Reputation: 6345
If I understand correctly, if the user approves the authentication, Google takes the user to the location specified in openid.return_to. Does that mean openid.return_to could be the URL to the members' area? Does Google create a cookie or something to indicate that the user has passed authentication? If not, how do I tell if a user arriving at the members' area is indeed a genuine Google user logged in via OpenID?
Upvotes: 1
Views: 480
Reputation: 4715
After returning to the URL, you are supposed to verify that it does indeed come from Google. Then, if the verification is successful, you can assume that the user's logged in. Otherwise, the user has either canceled the authentication, sent a fake assertion, or something simply went wrong with the authentication process.
As for it being a URL to the members' area - it can be any URL, but the fact that it has been accessed doesn't mean that a user is logged in. Again, you have to verify it first.
It is a pretty complicated process, and depends on previous steps in authentication, so unless you want to read the specification, it would be best to use an OpenID library to do that.
Upvotes: 1
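The verification the answer refers to, shown as an added example (not code from the answer or from any OpenID library): the checks an OpenID 2.0 relying party applies to the parameters received at `openid.return_to` before it treats the visitor as logged in. It assumes an association with an HMAC-SHA256 key was set up with the provider in an earlier step; the URLs, key, identifier and function names are constructed for illustration.

```python
import base64, hashlib, hmac

# Constructed sample values (assumptions, not taken from the page).
MAC_KEY = b"constructed-association-key"
RETURN_TO = "https://rp.example/openid/return"
OP_ENDPOINT = "https://op.example/openid"
# Fields that must be covered by the signature before they are trusted.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def sign(params, mac_key):
    """Base64 HMAC-SHA256 over one 'name:value' line per field in openid.signed."""
    kv = "".join(f"{n}:{params['openid.' + n]}\n"
                 for n in params["openid.signed"].split(","))
    mac = hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_assertion(params, return_to, op_endpoint, mac_key, seen_nonces):
    """Return (ok, detail); detail is the claimed identifier when ok is True."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion (cancelled or error)"
    signed = set(params.get("openid.signed", "").split(","))
    if REQUIRED_SIGNED - signed:
        return False, "required field not covered by signature"
    if any("openid." + n not in params for n in signed):
        return False, "signed field missing from response"
    if params["openid.return_to"] != return_to:
        return False, "return_to does not match the request we sent"
    if params["openid.op_endpoint"] != op_endpoint:
        return False, "assertion names an unexpected provider endpoint"
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed nonce"
    expected = sign(params, mac_key).encode()
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return False, "bad signature"
    seen_nonces.add(nonce)  # record only after every check has passed
    return True, params["openid.claimed_id"]

def sample_response():
    """Constructed positive assertion, signed the way the provider would."""
    p = {"openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
         "openid.return_to": RETURN_TO, "openid.assoc_handle": "handle-1",
         "openid.claimed_id": "https://op.example/id/alice",
         "openid.identity": "https://op.example/id/alice",
         "openid.response_nonce": "2024-01-01T00:00:00Zabc123",
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                          "response_nonce,assoc_handle"}
    p["openid.sig"] = sign(p, MAC_KEY)
    return p
```

Only after `verify_assertion` returns `True` should the application create its own session for the returned identifier. Discovery on the claimed identifier, which the specification also requires, is not shown here.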