Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

confused as to how these open id's work

Tags:

c#

openid

Can someone explain how these open ID systems work?

When a user redirects to the openid provider, and authenticates, what does the provider send back to the originating website? Is it some encrypted text that the website validates or does it have to actually communicate with the open-id provider to verify?

like image 921
Blankman Avatar asked Jan 22 '10 01:01

Blankman

People also ask

What is OpenID and how does it work?

OpenID Connect (OIDC) is an open authentication protocol that works on top of the OAuth 2.0 framework. Targeted toward consumers, OIDC allows individuals to use single sign-on (SSO) to access relying party sites using OpenID Providers (OPs), such as an email provider or social network, to authenticate their identities.

What does OpenID means?

OpenID is an open specification for authentication and single sign-on (SSO). OpenID, which was first created in 2005, allows web sites and authentication services to exchange security information in a standardized way.

Which of the following is an example of OpenID?

Logging into Spotify with your Facebook account is a good example of how OpenID could be applied: You log into Facebook. Facebook sends your name and e-mail to Spotify. Spotify uses those details to identify you.

1 Answers

If you're interested in all the gory details, you can check out the spec here.

On a high level though, it's pretty simple (paraphrasing here from the 2.0 spec's overview):

  1. The site redirects the user to the OpenID provider, along with an auth request

  2. The OpenID provider attempts to authenticates the user

  3. The OpenID provider redirects the user to the site, along with information on whether the authentication failed or succeeded.

  4. The site then verifies this information, checking some fields it got back from the response, as well as making a direct request (one that doesn't go through the user's browser) to the OpenID provider; all this is to prevent spoofing and the like

So steps one and two are pretty straightforward, but the latter two have some complexity. The response from step 3 in particular contains the "nonce" field, which will be unique to the request, and several fields that the site will then verify. This verification occurs in step four, where a few checks are made. Notably, the return URL and signatures.

Of course there's a lot more going on under the hood, but if that's the kind of information you're after, the spec the best place to look.

like image 92
ShZ Avatar answered Oct 09 '22 12:10

ShZ
Sign in to Comment

Related questions

Is HWND visible?
How do I package my linux application using MonoDevelop?
Working with relative file paths in .Net
WPF WebBrowser control doesn't enter design mode when the document property is changed
Could someone explain the behaviour of the garbage collector?
How to call a C# dll in ruby?
What are the best practices for class libraries using dependency injection for internal operations? [duplicate]
C# error1:The name 'DateTimeStyles' does not exist in the current context. error2:The type or namespace name 'CultureInfo' could not be found
Is it possible to lose messages using MSMQ MessageQueue.Peek with a timeout?
Eval() for current item in asp:ListView
Query Multiple databases with single ado.net query
Nhibernate doing updates on select?
Can i call a function defined in one partial class from another partial class. Is it possible?
can't consistently bring form to front
Detect a transparent proxy vs actual object reference?
Disable image loading from webbrowser control before the documentcompleted event
DynamicObject implicit casting
In Gtk, how do I center the text within a TextView vertically?
AppDomain.CurrentDomain.ProcessExit and cleanup
LINQ group by month question

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!