Question

When authenticating my users via LightOpenId, I'm getting a different identity if they access the site using http://www.example.com or when they access via http://example.com. Is there any way to avoid this?

Also, I'm planning on also allowing authentication via Facebook, and last time I remember they were using some other method that doesn't return an identity but a token. Because of this, would it just be a better idea to use the email address as a unique identifier, to make both Facebook and Google logins based on the same value?

Thanks!

No correct solution

OTHER TIPS

You need to have the same realm set for both domains, such as:

$openid = new LightOpenID('www.example.com');

If you use different realms (domains), it is valid for a provider to return different identities, as Google does, for example.

Also, you can't rely on the email address returned by OpenID without further verification. From the protocol point of view, it's just a string value that's filled with whatever the user wants.

And lastly - don't limit your OpenID support to Google. The protocol was specifically designed to make it easy to be decentralized, and it isn't much harder to at least provide a way to enter any OpenID URL, instead of just clicking "sign in with Google".
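
The realm advice above, worked through as an added PHP example (not code from the original answer or from the LightOpenID project): the login page pins one canonical host, keys the session on the validated identity, and stores the email only as an unverified attribute. It assumes `openid.php` from LightOpenID is on the include path and that `www.example.com` is the canonical host; the form field and session key names are hypothetical.

```php
<?php
// Added example. Assumptions: LightOpenID's openid.php is includable and
// www.example.com is the one canonical host for this site.
require 'openid.php';

const CANONICAL_HOST = 'www.example.com';

// Visitors arriving via example.com are sent to the canonical host first, so
// the return URL the provider redirects back to always lies under one realm.
$https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$scheme = $https ? 'https' : 'http';
if (strtolower($_SERVER['HTTP_HOST'] ?? '') !== CANONICAL_HOST) {
    header('Location: ' . $scheme . '://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'], true, 302);
    exit;
}

// Pass a constant, never $_SERVER['HTTP_HOST']: the realm is then identical on
// every request, so the provider has no reason to return a second identity.
$openid = new LightOpenID(CANONICAL_HOST);

if (!$openid->mode) {
    if (isset($_POST['openid_identifier'])) {          // hypothetical field name
        $openid->identity = $_POST['openid_identifier']; // any OpenID URL, not only Google
        $openid->required = array('contact/email');
        header('Location: ' . $openid->authUrl());
        exit;
    }
    echo '<form method="post"><input name="openid_identifier">'
       . '<button>Sign in</button></form>';
} elseif ($openid->mode === 'cancel') {
    echo 'Login cancelled.';
} elseif ($openid->validate()) {
    $attrs = $openid->getAttributes();
    session_start();
    session_regenerate_id(true);                        // new session id after login
    // The validated claimed identifier is the account key.
    $_SESSION['openid_identity'] = $openid->identity;
    // The email is whatever the provider or user sent: keep it as an unverified
    // hint and confirm it out of band before using it to link or merge accounts.
    $_SESSION['unverified_email'] = $attrs['contact/email'] ?? null;
    echo 'Signed in.';
} else {
    echo 'Login failed.';
}
```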

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow