StackExchange OAuth and OpenID Authentication? - php

I have been having a goosey around the login functions of Stack Exchange, and I have noticed that, depending on what you click, it adjusts a form with either OAuth information or OpenID information in the form of the query, which submits the form to a script inside Stack Exchange. I was wondering if anyone had information on how the script would communicate with that particular service and use the returned information to log in, as well as fetch additional information about that account from the service.
If anyone has any scripts or snippets, PHP would be preferred.

The Janrain OpenID Libraries are pretty good. They have a few quirks when it comes to extending them, but I think for your purposes they will be fine.
Facebook does NOT do OpenID. For Facebook you will need to use a different library (and that is something I have not done, so I cannot comment on it).

Related

Google Spreadsheet User login

Okay, so I have a client that wants their WordPress site to only require users to use their email to log in. They instead want the site to read through a Google spreadsheet of all the users. Then if the user's email is found in the spreadsheet, it allows the user to log in.
Before people start screaming, I know it's extremely bad from a security standpoint; we've told them this. They don't care.
So my question is, has anyone done this or something similar in the past? How did you do it?
And what would you say is the best way to go about doing this? So far I have thought of a few ways to do it.
Secretly embed the doc on a hidden web page, then access it.
Somehow just access it using APIs.
Maybe use Google Forms as the email entry, and somehow use that to search the Google Docs.
Any ideas or help are appreciated greatly. Thank you.
Logging in via an email address is easy, there are already plugins to do it. https://wordpress.org/plugins/wp-email-login/
There is also a plugin for external authentication. Don't know if it does it from a spreadsheet, though you may have a way to sync the spreadsheet to an external DB (via an API perhaps):
https://wordpress.org/plugins/external-db-auth-reloaded/
Would you need the logged in user to have any user-specific account info? Could you get by with allowing each logged in user to essentially be using the same single account in WordPress?
I could see a solution where you hook into wp_authenticate() https://codex.wordpress.org/Plugin_API/Action_Reference/wp_authenticate
And in your hook function call, run out to Google Spreadsheet via their API and see if that email address is found in the list. If so, log them into WP using a preset, single account that's meant to be used for all such users.
Here's some basic info for reading from a Google Sheet via their API:
https://developers.google.com/sheets/samples/reading

Is there a secure php-ajax code available?

In many places (Google, Yahoo, Stack Exchange...) I found that Ajax coding (for example a PHP+Ajax login system) is not, and cannot be, secure enough. There are so many reservations about Ajax security, and nowhere can you find an example of secure Ajax code.
At the same time, all these sites (even Facebook, Twitter...) USE a lot of Ajax code, for registering and logging in users, for commenting features, etc. Seems like a Top Secret matter.
So, could someone show an example of secure PHP-Ajax code?
An AJAX request is just like a normal browser request, just in the background. So if you would normally have a login form that posts data to your checklogin.php, you can do the same with AJAX and it's equally secure.
Another thing to keep in mind is cross-site JavaScript calls. These are used, for example, when you are creating apps on Facebook to transfer data from/to your server. These requests have to be signed to make sure the data is coming from a valid source. This is done by using a secret and public key. These sites use OAuth to handle these requests. You can also implement this in your own site, but for any regular authentication (login/post messages/etc.) this will not be needed. Just code like you would if it were a regular request.

PHP Openid selector try_auth file

I am trying to implement openid-selector on my website. I wonder what the try_auth file is that I need for my openid-selector to work?
All I want is for users to log in to my website using only their Google account, so could anyone help me out? I have been doing a lot of research and I didn't find a successful way of doing so. I am using PHP for my back-end development.
Perhaps if someone could help explain how everything works, that would be great. Also, I didn't plan to use a DB to store any user logins. I know I have to have a session variable to check on every page whether the user has logged in or not.
openid-selector is just a nice front-end for choosing which OpenID provider to use for signing in.
You also need a library that does the according back-end stuff. In your case this missing file is part of php-openid: https://github.com/openid/php-openid

open id or single sign on like stackoverflow

I'm very impressed with the idea of Stack Overflow; the way they provide the login options is very easy for any user. If I have to do the same thing on my website, how is it going to work? What will be the coding structure and code snippets for the same in PHP, MySQL and JavaScript (Ajax)?
https://stackoverflow.com/users/login
Here is a simple OpenID class, that provides some functionality. First, you need to register an OpenID URL, then, simply type your OpenID in form in openid-example.php and it will redirect you to your OpenID provider, just as you do it on StackOverflow. Then, after your confirmation, it will redirect you back with some personal information, which you can use on your site.

Handling Google OpenID

I'm trying to implement Google OpenID for my website, but I'm struggling to figure out how to handle the OpenID response I get.
At the moment, when you click a login button, it takes you to the Google site, asks you to log in there, and when I click 'Sign In' it takes me back to my site and I get the following in the URL:
http://mysite.com/return.php?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.mode=id_res
&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud
&openid.response_nonce=2009-11-07T02%3A50%3A43Zv7QGuR9bs7yijw
&openid.return_to=http%3A%2F%2Fmysite.com%2Freturn.php
&openid.assoc_handle=AOQobUfDUg3KHwhcQlAgh4cjISdyflaGuGzWJEpNzR8TnufNIvKLBex4
&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle
&openid.sig=FRIZWu78OrjWgb%2Fkiqq%2B63Zs8Pk%3D
&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawn34aUewQCm4U9DSwJFm4rVyyw9Zi6S_1k
&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawn34aUewQCm4U9DSwJFm4rVyyw9Zi6S_1k
Now I have absolutely no idea what to do with this.
Could someone point me in the right direction please?
Thanks
Use the php-openid library to make OpenID requests and verify the responses from your PHP-based website. Rolling your own OpenID is very complicated, and includes complex things like cryptography (e.g. Diffie-Hellman key exchange).
The OpenID specification is an interesting read if you'd like to understand how things work, even if implementing it all would be too tedious. Here are some more developer resources.
To help get you started: In OpenID terminology your website is called a 'relying party' or 'consumer'. Google in this case, would be the 'identity provider' (a service that authenticates users).
There are also specifics on Google's OpenID implementation online.
But again, I highly recommend using a library.
See PHP library for OpenID for a list of PHP OpenID libraries. As Andrew Amott said, implementing it yourself is not trivial.
Now Google has made handling of OpenID requests and other implementation details very easy: just log in to https://code.google.com/apis/console (known as the developers console), create the project, click on Identification Toolkit, provide the information, and provide a simple link on your website, and OpenID is implemented.
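
An added example, not part of the original question or answers and not code from php-openid: relying-party pre-checks on the id_res response shown in the question, which complement the library's signature verification and do not replace it. The function names openid_params and precheck, the five-minute nonce window, the in-memory nonce store and the fixed clock value are assumptions made for illustration.

```php
<?php
// Added example: sanity checks on an OpenID 2.0 response before signature verification.
const EXPECTED_RETURN_TO = 'http://mysite.com/return.php';          // from the question
const EXPECTED_ENDPOINT  = 'https://www.google.com/accounts/o8/ud'; // from the question
const MAX_NONCE_AGE      = 300; // assumption: accept nonces up to 5 minutes old

// parse_str()/$_GET turn "openid.mode" into "openid_mode", so split the raw query.
function openid_params(string $query): array {
    $out = [];
    foreach (explode('&', $query) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $k = urldecode($k);
        if (strncmp($k, 'openid.', 7) === 0) $out[substr($k, 7)] = urldecode($v);
    }
    return $out;
}

function precheck(array $p, int $now, array &$seen): array {
    $err = [];
    if (($p['mode'] ?? '') !== 'id_res') $err[] = 'mode is not id_res';
    if (($p['return_to'] ?? '') !== EXPECTED_RETURN_TO) $err[] = 'return_to mismatch';
    if (($p['op_endpoint'] ?? '') !== EXPECTED_ENDPOINT) $err[] = 'unexpected op_endpoint';
    // OpenID 2.0: these fields must be listed in openid.signed.
    $need = ['op_endpoint', 'return_to', 'response_nonce', 'assoc_handle'];
    foreach (['claimed_id', 'identity'] as $f) if (isset($p[$f])) $need[] = $f;
    $missing = array_diff($need, explode(',', $p['signed'] ?? ''));
    if ($missing) $err[] = 'not covered by signature: ' . implode(',', $missing);
    // response_nonce begins with a UTC timestamp; reject stale or repeated values.
    $nonce = $p['response_nonce'] ?? '';
    $ts = DateTime::createFromFormat('Y-m-d\TH:i:s\Z', substr($nonce, 0, 20), new DateTimeZone('UTC'));
    if ($ts === false) $err[] = 'malformed response_nonce';
    elseif (abs($now - $ts->getTimestamp()) > MAX_NONCE_AGE) $err[] = 'stale response_nonce';
    elseif (isset($seen[$nonce])) $err[] = 'replayed response_nonce';
    else $seen[$nonce] = true;
    return $err;
}

// The query string from the question, joined back into one string.
$query = 'openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res'
    . '&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud'
    . '&openid.response_nonce=2009-11-07T02%3A50%3A43Zv7QGuR9bs7yijw'
    . '&openid.return_to=http%3A%2F%2Fmysite.com%2Freturn.php'
    . '&openid.assoc_handle=AOQobUfDUg3KHwhcQlAgh4cjISdyflaGuGzWJEpNzR8TnufNIvKLBex4'
    . '&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle'
    . '&openid.sig=FRIZWu78OrjWgb%2Fkiqq%2B63Zs8Pk%3D'
    . '&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawn34aUewQCm4U9DSwJFm4rVyyw9Zi6S_1k'
    . '&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawn34aUewQCm4U9DSwJFm4rVyyw9Zi6S_1k';
$seen = []; $p = openid_params($query);
$now = strtotime('2009-11-07T02:52:00Z'); // constructed clock, shortly after the nonce
var_dump(precheck($p, $now, $seen)); // first delivery of the response
var_dump(precheck($p, $now, $seen)); // the same response delivered again
```

On a real site the nonce store has to persist across requests (a database table or cache), and the response is accepted only after the library has also verified openid.sig.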
