Using OpenID as the only authentication method
Posted
by iconiK
on Stack Overflow
See other posts from Stack Overflow
or by iconiK
Published on 2010-04-08T17:22:34Z
Indexed on
2010/04/08
18:03 UTC
Read the original article
Hit count: 439
I have read the other questions and they mostly talk about the security of doing so. That's not entirely my concern, mostly because the website is question is a browser-based game. However, the larger issue is the user - not every user is literate enough to understand OpenID. Sure RPX makes this pretty easy, which is what I'll use, but what if the user does not have an account at Google or Facebook or whatever, or does not trust the system to log in with an existing account? They'd have to get an account at another provide - I'm sure most will know how to do it, let alone be bothered to do it.
There is also the problem of how to manage it in the application. A user might want to use multiple identities with a single account, so it's not as simple as username + password to deal with. How do I store the OpenID identities of a user in the database? Using OpenID gives me a benefit too: RPX can provide extensive profile information, so I can just prefill the profile form and ask the user to edit as required.
I currently have this:
UserID Email
------ ---------------
86000 [email protected]
86001 [email protected]
UserOpenID OpenID
---------- ------
86000 16733
86001 16839
86002 19361
OpenID Provider Identifier
------ -------- ----------------
16733 Yahoo https:\\me.yahoo.com\bob#d36bd
16839 Yahoo https:\\me.yahoo.com\bigbobby#x75af
19361 Yahoo https:\\me.yahoo.com\alice#c19fd
Is that the right way to store OpenID identifiers in the database? How would I match the identifier RPX gave me with one in the database to log in the user (if the identifier is known).
So here are concrete questions:
- How would I make it accessible to users not having an OpenID or not wanting to use one? (security concerns over say, logging in with their Google account for example)
- How do I store the identifier in the database? (I'm not sure if the tables above are right)
- What measures do I need to take in order to prevent someone from logging in as another user and happily doing anything with their account? (as I understand RPX sends the identifier via HTTP, so what anyone would have to do is to just somehow grab it then enter it in the "OpenID" field)
- What else do I need to be aware of when using OpenID?
© Stack Overflow or respective owner