Suppose I'm trying to implement OpenId as a relying party in my n-tier web site, which uses web services. Please tell me if some steps seem strange.

1) I want the user to enter their OpenId url in a textbox. ex: http://vidalsasoon.myopenid.com

2) The user then clicks submit where the entered Url is sent to my web service using the OpenId api. With the OpenId API on the server, I can build a proper OpenId request.

3) User receives the Url where he should get authenticated.

4) User gets redirected to their provider, logs in, and gets redirected back to my web site.

CONFUSION HERE: Now steps 2 - 4 happen between the user and the provider. My web service is not involved during these steps.

I would like the user to then send their desired username and OpenId back to the web service at this point. The problem is: how can I know that the user/client hasn't tampered with them?

A: 

There are two ways you can verify that the user has properly authenticated.

  1. Establish a shared secret between yourself and the OpenID provider. When the user logs in to the provider, it shares the secret with them, who in turn shares the secret with you, which you can then validate against the original shared secret.

  2. Through OpenID's check_authentication spec. Make this call once the user has passed you information in order to verify it. Link to Spec

Michael
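The question's worry (a browser-relayed assertion that the client could have edited) and the answer's first option (a secret shared only between the relying party and the provider) are what the signature on an OpenID 2.0 positive assertion is for. The example below is added here and is not code from the question, the answer or any OpenID library: it models the relying party's server-side check of an `openid.mode=id_res` response, recomputing the HMAC over the `openid.signed` fields with the MAC key stored for the association handle, then rejecting a `return_to` or `op_endpoint` that does not match what the relying party discovered, and a `response_nonce` that is stale or has been seen before. The association table, endpoint URLs, MAC key and `make_signed_assertion` helper (which plays the provider's role so the example runs offline) are constructed values and names assumed for the example. When the handle is unknown (stateless mode), the relying party would instead send the fields to the provider in a direct `check_authentication` request, which is the answer's second option and is not shown because it needs a network round trip.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed association state: what the relying party stored when it set up an
# association with the provider. Assumed handle, endpoint and MAC key.
ASSOCIATIONS = {
    "assoc-handle-example": {
        "assoc_type": "HMAC-SHA256",
        "mac_key": bytes(range(32)),  # constructed 256-bit MAC key
        "op_endpoint": "https://op.example.com/server",
    }
}
RETURN_TO = "https://rp.example.com/openid/return"  # assumed relying-party return URL
NONCE_MAX_AGE = timedelta(minutes=5)
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed clock for the demo


def kv_form(params, signed_fields):
    """Key-value form of the signed fields: 'name:value\\n' per field, in signed order."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_fields)


def compute_sig(params, signed_fields, assoc):
    """HMAC over the key-value form with the association's MAC key, base64 encoded."""
    digestmod = hashlib.sha256 if assoc["assoc_type"] == "HMAC-SHA256" else hashlib.sha1
    mac = hmac.new(assoc["mac_key"], kv_form(params, signed_fields).encode("utf-8"), digestmod)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_assertion(params, now, associations=ASSOCIATIONS, seen_nonces=None):
    """Return (ok, claimed_id_or_reason) for a positive assertion relayed by the browser."""
    seen_nonces = seen_nonces if seen_nonces is not None else set()
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    assoc = associations.get(params.get("openid.assoc_handle"))
    if assoc is None:
        # Stateless fallback would go here: direct check_authentication request to the OP.
        return False, "unknown association handle"
    if params.get("openid.op_endpoint") != assoc["op_endpoint"]:
        return False, "op_endpoint mismatch"
    if params.get("openid.return_to") != RETURN_TO:
        return False, "return_to mismatch"
    signed = params.get("openid.signed", "").split(",")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    # claimed_id and identity must be signed whenever they are present.
    required |= {f for f in ("claimed_id", "identity") if ("openid." + f) in params}
    if not required.issubset(signed) or any(("openid." + f) not in params for f in signed):
        return False, "signature does not cover required fields"
    expected = compute_sig(params, signed, assoc)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "bad signature"  # any edit to a signed field lands here
    nonce = params["openid.response_nonce"]  # UTC timestamp + unique suffix
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > NONCE_MAX_AGE:
        return False, "nonce too old"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]


def make_signed_assertion(claimed_id, nonce, assoc_handle="assoc-handle-example"):
    """Constructed stand-in for the provider: builds and signs an id_res response."""
    assoc = ASSOCIATIONS[assoc_handle]
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": assoc["op_endpoint"],
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = compute_sig(params, signed, assoc)
    return params


def demo():
    """Genuine assertion, its replay, and a tampered claimed_id, checked in turn."""
    nonces = set()
    genuine = make_signed_assertion("http://vidalsasoon.myopenid.com/", "2024-01-01T12:00:00Zabc123")
    first = verify_assertion(genuine, FIXED_NOW, seen_nonces=nonces)
    replay = verify_assertion(genuine, FIXED_NOW, seen_nonces=nonces)
    tampered = dict(make_signed_assertion("http://vidalsasoon.myopenid.com/", "2024-01-01T12:00:00Zxyz"))
    tampered["openid.claimed_id"] = "http://someone-else.example/"
    forged = verify_assertion(tampered, FIXED_NOW, seen_nonces=set())
    return first, replay, forged


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The username the user picks can simply be posted alongside the assertion: it needs no protection, because the only thing the service trusts is the `claimed_id` recovered from a response whose signature verified and whose nonce was fresh.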