Document toolboxDocument toolbox

OpenID Support Version 2

Introduction

The current implementation of OpenID support for PLFM is restricted to using Google.com as the provider.  This is a side-effect of how OpenID support was implemented.  The security of the current implementation depended on the OpenID provider to pass along a user's email address as part of authentication because the email address was used to resolve the caller to a Synapse ID.

Since this is not how OpenID was designed to be used, other OpenID providers would not guarantee a users email address.  So as long the implementation depends on the OpendID provider to provide the user's email address, only Google can be used as a provider.

Alternative Implementation

An alternative implementation is to allow a user to "bind" any of their OpenIDs to their Synapse account.  However, this changes the authentication work flow because the user must first authenticate with Synapse using some other means (like password, or API key) and then bind the OpenID to their account.  Once the OpenID is bound to an account the user can log-in using this OpenID.

 

New OpendID REST calls

HTTP TYPEResponseURLRequestDescription
POSTSession/openId/authenticateQueryString

This method is used authenticate a user using OpenID.  Upon success, a session token will be return that can be used with most other REST calls.

After completing the OpenID communication with an OpenID provider, the resulting query string returned from the OpenID provider is passed to this service.  If the query string  signature is valid and the OpenId is bound to a Synpase user the Session token will be returned (201).  If the signature is not valid a 401 will be returned.  If the signature is valid but the OpenID is not bound to a user a Precondition Failed (412) will be returned.  For the latter case, see POST /openid/bind.

POSTString/openid/bindSessionToken, QueryStringBefore a user can authenticate using OpenID, they must first bind their OpenID to their Synapse user account.  To bind an OpenId to an account the user must first authenticate via some other means (username/password, api key, or even another bound OpenID) to get a session token.  This is necessary to validate that a user actually wants to allow the ID to be bound to their account.  This method is idempotent. This method will return 201 for success with user's OpenID (string).
GETList<String>/openid/bindSessionTokenList the OpenIds bound to a user.  A user can only list their own OpenIDs.
DELETEBoolean/openid/bindSessionToken, OpenID (string)This call is used to "unbind" and OpenId from a user's account.  Once an OpenID is removed, the caller will no longer be able to authenticate via that OpenID.