Using OpenID as the only authentication method

Posted by iconiK on Stack Overflow See other posts from Stack Overflow or by iconiK
Published on 2010-04-08T17:22:34Z Indexed on 2010/04/08 18:03 UTC
Read the original article Hit count: 444


I have read the other questions and they mostly talk about the security of doing so. That's not entirely my concern, mostly because the website in question is a browser-based game. However, the larger issue is the user - not every user is literate enough to understand OpenID. Sure, RPX makes this pretty easy, which is what I'll use, but what if the user does not have an account at Google or Facebook or whatever, or does not trust the system to log in with an existing account? They'd have to get an account at another provider - I'm sure most will know how to do it, let alone be bothered to do it.

There is also the problem of how to manage it in the application. A user might want to use multiple identities with a single account, so it's not as simple as username + password to deal with. How do I store the OpenID identities of a user in the database? Using OpenID gives me a benefit too: RPX can provide extensive profile information, so I can just prefill the profile form and ask the user to edit as required.

I currently have this:

UserID     Email       
------     ---------------
86000      [email protected]
86001      [email protected]

UserOpenID     OpenID
----------     ------
86000          16733
86001          16839
86002          19361

OpenID     Provider   Identifier
------     --------   ----------------
16733      Yahoo      https://me.yahoo.com/bob#d36bd
16839      Yahoo      https://me.yahoo.com/bigbobby#x75af
19361      Yahoo      https://me.yahoo.com/alice#c19fd

Is that the right way to store OpenID identifiers in the database? How would I match the identifier RPX gave me with one in the database to log in the user (if the identifier is known)?

So here are concrete questions:

  • How would I make it accessible to users not having an OpenID or not wanting to use one? (security concerns over say, logging in with their Google account for example)
  • How do I store the identifier in the database? (I'm not sure if the tables above are right)
  • What measures do I need to take in order to prevent someone from logging in as another user and happily doing anything with their account? (as I understand RPX sends the identifier via HTTP, so what anyone would have to do is to just somehow grab it then enter it in the "OpenID" field)
  • What else do I need to be aware of when using OpenID?
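The following is an added example, not code from the original post or from RPX: a minimal SQLite-backed store in which one account can own several OpenID identities, a lookup from identifier to account, and the login path that matches how an RPX-style callback should be handled. The table and function names, the fake RPX response shape (`stat`, `profile.identifier`) and the `verify_token` callback are assumptions made for this example; in production that callback would be the server-side exchange of the one-time RPX token for the verified profile, done with the site's secret API key. The point that addresses the third question above: the identifier that is looked up in the database is whatever the server-side verification returned, never a value typed into a form field.

```python
"""Added example (not from the original post): users with many OpenID identities.

Assumptions (not from the original post): table and function names are invented;
the `verify_token` callable stands in for the server-side exchange of the one-time
RPX token for the verified profile, which in production is an HTTPS call made with
the site's secret API key.
"""
import sqlite3

# Schema: one row per identity; an identity belongs to exactly one user (UNIQUE on
# identifier), while a user may own any number of identities.
SCHEMA = """
CREATE TABLE users (
    user_id INTEGER PRIMARY KEY,
    email   TEXT NOT NULL UNIQUE
);
CREATE TABLE openid_identities (
    openid_id  INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES users(user_id) ON DELETE CASCADE,
    provider   TEXT    NOT NULL,
    identifier TEXT    NOT NULL UNIQUE
);
CREATE INDEX openid_identities_user ON openid_identities(user_id);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database for the example; a file path would be used in production."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def create_user(conn: sqlite3.Connection, email: str) -> int:
    return conn.execute("INSERT INTO users(email) VALUES (?)", (email,)).lastrowid


def link_identity(conn: sqlite3.Connection, user_id: int, provider: str, identifier: str) -> bool:
    """Attach a verified identifier to an existing account.

    Returns False if the identifier is already linked to some account (or the user
    does not exist), so one identity can never end up owned by two users."""
    try:
        conn.execute(
            "INSERT INTO openid_identities(user_id, provider, identifier) VALUES (?, ?, ?)",
            (user_id, provider, identifier),
        )
    except sqlite3.IntegrityError:
        return False
    return True


def find_user_by_identifier(conn: sqlite3.Connection, identifier: str):
    """Exact-match lookup of a claimed identifier; None if it is unknown."""
    row = conn.execute(
        "SELECT user_id FROM openid_identities WHERE identifier = ?", (identifier,)
    ).fetchone()
    return row[0] if row else None


def identities_for_user(conn: sqlite3.Connection, user_id: int) -> list:
    """All (provider, identifier) pairs a user has linked, for the profile page."""
    return list(
        conn.execute(
            "SELECT provider, identifier FROM openid_identities WHERE user_id = ? ORDER BY openid_id",
            (user_id,),
        )
    )


def handle_rpx_callback(conn: sqlite3.Connection, form: dict, verify_token):
    """Login path for an RPX-style callback.

    The browser posts only a one-time `token`. The server exchanges that token for
    the verified profile (`verify_token`, assumed to return a dict shaped like
    {"stat": "ok", "profile": {"identifier": ...}} or None on failure) and looks up
    the identifier it got back. Any `identifier` field the browser may have sent is
    ignored on purpose, so knowing someone else's identifier is not enough to log
    in as them. Returns the user_id to place in the server-side session, or None
    (unknown identifier: start signup or account linking instead)."""
    token = form.get("token")
    if not token:
        return None
    info = verify_token(token)
    if not info or info.get("stat") != "ok":
        return None
    identifier = info["profile"]["identifier"]
    return find_user_by_identifier(conn, identifier)


if __name__ == "__main__":
    # Constructed sample data mirroring the tables in the post.
    db = open_db()
    bob = create_user(db, "bob@example.com")
    link_identity(db, bob, "Yahoo", "https://me.yahoo.com/bob#d36bd")
    link_identity(db, bob, "Yahoo", "https://me.yahoo.com/bigbobby#x75af")
    print(identities_for_user(db, bob))
```

The UNIQUE constraint on `identifier` is what makes the "multiple identities per account" model safe: linking is an INSERT that fails if the identity already belongs to someone, so account takeover by re-linking is ruled out at the database level rather than in application logic.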
