Reputation: 125
Following this tuto:
http://www.plaxo.com/api/openid_recipe
One of the steps is:
Need to look up whether the OpenID entered already belongs to an existing user on your site
My problem:
What's the OpenID like for a Gmail account (I have no other OP account yet)? It seems to me that the OpenID is https://www.google.com/accounts/o8/id for Gmail, but how can I use that for the lookup, since it's the same for all users?
Upvotes: 1
Views: 1375
Reputation: 4798
The key distinction here is that https://www.google.com/accounts/o8/id is not an OpenID identifier, not in the way that the tutorial means, because, as you've noted, it's the same for all users. In the terminology of the specification, it is an "OP Identifier": it identifies the provider (Google), not a user.
This practice (entering the provider's identifier instead of the user's) wasn't common at the time A Recipe for OpenID-Enabling Your Site was written. When using this flow, you don't have an identifier for the user until the user is redirected back to your site from the provider with an id_res response.
As an aside, Google does offer more legible identifier URLs now. If you've set up your Google Profile, your profile page (http://www.google.com/profiles/myProfileName) is an OpenID too. Unlike the /accounts/o8/id identifiers, this one is stable across all the sites you use it with, with no funky hash string involved.
Upvotes: 1
Reputation: 59461
https://www.google.com/accounts/o8/id is what you use for login. Upon a successful login, the response from Google will contain the long unique URL (with hash) in the openid.claimed_id variable; that is the one you should store in your DB and compare to know if it is a new user or an existing one.
In other OpenID providers like myOpenID, both (the login URL and the claimed_id) are the same.
Upvotes: 1
Reputation: 527248
It's actually https://www.google.com/accounts/o8/id?id=XXXXXXXX for some unique string XXXXXXXX on the end that corresponds to the user.
From further down in the page you linked:
When the OpenID provider redirects to your return_to URL, they will add a bunch of additional query string parameters that contain the information needed to verify the user's authentication with this OpenID. Depending on the OpenID library you're using, you may need to gather these up into a data structure to pass in to the verification function, or it may do it for you.
One of those is that string. From the Google OpenID documentation:
A Google-supplied identifier, which has no relationship to the user's actual Google account name or password, is appended as the query parameter openid.claimed_id.
Upvotes: 3
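The lookup the two answers above describe, as an added example (not code from the thread or from the Plaxo recipe): parse the query string Google appends to return_to, reject anything that is not a positive id_res response or that carries only the bare OP Identifier, then use openid.claimed_id as the key into the user table. It assumes the OpenID library has already verified the response (signature, nonce, return_to), and the id= value in the sample is a constructed placeholder, not a real Google hash.

```python
from urllib.parse import urlparse, parse_qs

# The OP Identifier discussed in the thread: it names Google, not a user.
GOOGLE_OP_IDENTIFIER = "https://www.google.com/accounts/o8/id"


def parse_return_to(url):
    """Flatten the query string the provider appended to return_to into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def claimed_id_from_response(params):
    """Return the per-user identifier from a positive (id_res) response, else None.

    Call this only after the OpenID library has verified the response; until
    then openid.claimed_id is just a query parameter anyone could have set.
    """
    if params.get("openid.mode") != "id_res":
        return None  # cancel/error responses carry no usable identifier
    claimed = params.get("openid.claimed_id")
    if not claimed or claimed.rstrip("/") == GOOGLE_OP_IDENTIFIER:
        return None  # bare OP Identifier: identical for every Google user
    return claimed


def lookup_or_register(users, claimed_id):
    """users maps claimed_id -> user record. Returns (record, created)."""
    if claimed_id in users:
        return users[claimed_id], False
    record = {"claimed_id": claimed_id}
    users[claimed_id] = record
    return record, True


# Constructed sample return_to URL; PLACEHOLDER123 stands in for Google's opaque id.
SAMPLE_RETURN = (
    "https://example.com/openid/return"
    "?openid.mode=id_res"
    "&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DPLACEHOLDER123"
    "&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DPLACEHOLDER123"
)

if __name__ == "__main__":
    users = {}
    cid = claimed_id_from_response(parse_return_to(SAMPLE_RETURN))
    print(cid)
    print(lookup_or_register(users, cid))  # created=True on first login
    print(lookup_or_register(users, cid))  # created=False on the next one
```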