OpenID Dumb Mode Consumer with OpenID4Java

A dumb mode consumer, or stateless consumer, is an OpenID assertion consumer that is not capable of, or not willing to, create associations with the OpenID provider. Association is the process of sharing a cryptographic secret between the OpenID provider and the relying party. The OpenID provider uses this shared secret to sign the messages it sends to the relying party, and the relying party uses it to verify the signatures on those messages. Signing messages is important for ensuring their integrity and authenticity. Assertion consumers should trust only assertions whose signature has been verified and should discard all others. Smart consumers verify the messages sent by the OpenID provider using the pre-shared secret. Since dumb consumers have no pre-shared secret, they verify messages with the help of the OpenID provider by sending a "check_authentication" message.
Sequence of operations for a dumb consumer
  1. User logs in with the OpenID identifier
  2. Consumer performs discovery on the user-supplied identifier
  3. Consumer creates the AuthRequest message
  4. Consumer redirects the browser to the OpenID provider
  5. User is authenticated at the OpenID provider and redirected back to the consumer with an AuthResponse message
  6. Consumer verifies the AuthResponse message with the help of the OpenID provider.
To see the dumb mode consumer in operation, you can download the demo application WAR file and run it in Apache Tomcat. The source code of the application is available here. Use Maven 2 to build the project. Deploy the WAR file in Apache Tomcat and open http://localhost:8080/openid-dumb-consumer-app/

  • Instantiating a ConsumerManager object
ConsumerManager dumbManager = new ConsumerManager();
  • Switching the consumer manager to the dumb mode
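  • Performing discovery on the user-supplied OpenID identifier
// userSuppliedIdentifier holds the OpenID the user entered (variable name assumed)
List discoveries = dumbManager.discover(userSuppliedIdentifier);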
  • Creating the DiscoveryInformation object
DiscoveryInformation discovered = dumbManager.associate(discoveries);
Note that by default the consumer manager works in smart mode and makes four attempts to create an association with the OpenID provider. Since we have set the number of attempts to zero, the method returns only the DiscoveryInformation object and makes no association, even though the method is named "associate".
  • Creating the AuthRequest message
AuthRequest authRequest = dumbManager.authenticate(discovered, returnToUrl);
The returnToUrl value must be the URL of the consumer.
String returnToUrl = httpRequest.getRequestURL().toString();
  • Redirecting the user to the openid provider
  • Capturing the AuthResponse message
Map httpReqParams = httpRequest.getParameterMap();
ParameterList authRespParams = new ParameterList(httpReqParams);
  • Verifying the AuthResponse
VerificationResult result = dumbManager.verify(receivingUrl, authRespParams, discovered);
Identifier verifiedId = result.getVerifiedId();
Note that verifiedId will be null if the verification failed. This verification is done with the help of the OpenID provider.
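The steps above put together in one servlet, as an added example that is not taken from the original post or its demo application. The class name, the "openid_identifier" form field and the session attribute keys are assumptions. It shows the two parts the snippets leave out: keeping the DiscoveryInformation between the redirect and the return, and rebuilding receivingUrl with its query string.

```java
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.ParameterList;

// Assumed names: class, "openid_identifier" form field, session attribute keys.
public class DumbConsumerServlet extends HttpServlet {
    private ConsumerManager dumbManager;
    @Override public void init() throws ServletException {
        try {
            dumbManager = new ConsumerManager();
            dumbManager.setMaxAssocAttempts(0); // dumb mode: never try to associate
        } catch (Exception e) { throw new ServletException(e); }
    }
    @Override protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, java.io.IOException {
        HttpSession session = req.getSession();
        try {
            String userId = req.getParameter("openid_identifier");
            if (userId != null) { // steps 1-4: login form was submitted
                List discoveries = dumbManager.discover(userId);
                DiscoveryInformation discovered = dumbManager.associate(discoveries);
                session.setAttribute("openid-disc", discovered); // needed again by verify()
                AuthRequest authRequest =
                        dumbManager.authenticate(discovered, req.getRequestURL().toString());
                resp.sendRedirect(authRequest.getDestinationUrl(true));
                return;
            }
            // steps 5-6: the provider has redirected the browser back to us
            DiscoveryInformation discovered =
                    (DiscoveryInformation) session.getAttribute("openid-disc");
            if (discovered == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
            StringBuffer receivingUrl = req.getRequestURL(); // must include the query string
            if (req.getQueryString() != null) receivingUrl.append('?').append(req.getQueryString());
            VerificationResult result = dumbManager.verify(receivingUrl.toString(),
                    new ParameterList(req.getParameterMap()), discovered);
            if (result.getVerifiedId() == null) { // not confirmed by the provider: discard
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "OpenID verification failed");
                return;
            }
            session.setAttribute("verified-openid", result.getVerifiedId().getIdentifier());
            resp.getWriter().println("Signed in");
        } catch (Exception e) { throw new ServletException(e); }
    }
}
```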
