2

I would like to use OpenID on my site to allow user registration using Google, Twitter, Facebook... I have seen a lot of libraries to implement that in PHP but I have some doubts, especially because my site requests some info when a user signs up:

  1. ID generated by the system. When a user signs up with OpenID, EVERY service generates an ID, and what is it like?
  2. Username. What about it, do I need to ask the user for it?
  3. Password. I don't think that Google gives me the password of an account; do I need to ask the user for it?
  4. Email. I think there aren't problems with it.

Another thing: I noticed that a lot of sites that use OpenID or similar write "login/sign in" and not "sign up". With OpenID, can I set up a sign up, or only a sign in that works as long as the user is connected to the service?

Matteo Pagliazzi

1 Answer

5

OpenID works like this:

  1. Users go to your website
  2. They have the option to 'log in' with an account they already have with another service
  3. They click to log in with the other service, they are redirected to that service, with the URL of your site page appended to the request
  4. They log in (if not already logged in) to the service, which then asks them whether they want to allow authorization to share details with your site
  5. If the user approves authorization, they are redirected to the return (originating) URL on your site. The service they used to sign in with then, depending on the service and what the user allows, also sends information on the user to your site with the redirect
  6. When your site picks up this information, it can then process the user as having logged in (or being rejected)

There is a lot of information on the web about how this process works and how you can handle it:

http://openid.net/developers/

http://www.windley.com/archives/2006/04/how_does_openid.shtml

http://tinisles.blogspot.com/2008/02/how-does-openid-work.html

I would also suggest searching SO:

How does OpenID authentication work?

You can even see that those people who built SO itself have covered the issue:

http://www.codinghorror.com/blog/2008/05/openid-does-the-world-really-need-yet-another-username-and-password.html

If you want to use the service for registration purposes, note that you are limited to only getting information defined by the framework that the user also elects to share (e.g. location, name, email etc). As such it should be used either for users to log in via another service (i.e. Google etc), OR to populate some shared fields of a registration form 'automatically'; however, this is a semi-redundant use of the service. I would recommend restricting it to sign-in only; you should keep any proprietary registration process separate.

Community
SW4
  • Perfect. So if I choose the sign-in purpose, the users must always sign in using the same service, right? – Matteo Pagliazzi Oct 17 '11 at 14:40
  • No, they can sign in with any OpenID service you support on your site (basically a series of links, their response is the same structure) - they aren't limited to electing for the same one :) – SW4 Oct 17 '11 at 14:47
  • Yes, but how can I recognize the user xy signed in with Facebook as the same one signed in with Twitter if they haven't the same email? And for returning users, do I need to create a different MySQL table for each type of user, or does OpenID send an ID or something similar related to the user and unique for each service? – Matteo Pagliazzi Oct 17 '11 at 15:08
  • It sounds like you need to look at exactly what information you need from your users vs what requirements your site has, if you have more complex access permissions or requirements regarding what information you store about your users, the simplicity of OpenID is likely not the way forward. – SW4 Oct 17 '11 at 15:22
  • OK, one last thing. What about cookies? Can I use normal cookies, or do I need, for example, to use the cookie the service generated? – Matteo Pagliazzi Oct 17 '11 at 15:35
  • Cookies are domain specific so you will need to set your own once you receive the incoming data response from the OpenID provider – SW4 Oct 17 '11 at 15:36
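One way to store what the provider returns, as an added example that is not part of the original answer or comments: each verified identifier is keyed by provider and mapped to a system-generated local user id, a second provider is attached only while the user is already signed in (not by matching emails), and the site issues its own session cookie. It assumes your OpenID library has already verified the response; the table names, function names, provider labels and identifiers are hypothetical.

```php
<?php
declare(strict_types=1);
// SQLite in memory keeps the example self-contained; the schema carries over to MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT)');
$db->exec('CREATE TABLE identities (
    provider TEXT NOT NULL, claimed_id TEXT NOT NULL,
    user_id INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, claimed_id))');

// Map a verified external identity to a local user id. $linkTo is the id of a user
// who is already signed in locally and is adding another provider (null otherwise).
function resolveUser(PDO $db, string $provider, string $claimedId, ?int $linkTo = null): int
{
    $find = $db->prepare('SELECT user_id FROM identities WHERE provider = ? AND claimed_id = ?');
    $find->execute([$provider, $claimedId]);
    $found = $find->fetchColumn();
    if ($found !== false) {
        if ($linkTo !== null && (int) $found !== $linkTo) {
            throw new RuntimeException('identity already linked to another account');
        }
        return (int) $found;                 // returning user
    }
    if ($linkTo === null) {                  // first visit: new local account, no password stored
        $db->exec('INSERT INTO users (username) VALUES (NULL)');
        $linkTo = (int) $db->lastInsertId();
    }
    $db->prepare('INSERT INTO identities (provider, claimed_id, user_id) VALUES (?, ?, ?)')
       ->execute([$provider, $claimedId, $linkTo]);
    return $linkTo;
}

// Issue the site's own session cookie; call this in the web request that handled the return URL.
function startLocalSession(int $userId): void
{
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);             // fresh session id after login (fixation defence)
    $_SESSION['user_id'] = $userId;
}

// Constructed identifiers for illustration only.
$first  = resolveUser($db, 'google', 'https://idp-a.example/id?id=abc123');
$again  = resolveUser($db, 'google', 'https://idp-a.example/id?id=abc123');
$linked = resolveUser($db, 'facebook', 'https://idp-b.example/u/42', $first);
var_dump($first === $again, $first === $linked);
```

The `username` column is left empty at creation so the site can ask the user for one after the first sign-in.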