I have recently implemented Google and Yahoo's OpenID endpoints into my authentication system on my site so that users can avoid creating an account on my site. Pretty common practice, right?

I have a specific question though, but first a little background information.

When I get through the three-legged authentication, I use Attribute Exchange to get the user's name and email address. Currently, I am storing their OpenID (a long string that looks like this: https://me.yahoo.com/a/2Z7LplQsnI_DgtAw... followed by a bunch of alphanumeric characters) in a special field in the users table.

Let's say my users table looks like this.

type  id  password                          email             key
1     1   0e9212587d373ca58e9bada0c15e6fe4  [email protected]
2     1   b8d2f4a50d2b364ff2766556ba50da48  [email protected]      https://www.google.com/accounts/o8/id?id=AItOawll6-m_y…
2     2   6687d5d88b359ee1340717ebf0d1afc6  [email protected]     https://www.google.com/accounts/o8/id?id=AItOawm3-C_9…
3     1   fd193c2fa449c9d6dc201d62d5ca86d3  [email protected]     https://me.yahoo.com/a/2Z7LplQsnI_DgtAw…
1     2   2e710b13b3dd787e2b15eab3dde508c2  [email protected]

types
1 = native account
2 = Google OpenID
3 = Yahoo OpenID

When a user logs in with a native account, the email and password are used to authenticate (duh).

When a user uses Google or Yahoo OpenID, then the OpenID (key field) is used to authenticate.

Okay, now that all the background information is out of the way... will it be secure if I forget about storing the OpenID itself and simply use the email I got back from Attribute Exchange to authenticate the user? Can someone spoof the third leg of an OpenID transaction or can I trust that whenever I get [email protected] from the Attribute Exchange portion of an OpenID transaction with Google that it is genuine and not spoofed?

+2  A: 

Such an intentional breaking of the protocol will cause you major headaches in the long run. For instance, consider cases where a user logs in using a custom-built OpenID server, but provides a @gmail.com email address.

The only information guaranteed to be absolutely consistent and reliable after an OpenID authentication exchange is the identity URL.

Yang Zhao
That's exactly what I wanted to know. Thanks!
Joel Verhagen
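As an added illustration of the point made in the answer (this is example code, not from the question, the answer, or any OpenID library): the lookup below mirrors the question's users table and compares the two strategies. `authenticate_by_email` keys on the Attribute Exchange email alone, so an assertion from any OpenID provider that is willing to report a given address lands in that address's account; `authenticate_by_identity` keys on the (type, claimed identifier) pair, which is the only value the protocol binds to the provider that signed the assertion. The sample rows, the `EXAMPLE-*` identifiers, the `https://openid.example.net/` custom provider and the `PROVIDERS` prefix map are all constructed for the demo. The code assumes the OpenID consumer library has already verified the assertion's signature and performed discovery, so `assertion` holds trusted field values; this example is only about what the relying party uses as the database key afterwards.

```python
"""Added example: looking up an OpenID user by identity URL versus by AX email."""
from dataclasses import dataclass
from typing import Optional

# Account types, as in the question's legend
NATIVE, GOOGLE, YAHOO = 1, 2, 3


@dataclass(frozen=True)
class User:
    type: int
    id: int
    email: str
    key: Optional[str] = None  # OpenID claimed identifier for type 2/3 rows


# Constructed rows modelled on the question's users table (password column omitted;
# the identifiers are placeholders, not real Google/Yahoo identifiers).
USERS = [
    User(NATIVE, 1, "alice@example.com"),
    User(GOOGLE, 1, "alice@example.com",
         "https://www.google.com/accounts/o8/id?id=EXAMPLE-GOOGLE-1"),
    User(YAHOO, 1, "bob@example.com",
         "https://me.yahoo.com/a/EXAMPLE-YAHOO-1"),
]

# Assumption for the demo: which account type a claimed identifier prefix maps to.
PROVIDERS = {
    GOOGLE: "https://www.google.com/accounts/o8/id",
    YAHOO: "https://me.yahoo.com/",
}


def provider_for(claimed_id: str) -> Optional[int]:
    """Return the account type whose provider issued this claimed identifier."""
    for ptype, prefix in PROVIDERS.items():
        if claimed_id.startswith(prefix):
            return ptype
    return None  # unknown provider (for example a custom-built OpenID server)


def authenticate_by_email(assertion: dict) -> Optional[User]:
    """The strategy proposed in the question: trust the AX email as the key.

    Any provider that asserts this email (including one the user runs
    themselves) is accepted as that account's owner.
    """
    for u in USERS:
        if u.email == assertion["ax_email"]:
            return u
    return None


def authenticate_by_identity(assertion: dict) -> Optional[User]:
    """The strategy the answer recommends: key on the identity URL.

    The claimed identifier is what the signing provider actually vouches for,
    so a row only matches when both the provider type and the URL agree.
    """
    ptype = provider_for(assertion["claimed_id"])
    if ptype is None:
        return None  # no row can belong to a provider we never stored keys for
    for u in USERS:
        if u.type == ptype and u.key == assertion["claimed_id"]:
            return u
    return None


# Constructed, already-verified assertions
GOOGLE_ASSERTION = {
    "claimed_id": "https://www.google.com/accounts/o8/id?id=EXAMPLE-GOOGLE-1",
    "ax_email": "alice@example.com",
}
CUSTOM_OP_ASSERTION = {
    # A custom OpenID server asserting someone else's address via AX
    "claimed_id": "https://openid.example.net/someone",
    "ax_email": "alice@example.com",
}

if __name__ == "__main__":
    print("by email, custom OP:", authenticate_by_email(CUSTOM_OP_ASSERTION))
    print("by identity, custom OP:", authenticate_by_identity(CUSTOM_OP_ASSERTION))
    print("by identity, Google:", authenticate_by_identity(GOOGLE_ASSERTION))
```

Run stand-alone, the email-keyed lookup returns Alice's Google row for the custom-provider assertion while the identity-keyed lookup returns `None`; only the genuine Google claimed identifier resolves to a row. If you later want one person to sign in with several providers, store one row per claimed identifier (as the question's table already does) and link them to a common account explicitly, rather than inferring the link from the email.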