tags:

views:

151

answers:

3
+1  Q: 

Implementing OpenID

Following this tuto:

http://www.plaxo.com/api/openid_recipe

One of the steps is:

Need to look up whether the OpenID entered already belongs to an existing user on your site

My problem:

what's the OpenID like for a gmail account(I've no other OP account yet)? It seems to me that OpenID = https://www.google.com/accounts/o8/id for gmail, but how can I use that to look up since it's the same for all users?

+3  A: 

It's actually https://www.google.com/accounts/o8/id?id=XXXXXXXX for some unique string XXXXXXXX on the end that corresponds to the user.

From further down in the page you linked:

When the OpenID provider redirects to your return_to URL, they will add a bunch of additional query string parameters that contain the information needed to verify the user's authentication with this OpenID. Depending on the OpenID library you're using, you may need to gather these up into a data structure to pass in to the verification function, or it may do it for you.

One of those is that string. From the Google OpenID documentation:

A Google-supplied identifier, which has no relationship to the user's actual Google account name or password, is appended as the query parameter openid.claimed_id.

Amber  2010-04-28 05:48:22
Does this hold: `xxxxx` = `[email protected]` ?
openid  2010-04-28 05:53:25
No. It holds a hash string that doesn't correspond to any particular user information, the only guarantee is that the same user will have the same hash string.
Amber  2010-04-28 05:54:10
Also, you may wish to look at google's own documentation: http://code.google.com/apis/accounts/docs/OpenID.html - relevant quote, "A Google-supplied identifier, which has no relationship to the user's actual Google account name or password, is appended as the query parameter openid.claimed_id."
Amber  2010-04-28 05:55:06
I tried that hash string, but still have to go to gmail to sign in. Say,what's the benefit to append an additional `xxxxx` ?
openid  2010-04-28 06:00:22
Is it because of SO didn't implement this feature?
openid  2010-04-28 06:06:11
@Dav ...same user will have the same hash string for the same site - your hash strings for SO and meta.SO would be different. This is for improved privacy it seems.
Amarghosh  2010-04-28 06:11:00
@openid: "I tried that hash string, but still have to go to gmail to sign in." - you will ALWAYS need to go to gmail to sign in; that's *how OpenID works*. The signin is done by the openid provider; the reason you do it is to prevent having to create a separate login username/password for each site.
Amber  2010-04-28 06:14:11
@Amarghosh: correct, I didn't mention the site part but yes.
Amber  2010-04-28 06:14:33
I thought the hash string is used for direct login,seems I'm wrong?
openid  2010-04-28 06:25:17
No, the hash is part of the per-user identifier. OpenID does not support direct login (and supplying repeated-use login credentials via a URI would be rather insecure).
Amber  2010-04-28 07:57:21
A: 

https://www.google.com/accounts/o8/id is what you use for login. Upon a successful login, the response from Google will contain the long unique url (with hash) in the openid.claimed_id variable; that is the one you should store in your db and compare to know if it is a new user or an existing one.

In other openid providers like myopenid, both (login url and the claimed_id) are same.

Amarghosh  2010-04-28 06:44:00
But the tuto I posted seems to say that OpenID can be got before redirect to gmail?
openid  2010-04-28 06:54:49
The page isn't accessible here; but yeah, as I said, in the case of other providers like myopenid etc, you can get the unique id before redirection: but how can you confirm that user is not lying - you can confirm the identity only based on the response from the openid provider, be it google or myopenid.
Amarghosh  2010-04-28 07:04:50
That's exactly what I think!
openid  2010-04-28 07:10:19
A: 

The key distinction here is that https://www.google.com/accounts/o8/id is not an OpenID identifier, not in the way that the tutorial means. Because, as you've noted, it's the same for all users. In the terminology of the specification, it is an "OP Identifier", it identifies the provider (Google), not a user.

This practice (entering the provider's identifier instead of the user's) wasn't common at the time A Recipe for OpenID-Enabling Your Site was written. When using this flow, you don't have an identifier for the user until the user is redirected back to your site from the provider with an id_res response.

As an aside, Google does offer more legible identifier URLs now. If you've set up your Google Profile, your profile page (http://www.google.com/profiles/myProfileName) is an OpenID too. Unlike the /accounts/o8/id identifiers, this one is stable across all the sites you use it with, no funky hash string involved.

keturn  2010-05-02 18:21:38

related questions

how to get login credentials by openId?
OpenID Migration
PHP Tutorial for OpenId and OAuth
OpenID login workflow?
OpenID support for Ruby on Rails application
Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
What is the benefit of using ONLY OpenID authentication on a site?
Problems with migrating Cardspace cards between computers
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
How do I enable open id on a Java Webapp?
What would it take to make OpenID mainstream?
What's the best .NET library for OpenID and ASP.NET MVC?
Useful browser plugins for openid authentication?
How do I implement an OpenID server in Rails?
How do I implement OpenID in my web application?
Why is HTML form redirection used in OpenID 2?
How do you set up an OpenID provider (server) in Ubuntu?
OpenID as a Single Sign On option??
Should my website abandon username/password authentication in favor of OpenID?
OpenID authentication in ASP.NET?
Open ID - What happens when you decide you don't like your existing provider?
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
How do I use more than one OpenID?