How does OpenID work?

Can someone help me understand how OpenID works? I am interested in the following answers:

  • Do you still need to store user IDs and passwords when using OpenId?
  • How does my application create a new session when a user logs in?
  • When users log out of the application, do I need to do anything besides clearing the session data? Do I need to inform the OpenID server?
+6
openid
2 answers

I recently built an OpenID authentication system; here is how it works.

Login:

  • The user enters an OpenID URL (not necessarily unique).
  • The OpenID provider checks it and, on success, returns a unique OpenID URL.
  • Put this URL in the session.

Authenticating requests:

There is a table that maps the OpenID URL to the user.

For each request:

  • Look for the OpenID URL in the session.
  • If it exists, find the user entry and attach it to the request.
  • Process the request.

Do you still need to store user IDs and passwords when using OpenID?

User IDs yes, passwords no (unless you offer login methods other than OpenID).

How does my application detect and create a new session when someone logs in?

Sessions are handled as usual; there are sessions for both authenticated and unauthenticated users.

When I log out of my own application, do I need to do anything more than just clear the session in my application? (Do I need to tell the OpenID server?)

Nope.

+3
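The login / per-request / logout flow described in this answer, as an added example in plain Python (not code from the answer's author): the provider check is replaced by a constructed `ProviderResult`, and the `USERS` dict stands in for the table that maps the OpenID URL to a local user record.

```python
# Added example of the flow above. ProviderResult is a constructed stand-in
# for the outcome of the OpenID provider check; in a real application that
# result comes from an OpenID library, never from the URL the user typed.
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse, urlunparse
import itertools


@dataclass
class User:
    user_id: int
    openid_url: str  # verified claimed identifier; no password is stored


@dataclass
class ProviderResult:  # constructed: what the provider check hands back
    success: bool
    claimed_id: Optional[str] = None


_ids = itertools.count(1)
USERS: Dict[str, User] = {}  # openid_url -> local user (the "table")


def normalize(url: str) -> str:
    """Canonicalize an identifier so one person maps to one table row."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    return urlunparse((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", "", ""))


def login(session: dict, result: ProviderResult) -> Optional[User]:
    """On provider success, store the verified URL in the session."""
    if not result.success or not result.claimed_id:
        session.pop("openid_url", None)  # failed check leaves nobody logged in
        return None
    url = normalize(result.claimed_id)
    user = USERS.setdefault(url, User(next(_ids), url))  # create on first login
    session["openid_url"] = url
    return user


def current_user(session: dict) -> Optional[User]:
    """Per request: look for the URL in the session and attach the user."""
    url = session.get("openid_url")
    return USERS.get(url) if url else None


def logout(session: dict) -> None:
    """Logout is local only: clear the session; nothing is sent to the provider."""
    session.clear()
```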

My understanding is this:

  • OpenID lets users log in in a decentralized way. This means that the login credentials are handled by one site, the provider.

  • Your system interacts with the provider to determine whether the user is who they claim to be. If they pass this test, your system logs them in.

  • You still need to store some user information, since data about how they can use your system must be kept on your system.

So, if Google is an OpenID provider, SO can verify that I am logged in to Google and that I am who I say I am. SO then says, fine, this user is hvgotcodes on our system, and gives me the privileges that make sense for who I am on SO.

In response to your specific question about logging out: yes, you still log the user in to your system after the OpenID provider has checked the user's credentials, and therefore you can handle their logout state from your own system.

+3