Authenticating with PHP and Google’s OpenID Service : Part-1 November 26, 2011Posted by Tournas Dimitrios in PHP.
Most websites nowadays ask you to register in order to use their applications . That means that you have first to go through the well-known repetitive registration process : give your credentials with a valid email-address where you will receive a confirmation link -> log-in your email address and click on the confirmation link that was sent from the website where you requested a member-account -> login your account .
Most web users struggle to remember the multiple username / password combinations required to sign in to each of their favorite websites , and the password recovery process can be tedious . Many web users deploy the same password across multiple websites . And since traditional passwords are not centrally administered , if a security compromise occurs at any website you use , a hacker could gain access to your password across multiple sites . Just to convince you , this message is displayed on the central webpage of a well know site .
4 October 2011 – In light of a recent security incident , customers are advised to update their antivirus definitions and run a full antivirus scan on all computers that accessed the XYΖ- site between September 20th , 2011 and September 28th, 2011 . Also , out of an abundance of caution , we advise XYZ- account holders to then change their account passwords .
OpenID is a decentralized standard , meaning it is not controlled by any one website or service provider . You control how much personal information you choose to share with websites that accept OpenIDs , and multiple OpenIDs can be used for different websites or purposes . If your email (Google, Yahoo, AOL), photo stream (Flickr) or blog (Blogger, WordPress, LiveJournal) serves as your primary online presence , OpenID allows you to use that portable identity across the web .
How do I login with OpenID : Let’s say that you’re visiting a new web site that supports OpenID . After you click the login button , your browser takes you from the web site you are visiting to your OpenID provider’s web site . The provider — Gmail.com in this example — receives a message . This message asks the provider :
“ Somebody is claiming to tournasdimitrios.host56.com . Is he actually John Doe ? Can he log in to our web site ? ”
At this point , your pass your Gmail’s account credentials and if you are who you say you are it will asks you which of this information you’re willing to give out and which not . You usually also have the option of giving it out just for this session (once) or giving it out automatically whenever the website asks for it . That will look something like this : All you have to do is choose how much information to give and whether to give it just once or whenever the web site asks . Now , your provider sends you back to the web site you were visiting and gives it the information you allowed . You are now logged in !
At any time , you can revoke the permissions or level of information is send back to the website by deleting this site from the list of your Gmail’s account . Login to Gmail.com -> privacy -> Security-section (Authorizing applications & sites ) -> From ” Connected Sites, Apps, and Services ” remove the site from the list .
What’s the benefit ? Simple : because your OpenID is stored with your OpenID service provider and any site can contact this provider to authenticate you , there’s no need to create multiple accounts or remember multiple usernames and passwords for different sites — all you need is a single OpenID . This assumes , of course , that the external site supports the OpenID framework ( adoption of this is gradually increasing) and the OpenID Web site has some interesting information about various large organizations that have begun using the framework . The OpenID framework is completely open-source and any Web site can become a Consumer or a Provider of OpenIDs without incurring any costs on licensing fees. As a result , there are already many OpenID Providers on the Web (Gmail , Twitter , Facebook , Yahoo , AOL , WordPress.com …….. ) , and a growing number of Web sites have begun allowing users to sign in to their services using an OpenID . Visit the OpenID site for a current list and here . Do you know your gmail Google OpenID? You can find it with just a few clicks .
If you have a WordPress.com blog , (like let’s say you have a blog called myblogname.wordpress.com) you use the URL http://myblogname.wordpress.com/ as your OpenID . Now any site that support OpenID will redirect you to WordPress.com , where you have to log in order to validate your password , but once you’ve done that , you will be redirected back to the site and logged in , all without using a username or password !!! .
WordPress.com OpenIDs belong to blogs , not individual users . Any user who has the Administrator role on a blog can authenticate using that blog as their OpenID. You probably don’t have to worry about this, but you should keep it in mind if you have multiple administrators set up for your blog .
If you’re new to OpenID , the information above should be enough to explain the basic concepts and make sure that you can follow the material that comes on next part of this article , so stay tuned 🙂