Question

I'm implementing an OpenID based login system with LightOpenID. Following the documentation, I use the $openid->identity property to set and get the identity supplied by the user:

Set it before calling authUrl(), and get after validate().

So I do as follows:

<?php

require_once 'openid.php';                  // LightOpenID (class LightOpenID)

$openid = new LightOpenID('example.com');   // host of this site (the realm)

if( !$openid->mode ){
    if( isset($_POST['openid']) ){
        // Auth required: set the typed identifier, then redirect to the provider
        $openid->identity = $_POST['openid'];
        header('Location: ' . $openid->authUrl());
        exit;
    }

}elseif( $openid->mode == 'cancel' ){
    // Cancelled by user

}else{
    // Provider redirected back: verify the assertion before trusting identity
    if( $openid->validate() ){
        // Success
        $user = $openid->identity;
    }else{
        // Error
    }
}

When I test the system with delegation (I believe that's the technical name: I type my domain name in the login box and get authenticated with a third-party provider) the resulting identity is not always the one I initially typed and this behaviour seems to depend on the provider behind the scenes. More specifically, if I type http://example.com/ Yahoo will always return https://me.yahoo.com/XXXXXXXXXX#5ab6d where XXXXXXXXXX is my Yahoo username. As a result, I can't reliably identify recurring users: as soon as they switch providers, they'll lose their account data in my site:

["openid_claimed_id"] => string(37) "https://me.yahoo.com/XXXXXXXXXX#5ab6d"
["openid_identity"] => string(31) "https://me.yahoo.com/XXXXXXXXXX"

My questions:

  • Is this behaviour correct?
  • Is my code wrong?

(Please correct me if I'm misusing any term. Everything around OpenID tends to overcomplication, esp. the terminology.)


Solution

As far as I know it isn't correct behavior on the part of the provider.

Yahoo (and AOL, by the way) just does that. The only way to fix this is to start using a different provider.

As for your second question, your code is correct. Remember though, that the authentication status isn't remembered automatically, and you have to store it in a session yourself (if you want it to persist between requests, of course).
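As an added example (not from the question, the answer, or LightOpenID itself), here is the flow above wrapped in the session handling the answer mentions. It assumes LightOpenID's openid.php is on the include path and keeps accounts in a hypothetical JSON file; the account key is the identifier the provider asserted, as LightOpenID exposes it in $openid->identity after validate(), never the URL the user typed.

```php
<?php
// Added example: session-backed login around LightOpenID.
// Assumptions: openid.php (LightOpenID) is loadable, accounts.json is a
// hypothetical local account store, and 'example.com' is this site's host.
require_once 'openid.php';

const ACCOUNTS_FILE = __DIR__ . '/accounts.json';   // hypothetical store

session_start();

// Find or create the local account for a *verified* OpenID identifier.
// Keyed on exactly what the provider asserted (fragment included); the
// value typed into the login box is untrusted and is not stored.
function account_for_identity(string $identity): array
{
    $accounts = file_exists(ACCOUNTS_FILE)
        ? (json_decode((string) file_get_contents(ACCOUNTS_FILE), true) ?: [])
        : [];

    if (!isset($accounts[$identity])) {
        $accounts[$identity] = ['id' => count($accounts) + 1, 'created' => time()];
        file_put_contents(ACCOUNTS_FILE, json_encode($accounts), LOCK_EX);
    }

    return $accounts[$identity] + ['identity' => $identity];
}

function current_user(): ?array
{
    return $_SESSION['user'] ?? null;
}

if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}

$openid = new LightOpenID('example.com');

if (!$openid->mode) {
    if (isset($_POST['openid'])) {
        // Step 1: the typed identifier only selects the provider to discover.
        $openid->identity = $_POST['openid'];
        header('Location: ' . $openid->authUrl());
        exit;
    }
} elseif ($openid->mode === 'cancel') {
    $_SESSION['flash'] = 'Login cancelled by user';
} else {
    // Step 2: back from the provider. validate() checks the assertion
    // signature; only after it succeeds may $openid->identity be trusted.
    if ($openid->validate()) {
        session_regenerate_id(true);        // new session id at login (fixation defence)
        $_SESSION['user'] = account_for_identity($openid->identity);
    } else {
        $_SESSION['flash'] = 'OpenID validation failed';
    }
    header('Location: /');                  // leave the return URL and its query string
    exit;
}

if ($u = current_user()) {
    echo 'Logged in as ', htmlspecialchars($u['identity'], ENT_QUOTES, 'UTF-8');
}
```

Two design notes. The account key keeps the fragment (the "#5ab6d" in the question): OpenID 2.0 lets a provider append a fragment to the claimed identifier to distinguish recycled accounts, so a relying party must compare and store the full string and may drop the fragment only for display. And the session is regenerated at the moment of login, so a session id planted before authentication does not become an authenticated one.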

Licensed under: CC-BY-SA with attribution