/
OpenID Support Version 2

OpenID Support Version 2

Dec 17, 2013

Introduction

The current implementation of OpenID support for PLFM is restricted to using Google.com as the provider.  This is a side-effect of how OpenID support was implemented.  The security of the current implementation depended on the OpenID provider to pass along a user's email address as part of authentication because the email address was used to resolve the caller to a Synapse ID.

Since this is not how OpenID was designed to be used, other OpenID providers would not guarantee a users email address.  So as long the implementation depends on the OpendID provider to provide the user's email address, only Google can be used as a provider.

Alternative Implementation

An alternative implementation is to allow a user to "bind" any of their OpenIDs to their Synapse account.  However, this changes the authentication work flow because the user must first authenticate with Synapse using some other means (like password, or API key) and then bind the OpenID to their account.  Once the OpenID is bound to an account the user can log-in using this OpenID.

 

New OpendID REST calls

HTTP TYPE

Response

URL

Request

Description

HTTP TYPE

Response

URL

Request

Description

POST

Session

/openId/authenticate

QueryString

This method is used authenticate a user using OpenID.  Upon success, a session token will be return that can be used with most other REST calls.

After completing the OpenID communication with an OpenID provider, the resulting query string returned from the OpenID provider is passed to this service.  If the query string  signature is valid and the OpenId is bound to a Synpase user the Session token will be returned (201).  If the signature is not valid a 401 will be returned.  If the signature is valid but the OpenID is not bound to a user a Precondition Failed (412) will be returned.  For the latter case, see POST /openid/bind.

POST

String

/openid/bind

SessionToken, QueryString

Before a user can authenticate using OpenID, they must first bind their OpenID to their Synapse user account.  To bind an OpenId to an account the user must first authenticate via some other means (username/password, api key, or even another bound OpenID) to get a session token.  This is necessary to validate that a user actually wants to allow the ID to be bound to their account.  This method is idempotent. This method will return 201 for success with user's OpenID (string).

GET

List<String>

/openid/bind

SessionToken

List the OpenIds bound to a user.  A user can only list their own OpenIDs.

DELETE

Boolean

/openid/bind

SessionToken, OpenID (string)

This call is used to "unbind" and OpenId from a user's account.  Once an OpenID is removed, the caller will no longer be able to authenticate via that OpenID.