views:

60

answers:

2

I'm setting up a login system for a site and someone suggested using openID instead.

In my current setup, I log users' login attempts into a db table. When using openID, would I still be able to have that fine-grained control or not?

+2  A: 

Yes, but it's more complex than what you may be used to.

Typically, you will have a login page on your web site where you ask the user to enter his identifier (the user-supplied identifier, which can be the identifier the user claims to own or something like http://yahoo.com, where the user will be taken to the provider's website and the provider will help him select the identifier he will claim to own). By the time the user submits this form, you can log that into the database.

Now, the user will be taken to the OpenID provider's website. He can now do three things:

  • Abort it by pressing the back button, close the browser, whatever. In this case, you will get no feedback whatsoever, so there's nothing for you to log.
  • Ask the OpenID provider to be taken back to the website without authentication. The OpenID provider should, in this case, redirect the user so that a negative assertion is made. You can detect this (and log it), but the specification does not require the providers to have this behaviors.
  • The user can successfully authenticate with the provider and you get a positive assertion. In this case, the login may be successful (if the positive assertion is verified with success) or not; in either case, you can know (and log it).

Finally, you may receive an unsolicited positive assertion or negative assertion, i.e., an assertion that was not initiated by your website. You can reject these or verify the positive assertions, but any case, you can log them.

Artefacto
A: 

Sure thing. Any easy way is to use Janrain's Engage with account mapping: http://www.janrain.com/products/engage

bkkissel