I'm interested in implementing OpenID and I've been reading about it, but there are still a few aspects I'm a bit confused about.
I've seen multiple flow charts of the interaction and step-by-step details, such as this one, but they all skip details about what happens upon a successful login. Everything I've read says something along the lines of "upon successful login, the user is redirected back to the site." Well, how does my site know that the login was successful? Are cookies set, do I get a POST back, something else?
For example, here are the details from the link I included:
9. User POSTs response to OpenID Server.
10. User is redirected to either the success URL or the failure URL returned in (5) depending on the User response
//this is the step that it says tells me I've had a success/failure upon login
5. Consumer inspects the HTML document header for <link/> tags with the attribute rel set to openid.server and, optionally, openid.delegate. The Consumer uses the values in these tags to construct a URL with mode checkid_setup for the Identity Server and redirects the User Agent. This checkid_setup URL encodes, among other things, a URL to return to in case of success and one to return to in the case of failure or cancellation of the request
I'm not quite sure how to interpret that. What specifically is telling me that the login was successful? From what I gather, it seems as if something in the header is set, but how do I access it? Assuming I find out the login was successful, does that mean I can then go ahead and proceed to set cookies/sessions pertaining to my site?
Edit: I found LightOpenID and it appears to suit my needs, but I'm still a bit unsure of something.
I tested it out on localhost and got the Google login to work. Upon logging in I receive a URL like
User https://www.google.com/accounts/o8/id?id=sdlkfjlkwliej9392010fjos has logged in.
Inspecting the code, it's generated by the following
echo 'User ' . ($openid->validate() ? $openid->identity . ' has ' : 'has not ') . 'logged in.';
I'm assuming this means I simply check $openid->validate() for the login? Will $openid->identity be the same every time for the given Google account? I'm assuming yes, otherwise there'd be no way to track the user each time. If the user has logged in I can then set cookies, sessions, and whatever other fun stuff I deem necessary, right?
Here's some code I use:
<?php
require '../../php/lightopenid-lightopenid/openid.php';

// Only run the OpenID flow when the site already has a claimed_id cookie to compare against.
if (isset($_COOKIE['claimed_id'])) {
    $claimed_id = $_COOKIE['claimed_id'];
    try {
        if (!isset($_GET['openid_mode'])) {
            // First visit: send the user to the provider. openid_mode is set on the way back.
            $openid = new LightOpenID;
            $openid->identity = 'https://www.google.com/accounts/o8/id';
            header('Location: ' . $openid->authUrl());
            exit; // stop here so the rest of the page does not run before the redirect
        } elseif ($_GET['openid_mode'] == 'cancel') {
            // User cancelled at the provider: drop the stored identifier.
            unset($claimed_id);
            setcookie("claimed_id", 0, time() - 3600, "/");
        } else {
            // Provider redirected back: validate() checks the signed response.
            $openid = new LightOpenID;
            if ($openid->validate()) {
                // different login than the one stored in the cookie
                if ($_REQUEST['openid_claimed_id'] != $claimed_id) {
                    unset($claimed_id);
                    setcookie("claimed_id", 0, time() - 3600, "/");
                }
            } else {
                // can't validate: treat as not logged in
                unset($claimed_id);
                setcookie("claimed_id", 0, time() - 3600, "/");
            }
        }
    } catch (ErrorException $e) {
        echo "Authentication error.";
        error_log($e->getMessage());
        exit;
    }
}
// fall through to rest of code...
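The redirect back is what tells the site the login succeeded: the provider appends a positive assertion (openid.mode=id_res, the claimed identifier, a nonce, and openid.sig computed over the fields listed in openid.signed) to the return URL, and verifying that assertion is what validate() does. The following is an added illustration, not the asker's or LightOpenID's code: it checks the signature locally against the association MAC key (LightOpenID instead has the provider confirm the assertion) and also rejects cancel responses, tampered fields, the wrong return_to and replayed nonces. The MAC key, URLs, handle and nonce are constructed demo values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo values (hypothetical, not from the page): the association MAC key the
# relying party shares with the provider, and this site's own return URL.
MAC_KEY = b"constructed-shared-mac-key-for-demo-only"
RETURN_TO = "https://rp.example/login"
_seen_nonces = set()  # each response_nonce may be accepted once (replay protection)

def sign(params, mac_key):
    """HMAC-SHA256 over the OpenID 2.0 key-value form of the fields listed in openid.signed."""
    fields = params["openid.signed"].split(",")
    body = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)  # key without 'openid.'
    return base64.b64encode(hmac.new(mac_key, body.encode(), hashlib.sha256).digest()).decode()

def validate_response(query, mac_key):
    """Return the claimed identifier for a valid positive assertion, or None otherwise."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if p.get("openid.mode") != "id_res":  # 'cancel' means the user did not log in
        return None
    signed = set(p.get("openid.signed", "").split(","))
    # the identifier and the request binding must themselves be covered by the signature
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"} <= signed:
        return None
    if p.get("openid.return_to") != RETURN_TO:  # assertion was not issued for this site
        return None
    try:
        expected = sign(p, mac_key)
    except KeyError:  # a field listed as signed is absent
        return None
    if not hmac.compare_digest(expected.encode(), p.get("openid.sig", "").encode()):
        return None
    if p["openid.response_nonce"] in _seen_nonces:  # replayed assertion
        return None
    _seen_nonces.add(p["openid.response_nonce"])
    return p["openid.claimed_id"]

def constructed_assertion(claimed_id, mac_key, nonce="2024-01-01T00:00:00Zdemo1"):
    """Constructed positive assertion, as the provider would append it to the return_to URL."""
    p = {"openid.mode": "id_res", "openid.op_endpoint": "https://op.example/server",
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.return_to": RETURN_TO, "openid.response_nonce": nonce,
         "openid.assoc_handle": "constructed-handle",
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
    p["openid.sig"] = sign(p, mac_key)
    return urlencode(p)
```

Only when validate_response returns an identifier should the site start its own session; the claimed identifier is the stable value to key that session on.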