Using OpenID as the only authentication method

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by iconiK on Stack Overflow See other posts from Stack Overflow or by iconiK
Published on 2010-04-08T17:22:34Z Indexed on 2010/04/08 18:03 UTC
Read the original article Hit count: 407

Filed under:
|
|

I have read the other questions and they mostly talk about the security of doing so. That's not entirely my concern, mostly because the website is question is a browser-based game. However, the larger issue is the user - not every user is literate enough to understand OpenID. Sure RPX makes this pretty easy, which is what I'll use, but what if the user does not have an account at Google or Facebook or whatever, or does not trust the system to log in with an existing account? They'd have to get an account at another provide - I'm sure most will know how to do it, let alone be bothered to do it.

There is also the problem of how to manage it in the application. A user might want to use multiple identities with a single account, so it's not as simple as username + password to deal with. How do I store the OpenID identities of a user in the database? Using OpenID gives me a benefit too: RPX can provide extensive profile information, so I can just prefill the profile form and ask the user to edit as required.

I currently have this:

UserID     Email       
------     ---------------
86000      [email protected]
86001      [email protected]

UserOpenID     OpenID
----------     ------
86000          16733
86001          16839
86002          19361

OpenID     Provider   Identifier
------     --------   ----------------
16733      Yahoo      https:\\me.yahoo.com\bob#d36bd
16839      Yahoo      https:\\me.yahoo.com\bigbobby#x75af
19361      Yahoo      https:\\me.yahoo.com\alice#c19fd

Is that the right way to store OpenID identifiers in the database? How would I match the identifier RPX gave me with one in the database to log in the user (if the identifier is known).

So here are concrete questions:

  • How would I make it accessible to users not having an OpenID or not wanting to use one? (security concerns over say, logging in with their Google account for example)
  • How do I store the identifier in the database? (I'm not sure if the tables above are right)
  • What measures do I need to take in order to prevent someone from logging in as another user and happily doing anything with their account? (as I understand RPX sends the identifier via HTTP, so what anyone would have to do is to just somehow grab it then enter it in the "OpenID" field)
  • What else do I need to be aware of when using OpenID?

© Stack Overflow or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about openid

Related posts about rpx

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle