QuickStart
Brief introduction to OpenID-enabling your webapp
Quick Start

Once you have installed the library and have obtained the user's OpenID identifier, add the following code to have your webapp perform authentication using OpenID:

Instantiate a ConsumerManager Object

    public ConsumerManager manager;

    public SampleConsumer() throws ConsumerException
    {
        manager = new ConsumerManager();
    }

The ConsumerManager will do all the OpenID hard work for you.

Define a ReturnURL

This is the endpoint where your webapp will receive and process the authentication responses from the OpenID Provider.

    String _returnURL = "http://example.com/openid";

Create an Authentication Request

    // perform discovery on the user-supplied identifier
    List discoveries = manager.discover(userSuppliedString);

    // attempt to associate with the OpenID provider
    // and retrieve one service endpoint for authentication
    DiscoveryInformation discovered = manager.associate(discoveries);

    // store the discovery information in the user's session for later use
    // leave out for stateless operation / if there is no session
    session.setAttribute("discovered", discovered);

    // obtain an AuthRequest message to be sent to the OpenID provider
    AuthRequest authReq = manager.authenticate(discovered, _returnURL);

Redirect the User to Their OpenID Provider

    httpResp.sendRedirect(authReq.getDestinationUrl(true));

Verify the OpenID Provider's Authentication Response

Receive the response at your webapp's ReturnURL and process it like this:

    // extract the parameters from the authentication response
    // (which comes in as an HTTP request from the OpenID provider)
    ParameterList openidResp = new ParameterList(request.getParameterMap());

    // retrieve the previously stored discovery information
    DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute("discovered");

    // extract the receiving URL from the HTTP request
    StringBuffer receivingURL = request.getRequestURL();
    String queryString = request.getQueryString();
    if (queryString != null && queryString.length() > 0)
        receivingURL.append("?").append(queryString);

    // verify the response (manager is the ConsumerManager instantiated above)
    VerificationResult verification = manager.verify(receivingURL.toString(), openidResp, discovered);

    // examine the verification result and extract the verified identifier
    Identifier verified = verification.getVerifiedId();
    if (verified != null) {
        // success, use the verified identifier to identify the user
    } else {
        // OpenID authentication failed
    }

Where to go next?

You can see all the above put together in the SampleConsumer class.
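
The verification step above, written out as a ReturnURL servlet that treats every error as a failed login (an added example, not code from the original page or from the openid4java project). The class name, the redirect paths, the "openid.user" session attribute and the "consumerManager" servlet-context attribute holding the shared ConsumerManager are assumptions; the example also assumes session-based operation, so a response with no stored discovery information is rejected.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.ParameterList;
// Hypothetical servlet mapped to the ReturnURL (names and paths are assumptions).
public class OpenIdReturnServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Assumption: the application stored the ConsumerManager that built the
        // authentication request in the servlet context under this name.
        ConsumerManager manager =
                (ConsumerManager) getServletContext().getAttribute("consumerManager");
        HttpSession session = request.getSession(false);
        DiscoveryInformation discovered = null;
        if (session != null) {
            discovered = (DiscoveryInformation) session.getAttribute("discovered");
            session.removeAttribute("discovered"); // one response per login attempt
        }
        StringBuffer receivingURL = request.getRequestURL();
        String queryString = request.getQueryString();
        if (queryString != null && queryString.length() > 0) { receivingURL.append("?").append(queryString); }
        Identifier verified = null;
        try {
            // Only verify a response that belongs to a login started in this session.
            if (manager != null && discovered != null) {
                ParameterList openidResp = new ParameterList(request.getParameterMap());
                verified = manager.verify(receivingURL.toString(), openidResp, discovered)
                        .getVerifiedId();
            }
        } catch (OpenIDException e) {
            log("OpenID verification error", e); // any error counts as a failed login
        }
        if (verified == null) {
            response.sendRedirect(request.getContextPath() + "/login-failed");
            return;
        }
        // Start a fresh session before storing the identity (avoids session fixation).
        session.invalidate();
        request.getSession(true).setAttribute("openid.user", verified.getIdentifier());
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```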
Note that the same instance of ConsumerManager is used for association/authentication and verification. Otherwise, verification fails (or at least it did for me). It looks like ConsumerManager is thread-safe, but it'd be really nice to get some confirmation that it is safe to share a single instance between all requests.