CODEWITHSUNDEEP
phpopenid
SuperMan
SuperMan

Reputation: 3584

OpenID Redirection

I would like to implement OpenID on my website, but I would like to know if it is possible for me to request the OpenID URL AND password as well. For example,

OpenID URL: [ ] OpenID Password: [ ]

Instead of redirecting it to the provider (eg: myopenid.com), I would like to directly submit the information from my page to the provider server directly, for authentication.

Is this possible? If so, how? Thanks!

P.S: I'm using PHP

Edit: This is a class project where in we are implementing a login solution where a user enters only a PIN number instead of [Open ID URL & Password]. This is stored securely, so we don't need to worry about security. Therefore we need a solution to submit the OpenID URL and Password from a secure database, and submitting it to the OpenID provider.

Upvotes: 1

Views: 222

Answers (4)

cweiske
cweiske

Reputation: 31088

I don't even have an OpenID password since I login with a SSL client certificate. So there would be no point for you asking for my password.

Upvotes: 0

xDD
xDD

Reputation: 3453

Well that sounds dangerous. How do people logging in know that you are not looking at their passwords?

Sure you could do it in theory, but no sane user would use your website. :)

Edit because of your edit:

This is stored securely, so we don't need to worry about security.

What does securely mean? Surely you can retrieve it if you want to be able to send it to an OpenID provider. In this case what stops an attacker that hacked into your system from retrieving other user's passwords. And even worse, if you have a turn of fate you could just use that info for your own purposes.

Therefore we need a solution to submit the OpenID URL and Password from a secure database, and submitting it to the OpenID provider.

If you were able to do that, the database would not be secure (i.e. from you).

Upvotes: 1

mousio
mousio

Reputation: 10337

With OpenID, passwords are never shared with any websites. What you are trying to do sounds dangerous and would not seem trustworthy to me.

One of the benefits of using OpenID is that users are able to choose how much web sites get to see about them. This means that web sites that take advantage of OpenID won't bother them for the same information over and over again, so that it is faster and easier to sign in. If you require them to enter their password everytime, you also lose that benefit.

With OpenID you only give your password to your OpenID provider, and then your provider tells the websites you're visiting that you are who you say you are. No website other than your provider ever sees your password, so you don't have to worry about an insecure website compromising your identity…

Upvotes: 3

dog
dog

Reputation: 410

No it is not.

The goal of OpenID is to prevent a site owner from knowing a users password. Everyone who decides to use OpenID knows this and would not use your form.

Also making the assumption that there is only a password associated with an OpenID is wrong. It could be anything - e.g. it is Username/Password for Google, another provider could also use a token...

Upvotes: 6

Related Questions