How to Use Open Id as Login System

How to use open id as login system

You can use the PHP OpenID library here or for PHP 4 here

Integrating openID and oauth as website login, signin and authentication system

Your question has two main parts to it:

  1. Authentication
  2. Authorization

Usually the two are not treated differently if the identity provider (IP) is your own, which has been the most common setup in web apps until now.

When using an OpenId Provider such as Google, the authentication part is separated from your control. You will get a token back telling you if the user is authenticated or not. The token will normally contain the following claims: Name, Email and Named Identity, where the last is the unique id of the identity at the IP.

So far so good.

The trick is now as you ask, how do I authorize this user?

Well, there are a couple of approaches to this.

First off, when you create a local user in your system, you can prepopulate the Name and Email values based off the claims you get from the IP. In this process, you can start and say that all users that have a profile stored in your system are authorized, or you can develop further processes that will add whatever details you need to know about the user.

Then, how do you avoid the user being re-registered if they switch from Google to Facebook as the IP?

This is where things get tricky. The most common claims that Google, Yahoo and Facebook will provide to you are the email address and Name. So what you can do is try to match the incoming claim with existing customers in your app. This is not failsafe, however, as people can have different emails in different systems.

The name value is also not safe.

In our setup, we start by matching emails, as we know that most IPs validate email addresses. This will reduce duplicates a lot. After that check, we start our own validation process where the goal is to see if the person is already registered. This process looks for the customer's mobile number in our database, and if a match is found, we send a one-time password to the customer to verify correct ownership of the phone number.

Since login is a time-sensitive setup, we created a simple SQL table that maps external identities to our customer numbers. This allows us to implement this kind of validation logic outside all our web apps (and thereby reduce code redundancy).
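The account-linking flow the answer above describes (look up the external identity first, then match on e-mail, then treat a mobile-number match as something to confirm with a one-time password before linking), as an added example in Python with an in-memory SQLite database. This is not code from the answer or from any project; the table layout, the `iss`/`sub`/`email`/`email_verified`/`name` claim names, the sample customers and the provider ids are all assumed or constructed.

```python
import sqlite3

# Minimal schema for the linking flow. external_identities is the "simple SQL
# table that maps external identities to our customer numbers"; the customers
# table is assumed for the example.
SCHEMA = """
CREATE TABLE customers (
    id     INTEGER PRIMARY KEY,
    name   TEXT NOT NULL,
    email  TEXT,            -- stored only when the provider asserted it verified
    mobile TEXT
);
CREATE TABLE external_identities (
    issuer      TEXT NOT NULL,   -- which identity provider (its issuer URL)
    subject     TEXT NOT NULL,   -- the provider's unique id for the user
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    PRIMARY KEY (issuer, subject)
);
"""


def open_db():
    """Create an in-memory database seeded with constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO customers (id, name, email, mobile) VALUES (?, ?, ?, ?)",
        [(1, "Alice Example", "alice@example.com", "+15550100"),
         (2, "Bob Example", "bob@example.com", "+15550101")],
    )
    # Alice has already signed in once through Google (constructed ids).
    conn.execute("INSERT INTO external_identities VALUES (?, ?, ?)",
                 ("https://accounts.google.com", "g-111", 1))
    conn.commit()
    return conn


def link_identity(conn, issuer, subject, customer_id):
    """Record that (issuer, subject) belongs to customer_id. Call this only
    after any verification step (such as the one-time password) has passed."""
    conn.execute("INSERT OR IGNORE INTO external_identities VALUES (?, ?, ?)",
                 (issuer, subject, customer_id))
    conn.commit()


def resolve_customer(conn, claims, entered_mobile=None):
    """Map the claims from an identity token to a local customer number.

    Returns (customer_id, outcome) where outcome is one of:
      'linked'      (issuer, sub) is already mapped: log the user in.
      'email_match' a verified e-mail matched an existing customer; linked now.
      'needs_otp'   the mobile number the user entered matched an existing
                    customer; link only after an OTP confirms ownership.
      'new'         nothing matched; a profile was prepopulated from the claims.
    """
    issuer, subject = claims["iss"], claims["sub"]
    row = conn.execute(
        "SELECT customer_id FROM external_identities WHERE issuer = ? AND subject = ?",
        (issuer, subject)).fetchone()
    if row:
        return row[0], "linked"

    # Match on e-mail only when the provider says it verified the address;
    # an unverified e-mail claim is just a string somebody typed in.
    email = claims.get("email")
    verified_email = email if claims.get("email_verified") else None
    if verified_email:
        row = conn.execute("SELECT id FROM customers WHERE lower(email) = lower(?)",
                           (verified_email,)).fetchone()
        if row:
            link_identity(conn, issuer, subject, row[0])
            return row[0], "email_match"

    # Second pass: a mobile-number match is only a hint, so do not link yet.
    if entered_mobile:
        row = conn.execute("SELECT id FROM customers WHERE mobile = ?",
                           (entered_mobile,)).fetchone()
        if row:
            return row[0], "needs_otp"

    # No existing customer: prepopulate a profile from the claims and link it.
    cur = conn.execute("INSERT INTO customers (name, email, mobile) VALUES (?, ?, ?)",
                       (claims.get("name", ""), verified_email, entered_mobile))
    link_identity(conn, issuer, subject, cur.lastrowid)
    return cur.lastrowid, "new"
```

The lookup order matters: the (issuer, subject) pair is the only identifier the provider guarantees stable, so it is checked before any heuristic match, and the mobile-number path deliberately returns without writing to the mapping table so that the OTP step, not the match itself, is what creates the link.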

Implement Open Id login

On Stack Overflow, there are answers here:

How to use open id as login system

How do I implement OpenID in my web application?

How can I use Google's OpenID and/or OAuth services to login and allow access to APIs with only ever one prompt to the user?

I would suggest using OAuth 2.0. This supports getting both identity and access to APIs -- so accomplishes the same end goal, but is much easier than OAuth 1 Hybrid.

Take a look here:
https://developers.google.com/accounts/docs/OAuth2Login

The scopes you're trying to access are included in the URL (see "Forming the URL"). The referenced doc lists the scopes required for getting identity/profile information. You can simply add additional scopes to the string, comma-delimited in order to request access to other APIs. The resulting access token will access both the APIs and identity information (via the UserInfo API endpoint mentioned).

That said, what you're trying to do with OpenID 2.0/OAuth 1 hybrid should work, and the user should see a checkbox for "remembering" the authorization. If you really want to debug this further, it'd be helpful to have a webpage you can point to which kicks off this authentication+authorization flow so we can see what's happening.
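Forming the OAuth 2.0 authorization URL with identity and API scopes in one request, plus the check a site should do on the redirect back, as an added example in Python. It is not code from the answer or from Google; the endpoint constant is the one documented at the time and should be taken from Google's current discovery document, the Calendar read-only scope is just one real API scope chosen for illustration, and the client id and redirect URI are placeholders. Scope values are space-separated as RFC 6749 specifies.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Authorization endpoint as documented at the time of the linked page (assumed;
# verify against Google's current OpenID Connect discovery document).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"

# Identity scopes plus one API scope, all requested in a single prompt.
IDENTITY_SCOPES = ["openid", "email", "profile"]
API_SCOPES = ["https://www.googleapis.com/auth/calendar.readonly"]


def new_state():
    """Unguessable per-request value; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, state, extra_scopes=()):
    """Form the authorization-code request URL carrying every scope needed."""
    scopes = IDENTITY_SCOPES + API_SCOPES + list(extra_scopes)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # RFC 6749: scope values are space-delimited
        "state": state,              # ties the callback to this browser session
        "access_type": "offline",    # Google parameter: also issue a refresh token
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Single-valued view of a URL's query string (helper for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to redirect_uri,
    refusing it unless the state matches the value stored in the session."""
    query = query_params(callback_url)
    if "error" in query:
        raise ValueError("authorization refused: " + query["error"])
    if not hmac.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible cross-site request forgery")
    return query["code"]


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url("CLIENT_ID_PLACEHOLDER",
                                  "https://app.example/oauth2/callback", state))
```

The resulting access token is then usable both for the API scopes and for the UserInfo endpoint the answer mentions; the `state` round-trip is what stops an attacker-supplied callback URL from binding someone else's authorization code to the victim's session.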

Is there a way to use OpenIdConnect flows to implement login as functionality

This is impersonation, so you are not really logging in as someone else, and you also won't want lots of separate credentials for the root user.

The usual technique is to invoke a custom screen after a root user authenticates, to see if they want to impersonate someone. Then claims such as sub and act_as in access tokens are updated.

A couple of recent articles from Curity explore this topic and the related standards. It is one of many areas where you need good extensibility in the Authorization Server, since OAuth is meant to provide toolbox features such as this, to simplify your code.

  • Impersonation Approaches
  • Impersonation Tutorial

For systems without these capabilities it can get a bit messy, since you may end up with custom screens in your own apps, along with secondary cookies, plus changing your API authorization.
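How an API can act on the updated claims the answer describes (authorize as the impersonated `sub`, but record who is really acting and restrict what an impersonated session may do), as an added example in Python. It is not code from the answer or from Curity; it assumes the actor is carried in the `act` claim as RFC 8693 names it (the answer calls it act_as), that the token's signature, issuer, audience and expiry were already validated upstream, and the scope names and the denied-scope policy are constructed for the example.

```python
# Scopes that an impersonated session may never exercise (assumed policy).
DENIED_WHEN_IMPERSONATING = {"account:delete", "payment:transfer"}


def authorize_request(claims, required_scope, audit_log):
    """Decide whom a request acts as and record impersonation for audit.

    `claims` is the already-validated payload of the access token. Returns the
    effective user id (the `sub`), or raises PermissionError.
    """
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise PermissionError("token lacks scope " + required_scope)

    effective = claims["sub"]
    # RFC 8693 carries the real party behind the request in act.sub
    actor = claims.get("act", {}).get("sub")
    if actor and actor != effective:
        if required_scope in DENIED_WHEN_IMPERSONATING:
            raise PermissionError(required_scope + " is not permitted while impersonating")
        # Every impersonated call is attributable to the root user who started it.
        audit_log.append({"actor": actor, "acting_as": effective, "scope": required_scope})
    return effective


def sample_tokens():
    """Constructed access-token payloads: a normal login and an impersonation."""
    normal = {"sub": "alice", "scope": "orders:read orders:write"}
    impersonated = {"sub": "alice", "act": {"sub": "root-admin"},
                    "scope": "orders:read orders:write account:delete"}
    return normal, impersonated
```

Keeping the actor in the token rather than in a secondary cookie is what lets every API apply the same rule without the per-app screens and cookies the answer warns about.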

Login system just like stackoverflow's, written in php

If you want to implement it yourself, here is a great walkthrough. There's also the PHP OpenID Library, but that's probably a lot more than you need.

Here is the client-side OpenID selector that SO uses on its login screen.

Edit: Stack Overflow no longer uses the one that I linked to, but it still works, as far as I'm aware.
