5

I'm getting confused.

I was able to make openid login kinda work using LightOpenID.

All I get doing that is just an openid_identity such as "https://www.google.com/accounts/o8/id?id=xxx". Pretty disappointing: I was expecting to get the email address too.

i.e. I need to login (that's what openid does) and to know the email address of the google account the user used to login.

There is the function $openid->getAttributes() but all I get from that is just an empty array: I guess google isn't going to give me anything else than that openid_identity.

So I guess I'm supposed to use OAuth, right? I'm clueless about that. I've only found horrible and confused documentation, that either pretends to explain everything (and I do mean everything), or it fails explain anything at all.

Yes, of course I've tried to look at the previous posts about that, just as I did search on google. Read again the above paragraph, please.

Alix Axel
  • 151,645
  • 95
  • 393
  • 500
o0'.
  • 11,739
  • 19
  • 60
  • 87
  • please have a look at my question (might be useful to you) here : http://stackoverflow.com/questions/2667447/how-to-use-the-correct-google-openid-url-to-login-to-my-site So basically as far as I know, that's the way how it is for OpenID at gmail, you cannot have your gmail address expressively as part of your OpenID – Michael Mao Jul 13 '10 at 23:06
  • thanks. If that's so we are back to the second part of the question: `OAuthWTF`? – o0'. Jul 13 '10 at 23:09

4 Answers4

10

I've just discovered LightOpenID and I think it's wonderful. I've managed to get the email address, the first and last name and the prefered language using the following modification of example-gmail.php:

<?php

require_once('openid.php');

if (empty($_GET['openid_mode']))
{
    if (isset($_GET['login']))
    {
        $openid = new LightOpenID();
        $openid->identity = 'https://www.google.com/accounts/o8/id';
        $openid->required = array('namePerson/first', 'namePerson/last', 'contact/email', 'pref/language');

        header('Location: ' . $openid->authUrl());
        //header('Location: ' . str_replace('&amp;', '&', $openid->authUrl()));
    }

    else
    {
        echo '<form action="?login" method="post">' . "\n";
        echo '<button>Login with Google</button>' . "\n";
        echo '</form>' . "\n";
    }
}

else if ($_GET['openid_mode'] == 'cancel')
{
    echo 'User has canceled authentication!';
}

else
{
    $openid = new LightOpenID();

    echo 'User ' . ($openid->validate() ? $_GET['openid_identity'] . ' has ' : 'has not ') . 'logged in.';

    echo '<pre>';
    print_r($openid->getAttributes());
    echo '</pre>';
}

?>

I changed the code to make it a little more readable, the output:

User https://www.google.com/accounts/o8/id?id=*** has logged in.

Array
(
    [namePerson/first] => Alix
    [contact/email] => ***@gmail.com
    [pref/language] => en
    [namePerson/last] => Axel
)

I still can't get the postal code and others from Google but I've had success with myOpenID.com.

Alix Axel
  • 151,645
  • 95
  • 393
  • 500
  • Thanks, but my question is: where is the list of `required` attributes I may ask? I could only find the list of `openix.ax.wtf`, but I have no idea about how to use them in LightOpenID... :/ – o0'. Jul 14 '10 at 10:22
  • Oh, here it is --> http://www.axschema.org/types/ ... still, is there a way to ask google which of these fields is going to export? Or just try them all and some will work while some won't? – o0'. Jul 14 '10 at 10:26
  • Does LightOpenID store the request you made in the `if (isset($_GET['login']))`? It doesn't appear to, yet it should (for performance reasons). In case of Google, it's indifferent, but it may not be if the user-supplied identifier (USI) is the claimed identifier (CI). Let's say you enter myusername.myopenid.com. In the discovery phase for that url, you find out that the endpoint url that responds authoritatively for that identifier. If you don't save that information, in the second phase you'll have to check again if the endpoint has authority over the CI. – Artefacto Jul 14 '10 at 10:30
  • 1
    @Lo'oris: I'm also still pretty green at this. =P I tried them all, but then I found this: http://code.google.com/apis/accounts/docs/OpenID.html#Parameters. Google delivers `country`, `email`, `firstname`, `language` and `lastname`. – Alix Axel Jul 14 '10 at 10:58
  • @Artefacto: No it doesn't. And that's one of the reasons I'm enjoying LightOpenID so much. Ideally you should call the `validate()` method and if it returns true save `$_GET['openid_identity']` in the `$_SESSION` and never worry about it again. That's what I'm getting from this, still I might be wrong or may not have understood what you're trying to ask (I'm really sleepy right now). – Alix Axel Jul 14 '10 at 11:02
  • @Alix It's not wrong, but for user-supplied identifier that don't result in "identifier_select" behavior, this causes an extra discovery. – Artefacto Jul 14 '10 at 12:08
  • @Artefacto: I'm sorry but I'm having trouble understanding what you're saying. Do you mean the usage of `https://www.google.com/accounts/o8/id`? That's specific for the `example-gmail.php` file only. The general example goes something like `$openid->identity = $_POST['openid_identifier'];`. – Alix Axel Jul 14 '10 at 12:27
  • @Artefacto: There seems to be another question regarding `identifier_select` @ http://stackoverflow.com/questions/3015765/is-google-the-only-openid-provider-that-requires-identifier-select/3048335#3048335. I'm failing to understand what this is and what it does. – Alix Axel Jul 14 '10 at 12:31
  • `https://www.google.com/accounts/o8/id` causes user_select behaviour; the user will claim an identifier different from `https://www.google.com/accounts/o8/id`. So that's not really the case. And the general example doesn't change anything. It's really difficult to explain this in this short space. See the [docs](http://openid.net/specs/openid-authentication-2_0.html#verify_disco), 11.2 §3 – Artefacto Jul 14 '10 at 12:32
  • @Artefacto: I still don't fully understand it. I'll have to take a look at this tomorrow, I'm way to tired today. – Alix Axel Jul 14 '10 at 14:22
  • @Alix Well, it's subtle, you have to fully grasp the OpenID workflow. – Artefacto Jul 14 '10 at 14:24
5

You can use OpenID's attribute exchange. See the Google documentation here (in particular, openid.ax.type.email).

Artefacto
  • 96,375
  • 17
  • 202
  • 225
  • 1
    great! While I wasn't able to understand how to "map" those attributes such as `openid.ax.type.email` to LightOpenID's different ones (`contact/email`), knowing that it *could* be done I looked deeper into LightOpenID's documentation and I managed to do it :) thanks – o0'. Jul 14 '10 at 10:20
1

Having a Google account doesn't mean you get a gmail account. You can start a Google account with any email address.

Having said that I don't think its part of the spec to return email addresses or login data as part of the identity.

BC.
  • 24,298
  • 12
  • 47
  • 62
  • 1
    good point. I'd like to get *that* email address, doesn't matter if it's not gmail. – o0'. Jul 13 '10 at 23:11
1

OAuth and OpenID are not the same. They solve completely different things. I'm going under the assumption you checked out: Federated Login for Google Account Users it has a bit more explanation on how the accounts work for Google Accounts.

Solutions:

  1. This is in Python but you should be able to adjust it accordingly for PHP.
  2. This is in .Net - again you should be able to change the AX mode yourself.
Community
  • 1
  • 1
John Wang
  • 6,136
  • 2
  • 28
  • 23