2

I'm implementing an OpenID provider and have it running smoothly for standard OpenID requests (where the end-user knows their OpenID URL). However, I want consumers to be able to use the provider without knowing the end-user's OpenID URL up-front; this will be determined when the user logs in.

I found that this is theoretically possible by reading this Stack Overflow question; however, it doesn't provide a lot of detail for me to be able to gather the required information to develop this myself, and the fact that it's DotNet doesn't help.

Can anyone direct me to where I might find more information on how this is set up?

I'm using Zend Framework, but couldn't find any useful information in its documentation.

Naatan

2 Answers

1

An OpenID is a URL, so I don't see how you could log in without knowing it any more than you could log in without knowing a username for traditional authentication.

Having stated that for the record, if your goal is just to help the user along, perhaps you could provide some sort of dropdown that lists common providers, asks for the relevant parts, and allows the user to fill them in?

Since OpenID is decentralized, and any site can become an OpenID, there is no way to predict all the URLs that could be used, but you could certainly cover the popular ones. In fact, this SO post covers them.

An "other" option could allow direct entry of a URL to handle all the other cases.

I'd say that, plus the Zend_OpenId_Consumer/Zend_Auth integration doc would make an excellent place to start.

Kato
  • If you check the link in my post you can see that it is in fact possible. Also I see no reason why a user would need to know his/her openid url, the application with the consumer can simply link to the OpenID endpoint which then authenticates the user interactively and returns their OpenID to the consumer. – Naatan Apr 16 '12 at 17:07
  • Okay, it seems like your terminology is a bit garbled. OpenID is a process, a standard, not a value. What you are calling the OpenID is in fact the return value from the OpenID authentication process. The URL is where you send the user to get authenticated. You have to either ask them for that URL or use some sort of list of providers (thereby limiting which services they can use to authenticate) – Kato Apr 17 '12 at 15:45
  • So the user does not have to provide a URL, but you have to have a provider, and somebody has to know the URL to contact that provider (`define("TEST_SERVER", Zend_OpenId::absoluteURL("example-8.php"));`). Common providers can be predicted, if it's your intention to only provide a limited selection. If I'm using my WordPress blog, for example, as a provider though, you're going to have to ask or generate the provider URL in some fashion. – Kato Apr 17 '12 at 15:52
  • Also, upon reflection, maybe what you're reading into the process is the [`Zend_OpenId_Consumer::check()`](http://framework.zend.com/manual/en/zend.openid.provider.html) method, which checks to see if a user is already logged into a provider. Have a look at that and see if it helps. – Kato Apr 17 '12 at 15:53
  • Thanks Kato, my terminology might indeed be slightly off. My question was about how OpenID requires me to do this though, I already knew it was possible and that I had to provide an end-point. dennisg answered this question pretty well. From the research I've done it appears the Zend OpenID provider does not support the type of OpenID query I want to make, so I'll have to resort to another library. – Naatan Apr 18 '12 at 17:46
  • @Naatan sorry, apparently I was smoking the crack rock yesterday; I didn't read that you were implementing an actual provider (first sentence?). I thought you were trying to force users to connect to authenticate with a provider for some reason. – Kato Apr 18 '12 at 18:07
1

A consumer can specify that the provider "SHOULD choose an Identifier that belongs to the end user". In such a case, the provider will choose the identifier that belongs to the user (i.e. the user logged in to the provider, most likely) and the consumer does not have to provide an OpenID URL. See section 9.1, Request Parameters, item openid.identity on the OpenId specification page. Basically, the parameter openid.identity is set to http://specs.openid.net/auth/2.0/identifier_select.

With regard to your question on how to set this up: for more information you should read the specification of OpenId 2.0. Also, it might be useful to read Google's OpenId developer page.

dennisg
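The identifier_select exchange from the answer above, sketched as an added example; it is not code from the thread or from Zend Framework. The function names and sample URLs are hypothetical, and it assumes the claimed identifier and the provider-local identifier are the same URL (no delegation).

```php
<?php
// Added illustration: hypothetical function names, constructed sample URLs,
// and the assumption that claimed_id equals the provider-local identifier.
const OPENID_NS = 'http://specs.openid.net/auth/2.0';
const IDENTIFIER_SELECT = 'http://specs.openid.net/auth/2.0/identifier_select';
// Consumer side: redirect URL for a request that names no user identifier.
function buildIdentifierSelectRequest(string $opEndpoint, string $returnTo, string $realm): string
{
    $params = [
        'openid.ns'         => OPENID_NS,
        'openid.mode'       => 'checkid_setup',
        'openid.claimed_id' => IDENTIFIER_SELECT,
        'openid.identity'   => IDENTIFIER_SELECT,
        'openid.return_to'  => $returnTo,
        'openid.realm'      => $realm,
    ];
    $sep = (strpos($opEndpoint, '?') === false) ? '?' : '&';
    return $opEndpoint . $sep . http_build_query($params, '', '&');
}

// Provider side: choose the identifier for the positive assertion. $request uses
// the spec's dotted keys (PHP turns dots into underscores in $_GET/$_POST, so map
// them back first). $sessionIdentifier is the logged-in user's identifier or null.
function resolveAssertedIdentity(array $request, ?string $sessionIdentifier): array
{
    if ($sessionIdentifier === null) {
        throw new RuntimeException('user must log in at the provider first');
    }
    $requested = $request['openid.identity'] ?? null;
    if ($requested === null) {
        throw new InvalidArgumentException('openid.identity is missing');
    }
    // Only identifier_select lets the provider pick; any other value must be
    // the logged-in user's own identifier, never one taken on trust.
    if ($requested !== IDENTIFIER_SELECT && $requested !== $sessionIdentifier) {
        throw new RuntimeException('identity does not belong to the logged-in user');
    }
    // Identity fields only; op_endpoint, return_to, response_nonce and the
    // signature fields are added by the signing step, which is not shown.
    return [
        'openid.ns'         => OPENID_NS,
        'openid.mode'       => 'id_res',
        'openid.claimed_id' => $sessionIdentifier,
        'openid.identity'   => $sessionIdentifier,
    ];
}
$url = buildIdentifierSelectRequest('https://op.example/openid', 'https://rp.example/return', 'https://rp.example/');
parse_str(parse_url($url, PHP_URL_QUERY), $q); // keys come back with underscores
print_r(resolveAssertedIdentity(['openid.identity' => $q['openid_identity']], 'https://op.example/users/alice'));
```

Because the consumer did not discover the returned identifier beforehand, section 11.2 of the OpenID 2.0 specification requires it to perform discovery on the `openid.claimed_id` in the response and confirm that this provider is authorized to assert it.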