‹‹

››

DevGuide

Developer's Guide

Updated Nov 14, 2010 by askxuefeng@gmail.com

Developer's Guide

JOpenID is used in web application to enable users sign on by OpenID standards.

This demonstration shows how to use JOpenID in a Servlet to handle user's sign on request.

This sample Servlet can be found here.

@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String op = request.getParameter("op");
    if (op==null) {
        // check nonce:
        checkNonce(request.getParameter("openid.response_nonce"));
        // get authentication:
        byte[] mac_key = (byte[]) request.getSession().getAttribute(ATTR_MAC);
        String alias = (String) request.getSession().getAttribute(ATTR_ALIAS);
        Authentication authentication = manager.getAuthentication(request, mac_key, alias);
        String identity = authentication.getIdentity();
        String email = authentication.getEmail();
        // TODO: create user if not exist in database:
        showAuthentication(response.getWriter(), identity, email);
    }
    else if ("Google".equals(op)) {
        // redirect to Google sign on page:
        Endpoint endpoint = manager.lookupEndpoint("Google");
        Association association = manager.lookupAssociation(endpoint);
        request.getSession().setAttribute(ATTR_MAC, association.getRawMacKey());
        request.getSession().setAttribute(ATTR_ALIAS, endpoint.getAlias());
        String url = manager.getAuthenticationUrl(endpoint, association);
        response.sendRedirect(url);
    }
    else {
        throw new ServletException("Bad parameter op=" + op);
    }
}

We assume that the MainServlet above has been mapped to /openid in our web application:

If user requests URL /openid?op=Google, then the MainServlet will redirect user to the Google's sign on page, and store the mac key of current association into HttpSession for later use.

After sign on, the user will be redirected back to the MainServlet with URL http://your-domain/openid?parameters.....

To prevent the replay-attack, OpenID standards use a random String called nonce which is different every time when user sign on. And it is our responsibility to check if the nonce is valid.

The nonce String can be got by request.getParameter("openid.response_nonce") like this:

2009-10-21T02:11:39Zrhco-EsNzi8FtQ

It contains two parts: the time "2009-10-21T02:11:39" which time zone is GMT+00:00 and the random String "Zrhco-EsNzi8FtQ".

Web application must check the diff of nonce time and system time is less than 1 hour, and the nonce String is not exist in database. Then store the nonce into database in case of preventing the hacker using the same URL to sign on.

A cron job which cleans the expired nonce in database may needed.

If the nonce is valid, the Authentication object can be got from request with a pre-stored mac key. Use getIdentity() to get the identifier of user. And email can be got by getEmail(), but OP may not returning user's email, which means you may get a null value of email.

How to specify the OP

When you build the redirect URL for end user to sign on, the Endpoint is lookup by the name of OP:

Endpoint endpoint = manager.lookupEndpoint("Google");

Actually JOpenID will load all names of OP as well as its Endpoint URL in openid-providers.properties:

Google = https://www.google.com/accounts/o8/id
Yahoo = http://open.login.yahooapis.com/openid20/www.yahoo.com/xrds

If you want to add more OPs, just create your own openid-providers.properties and place it under /WEB-INF/classes/.

How to design UI for sign on

You may list all OPs in sign on page to let users choose their OpenID accounts. For example:

<p>Please sign on from:<p>
  <p><a href="/openid?op=Google">Google Account</a></p>
  <p><a href="/openid?op=Yahoo">Yahoo Account</a></p>

How to build JOpenID

JOpenID uses Maven 2 since 1.08. You need install Maven 2.2 first, and run following command to build:

C:\workspace\JOpenID> mvn package

The target jar and packaged source jar can be found in 'target' directory.

Comment by subwiz, Feb 23, 2010

A cron job which cleans the expired nonce in database may needed.

What is the ideal time cron-time-gap for cleaning the nonce value?

Comment by erythor...@gmail.com, Apr 21, 2010

An interval of one hour seems appropriate. Since a nonce older than one hour is considered invalid.

Comment by ping2r...@gmail.com, May 1, 2010

Currently it is supporting two providers google and Yahoo. How can i support another providers like facebook,window live etc.? I think i just need to find the end points like described above Google = https://www.google.com/accounts/o8/id

somehow i am not able to find this infor on net. Or do i need to do something else? Ravi

Comment by ibttest...@gmail.com, May 14, 2010

hi... Where can i found openid-providers.properties which supports facebook /linkedin if any one knows please fwd them to vardhanjanu@gmail.com

Comment by LilianeS...@gmail.com, May 27, 2010

Hi , i am a new developer in this field and

I have a question: As i know that the user information is shared with the relying party if the user agree on that so where is this part in the source code , the part that the Identity provider send the user information to the relying party?

waiting for ur replies

thank you, Liliane

Comment by eli.doran, Jun 8, 2010

I'd like to avoid storing those two values into the Session. Can we put them into the return URL so we'll receive them back as request parameters? It seems the OpenIdManager? is designed to hold the same return URL all the time, but, an alternate getAuthenticationUrl method could add the values to the return URL as params. It'd still be thread safe. Could set a cookie too I suppose. What do you think?

Comment by jleib...@gmail.com, Nov 21, 2010

I think there's some slop in this library. Instead of using xml dom on the xrds content you are doing string compares like <URI> looking for tags. That doesn't really work reliably. For instance the document for myopenid.com returns a line that looks like this --

<URI priority="0">http://www.myopenid.com/server</URI>

Where your simple string compare fails as the opening tag isn't an exact match "<URI>". I'd recommend not cutting corners when you're putting out a library you expect people to use.

Comment by Tarkin...@gmail.com, Dec 27, 2010

For those wishing to add providers: Wikipedia list

As far as I can tell, all conforming providers use the alias ax Example:

Live = http://www.passport.net/
Live.alias = ax

Comment by manohar....@gmail.com, Mar 6, 2011

Hi, I downloaded the sample servlet, everything works fine, but when the provider redirects the call back to the servlet, I am seeing a new session being created, so by this, byte mac_key = (byte) request.getSession().getAttribute(ATTR_MAC); String alias = (String) request.getSession().getAttribute(ATTR_ALIAS);

I am getting these values as null. how to solve this. Any help greatly appreciated.

thanks Manohar

Comment by thomas.bruyelle@gmail.com, Jun 21, 2011

@Manobar did you push the attribute in Session before calling the authorization url, as it's done in the MainServlet? sample class ?

Comment by vladimir...@gmail.com, Aug 3, 2011

Hi, how can I relogin under another account after I've logined?

Comment by vani.mit...@gmail.com, Aug 11, 2011

The path to the sample servlet is broken: http://code.google.com/p/jopenid/source/browse/trunk/JOpenId/src/org/expressme/openid/MainServlet.java

What is the correct path?

Comment by arjunkum...@gmail.com, Aug 31, 2011

Hi Vani

Here is the link for jopenid's MainServlet?.java

http://code.google.com/p/jopenid/source/browse/trunk/src/test/java/org/expressme/openid/MainServlet.java

► Sign in to add a comment