authentication - How do multiple websites get same unique identifier from the same OpenID user/identify? -
we have backend (restful) service websites depends upon uniquely identifying same user across multiple, unrelated websites. have been using email address unique identifier, email address not used websites, when openid authentication websites.
so, openid provide unique identifier same across multiple relying parties (if user authenticates same openid)?
if so, 1 instruct series of independent website provide user identifier each of users if goal multiple, unrelated websites provide same identifier when each have same openid user?
also, goal create easy possible developers consume our apis. so, if know of api documentation has solved this, links helpful.
without knowing web service or language written in, i'm not how helpful reply general , less technical.
openid providers responding identification/authorization request respond "claimed id" , "identity" "attribute exchanges" requested. attribute exchange info can things such email/username/language/realname/etc may looking for.
google (as openid provider) supports querying decent number attribute exchange information, , provides list in documentation: https://developers.google.com/accounts/docs/openid#parameters
the openid identity should unique user, may not cross-identify them different websites when issued same provider. (it can directed id unique rp issued to). see more on here: is openid.claimed_id static?
with of said, reasonable you, designer of api, define info (i.e. email address) required consume webservice. , leave parties wish utilize webservice somehow gain info (directly asking user, or through attribute exchange, etc).
for more info on openid @ website, particularly specifications , libraries: http://openid.net/specs/openid-authentication-2_0.html http://openid.net/developers/libraries/
libraries documentation utilize starting point include:
jopenid (java): http://code.google.com/p/jopenid/wiki/quickstart lightopenid (php): http://code.google.com/p/lightopenid/w/listimplementing openid authentication straight not applicable backend webservice since end user has no involvement (i.e. not supply credentials).
to meet requirement of identifying same user across various 3rd party websites may need become openid provider. , provide farther api allow functionality on 3rd party websites users link openid profile manage.
without beingness actual provider of identity... sharing openid identity 3rd party may potential security/privacy concern or in to the lowest degree against specs of openid (which describes exchange a shared secret between rp , op). though may beyond scope of wanted do, beingness openid provider @ to the lowest degree remove many of privacy issues since users have opt-in explicitly.
i'm not aware of apis handle uniquely identifying users across multiple 3rd party websites without direct user interaction. webservices have written required either direct user credentials supplied (for user aware), or had identify user unique particular client. in later case user authentication not necessary, client blanket authentication , provide own unique id track users, letting the webservice blind constitutes user. requirements not appear fit these mutual scenarios unfortunately.
one final thing consider design api...
providing uniquely identifiable info (i.e. email address) 3rd party may raise eyebrows in net privacy ring. if there financial gain had exchange (advertisments/directly-paying/etc) or if utilize of info unknown/insecure or otherwise unwelcome. http://www.ehow.com/about_5332990_legal-sell-email-list.html http://www.aclu.org/technology-and-liberty/internet-privacy
you may want ensure target clients (the consumers of webservice) have right jargon in terms or can provide sufficient powerfulness users allow them opt-out of beingness submitted service. , create clear doing information...
issues can holds acceptance of api, worth considering.
authentication openid
No comments:
Post a Comment