php - Using OpenID without requiring users to know their OpenID url?

Question

I'm implementing an OpenID provider and have it running smoothly for standard OpenID requests (where the end-user knows their OpenID url). However I want consumers to be able to use the provider without knowing the end-users OpenID url up-front, this will be determined when the user logs in.

I found that this is theoretically possible by reading this stackoverflow question, however it doesn't provide a lot of detail for me to be able to gather the required information to develop this myself, fact that it's DotNet doesn't help.

Can anyone direct me to where I might find more information on how this is set up?

I'm using Zend Framework, but couldn't find any useful information in it's documentation.

Answer 1

An OpenID is a URL, so I don't see how you could log in without knowing it anymore than you could log in without knowing a username for traditional authentication.

Having stated that for the record, if your goal is just to help the user along, perhaps you could provide some sort of dropdown that lists common providers, asks for the relevant parts, and allows the user to fill them in?

Since OpenID is decentralized, and any site can become an OpenID, there is no way to predict all the URLs that could be used, but you could certainly cover the popular ones. In fact, this SO post covers them.

An "other" option could allow direct entry of a URL to handle all the other cases.

I'd say that, plus the Zend_OpenId_Consumer/Zend_Auth integration doc would make an excellent place to start.

Answer 2

A consumer can specify that the provider "SHOULD choose an Identifier that belongs to the end user". In such a case, the provider will choose the identifier that belongs to the user (i.e. the user logged in onto the provider most likely) and the consumer does not have to provide an openid url. See the section 9.1. Request Parameters, item openid.identity on the OpenId specification page. Basicly, the parameter openid.identity is set to http://specs.openid.net/auth/2.0/identifier_select.

With regard to your question on how to set this up: For more information you should read the specification of OpenId 2.0 Also, it might be useful to read on Google's OpenId developer page.