Saturday, April 24, 2010

OpenID Implementation using Java

 

What is OpenID?


OpenID is a decentralized authentication protocol that makes it easy for people to sign up for and access web accounts.
An OpenID takes the form of a unique URL, and the user is authenticated by their 'OpenID provider'.
OpenID is a way of using a single sign-on at a trusted provider to gain trusted access to other websites. You do not need to create accounts or new logins at those websites; you merely tell them what your OpenID is. The first time you do this at a website you are giving your trusted provider permission to pass some of your profile information to that website. Behind the scenes the trusted provider confirms to the other website that you are who you say you are, because you have already logged in with the provider in this browser session.


Example: You have a Google account. Now you want to log in to create a new thread in a forum or website (e.g. stackoverflow.com). You don't need to create a new account on that website; you log in there with your Google account using OpenID. Behind the scenes, Google returns your OpenID identifier, stackoverflow.com stores it in its database, and from then on recognizes you as a valid user.

Implementing OpenID using Java
To OpenID-enable your web application, you need to do the following:
  • Download and install the libraries to your project.
  • Change your authentication prompt to ask users for their OpenID identifier rather than a username and password.
  • Create an authentication request for this identifier, and redirect the user to their OpenID Provider.
  • Receive the OpenID Provider's authentication response at your web application's return URL, and verify the response.
// imports from openid4java, the library these classes belong to
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.message.AuthRequest;
import java.util.List;

// create the consumer manager (one shared instance per application:
// it holds the associations and nonces needed to verify the response later)
ConsumerManager manager = new ConsumerManager();

// discover the OpenID authentication server's endpoint URL
// (userSuppliedOpenID is the identifier the user typed into the login form)
List discoveries = manager.discover(userSuppliedOpenID);

// attempt to associate with the OpenID provider
// and retrieve one service endpoint for authentication
DiscoveryInformation discovered = manager.associate(discoveries);

// store the discovery information in the user's HTTP session for later use
session.setAttribute("discovered", discovered);

// define the return path (an absolute URL on this relying party)
String returnURL = "http://company.com/openidresponse.jsp";

// generate an AuthRequest message to be sent to the OpenID provider
AuthRequest authReq = manager.authenticate(discovered, returnURL);

// redirect the user to their provider for authentication
// (httpResp is the servlet's HttpServletResponse)
httpResp.sendRedirect(authReq.getDestinationUrl(true));
The code above does the following:
  • Discover the list of OpenID provider endpoints for the identifier (generally just one). The results are returned in order of preference for authentication.
  • Establish a shared secret with the OpenID provider, through association.
  • Store the discovery information ('DiscoveryInformation') for later use.
  • Redirect the user to their OpenID Provider for authentication. We also need to tell the provider the return URL of the relying party website (our web application), so that it knows where to send the user after performing the authentication.
  • After authenticating the user, the OpenID Provider redirects the user back to the Relying Party site (i.e. your web application) using the return URL we provided, and sends an authentication response message to your web application. Our web application needs to receive and process this response. Depending on our workflow, we can then display an error message or send the user to the 'success' page.
The simplest way to process the OpenID Provider's authentication response message is:

// imports from openid4java
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.ParameterList;

// extract the parameters from the authentication response
// (which comes in as an HTTP request from the OpenID provider)
ParameterList openidResp = new ParameterList(request.getParameterMap());

// retrieve the previously stored discovery information
DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute("discovered");

// extract the receiving URL from the HTTP request
StringBuffer receivingURL = request.getRequestURL();
String queryString = request.getQueryString();

if (queryString != null && queryString.length() > 0)
    receivingURL.append("?").append(queryString);

// verify the response (signature, nonce and return_to are checked here);
// 'manager' must be the same ConsumerManager instance that created the request
VerificationResult verification = manager.verify(receivingURL.toString(), openidResp, discovered);

// examine the verification result and extract the verified identifier
Identifier verified = verification.getVerifiedId();

if (verified != null) {
    // success: use the verified identifier to identify the user
    session.setAttribute("openid", verified.getIdentifier());
} else {
    // OpenID authentication failed
    session.removeAttribute("openid");
}
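The two fragments above are written against openid4java (the library that provides ConsumerManager, DiscoveryInformation and VerificationResult). What follows is an added example, not code from the original post, that joins both halves of the flow into one servlet. It assumes the Servlet API, a hypothetical relying party at https://rp.example.com, and that the servlet is mapped to /openid; all three are placeholders. The point it adds to the fragments: the ConsumerManager lives in a single field shared by the request that starts authentication and the request that verifies the response, because by default it keeps its associations and seen nonces in memory, so a fresh instance per request could never verify anything; it passes a realm so the provider can show the user which site is asking; it refuses responses for which no request is pending in the session; and it trusts only the identifier that verify() returns, never the raw openid.identity parameter.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.ParameterList;

// Relying-party servlet for the two-step flow above; assumed mapped to /openid (placeholder).
public class OpenIdLoginServlet extends HttpServlet {

    private static final String BASE_URL = "https://rp.example.com"; // placeholder host
    private static final String RETURN_URL = BASE_URL + "/openid";
    private static final String REALM = BASE_URL + "/";

    // One manager for the whole application: its association store and nonce verifier are
    // in-memory by default, so the instance that built the AuthRequest must verify the response.
    private ConsumerManager manager;

    @Override
    public void init() throws ServletException {
        // older openid4java versions declare ConsumerException on the constructor
        try { manager = new ConsumerManager(); } catch (Exception e) { throw new ServletException(e); }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Provider responses arrive at RETURN_URL with openid.mode set; the login form sends only openid_identifier.
        if (req.getParameter("openid.mode") != null) {
            handleProviderResponse(req, resp);
        } else if (req.getParameter("openid_identifier") != null) {
            startAuthentication(req, resp);
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing openid_identifier");
        }
    }

    // Step 1: discovery, association, redirect to the provider.
    private void startAuthentication(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String userSuppliedId = req.getParameter("openid_identifier").trim();
        try {
            List discoveries = manager.discover(userSuppliedId);
            DiscoveryInformation discovered = manager.associate(discoveries);
            req.getSession().setAttribute("discovered", discovered);
            // The realm lets the provider show the user which site is asking.
            AuthRequest authReq = manager.authenticate(discovered, RETURN_URL, REALM);
            resp.sendRedirect(authReq.getDestinationUrl(true));
        } catch (OpenIDException e) {
            // Discovery or association failed: a login failure, not a server error.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "OpenID discovery failed");
        }
    }

    // Step 2: verify the provider's response and establish the local login.
    private void handleProviderResponse(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        DiscoveryInformation discovered = session == null ? null : (DiscoveryInformation) session.getAttribute("discovered");
        if (discovered == null) { // nothing pending in this session: unsolicited or replayed response
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "no pending OpenID request");
            return;
        }
        session.removeAttribute("discovered"); // consumed either way, so it cannot be answered twice

        ParameterList params = new ParameterList(req.getParameterMap());
        StringBuffer receivingUrl = req.getRequestURL();
        String query = req.getQueryString();
        if (query != null && query.length() > 0) {
            receivingUrl.append('?').append(query);
        }
        Identifier verified = null;
        try {
            // verify() checks the signature against the association, the nonce, and that
            // return_to matches the URL this request actually arrived on.
            VerificationResult result = manager.verify(receivingUrl.toString(), params, discovered);
            verified = result.getVerifiedId();
        } catch (OpenIDException e) {
            verified = null; // malformed or tampered response
        }
        if (verified == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "OpenID authentication failed");
            return;
        }
        // Only the identifier returned by verify() is trusted; it is the key for the local account.
        session.setAttribute("openid", verified.getIdentifier());
        resp.sendRedirect(BASE_URL + "/welcome");
    }
}
```

The session attribute name "discovered" matches the snippets above, so the servlet can replace them one for one. Because the pending DiscoveryInformation is removed before the result is examined, a failed or cancelled response cannot be re-submitted against the same session, and a response that arrives with no pending request is rejected before any signature work is done.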
 
