");

/*
 * Authenticate the user using a request builder to send the request to the server.
 * <p>On successful authentication, open the main screen in a popup.
 */
try
{
    // serverUrl is already encoded above; encoding it a second time is unnecessary.
    RequestBuilder requestBuilder = new RequestBuilder(RequestBuilder.POST, serverUrl);
    requestBuilder.setHeader("Content-Type", "application/x-www-form-urlencoded");
    requestBuilder.sendRequest(postData, new RequestCallback()
    {
        public void onError(Request request, Throwable exception)
        {
            //Do nothing
        }

        public void onResponseReceived(Request request, Response response)
        {
            String responseText = response.getText();
            int markerStart = responseText.indexOf(startMessageIndicator);
            int indexStart = markerStart + startMessageIndicator.length();
            int indexEnd = responseText.indexOf(endMessageIndicator);

            // If the markers are missing, the response is not LoginHandler.jsp;
            // substring() would otherwise throw or return unrelated text.
            if (markerStart < 0 || indexEnd < indexStart)
            {
                return;
            }
            String text = responseText.substring(indexStart, indexEnd);

            //Login was a success
            if (text.contains(successMessageIndicator))
            {
                //Woophie !! code for success comes here.
            }
            else if (text.contains(errorMessageIndicator))
            {
                //Ooops ! get the error message encoded in the page
            }
        }
    });
}
catch (RequestException e)
{
    //Do nothing
}

Is there any way to use the same approach to do OpenID-based authentication?

+2  A: 

OpenID doesn't work as you describe. The user enters their OpenID identifier on your site, and will always be redirected to the OpenID Provider's (OP's) site for verification. Once verified, the user will be redirected back to your site. They cannot enter both their OpenID identifier and the password expected by the OP on your site, like they can with traditional username/password form authentication. Hope that helps!

Peter Mularien
I successfully implemented OpenID that authenticates a user; I am not able to figure out how to do it in an Ajax-based style.
Salvin Francis
Listen to Peter. There MUST be a redirection from the provider to your site.
vidalsasoon
There is a redirection probably; however, that's entirely managed by Spring. I am not sure how I fit in my approach here...
Salvin Francis
When OpenID authenticates a user, you will ALWAYS get redirected to the OP site for the user to authenticate with a password. Once they have authenticated, and the OP returns the signed authentication assertion, then your application can do whatever it wants (set a cookie, etc.), but at that point you are outside of the realm of OpenID and into something like "remember me" authentication.
Peter Mularien
+1  A: 

I'm not sure if the above answer is accurate because I log into SO with OpenID, and it never redirects me anywhere. I guess this is because it keeps my OpenID password in a cookie, and only redirects me if it doesn't work. I don't really know how all this works though.

GregT
Hmm, I don't think it's using a cookie... I am able to successfully authenticate using the request builder method; however, when the user is not logged in, the response is Google's login page. I have not yet cracked how I get the URL out of this response object....
Salvin Francis
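
An added example, not part of the original question or answers: one way the login page can handle the case Peter Mularien's answer describes, where the Ajax response is the OpenID Provider's page rather than LoginHandler.jsp. It is written in plain JavaScript rather than GWT Java so it runs stand-alone; the marker strings, the `/openid/start` URL and the function names are assumptions.

```javascript
// Added example. Marker strings are constructed stand-ins for the question's
// startMessageIndicator / endMessageIndicator / successMessageIndicator /
// errorMessageIndicator; the real values are not shown on the page.
const MARKERS = {
  start: "<!--LOGIN_RESULT:",
  end: ":LOGIN_RESULT-->",
  success: "success",
  error: "failure",
};

// Classify the body of an XHR login response without assuming it is our page.
function classifyLoginResponse(status, body, m = MARKERS) {
  if (status !== 200 || typeof body !== "string") return { kind: "transport-error" };
  const s = body.indexOf(m.start);
  const e = s < 0 ? -1 : body.indexOf(m.end, s + m.start.length);
  // No well-formed marker block: this is not LoginHandler.jsp. In an OpenID
  // flow that is the expected case, because the provider's page comes back.
  if (s < 0 || e < 0) return { kind: "not-our-page" };
  const text = body.slice(s + m.start.length, e);
  if (text.includes(m.success)) return { kind: "success" };
  if (text.includes(m.error)) return { kind: "failure", message: text.trim() };
  return { kind: "not-our-page" };
}

// Decide what the login page does next. openIdStartUrl is a hypothetical
// same-origin URL that begins the OpenID redirect.
function nextAction(result, openIdStartUrl) {
  switch (result.kind) {
    case "success": return { action: "open-main-popup" };
    case "failure": return { action: "show-error", message: result.message };
    case "not-our-page":
      // Never render or scrape the foreign HTML; restart as a full-page
      // navigation so the user sees the provider's real origin.
      return { action: "navigate-top-level", url: openIdStartUrl };
    default: return { action: "show-error", message: "Login request failed" };
  }
}

// Constructed sample responses.
const okBody = "<html><!--LOGIN_RESULT:success:LOGIN_RESULT--></html>";
const badBody = "<html><!--LOGIN_RESULT:failure: Bad credentials:LOGIN_RESULT--></html>";
const providerBody = "<html><title>Sign in</title><form action='/ServiceLogin'></form></html>";
for (const b of [okBody, badBody, providerBody]) {
  console.log(nextAction(classifyLoginResponse(200, b), "/openid/start"));
}
```

The provider's page is never parsed for a URL or a result; the only decision made from it is that the login has to continue as a top-level redirect.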