OpenID Dumb Mode Consumer with OpenID4Java
A dumb mode consumer, also called a stateless consumer, is an OpenID assertion consumer that is not capable of, or not willing to, create associations with the OpenID provider. Association is the process of sharing a cryptographic secret between the OpenID provider and the relying party. The OpenID provider uses this shared secret to sign the messages it sends to the relying party, and the relying party uses the same secret to verify the signatures on those messages. Signing messages ensures the integrity and authenticity of the message. Assertion consumers should only trust assertions whose signature has been verified and must discard the rest. Smart consumers verify the messages sent by the OpenID provider using the pre-shared secret. Since dumb consumers have no pre-shared secret, they verify messages with the help of the OpenID provider by sending it a "check_authentication" message over a direct (server-to-server) request; the provider checks the signature it made earlier and answers whether it is valid. Note that this costs one extra round trip to the provider per login, and that a provider answers at most one check_authentication request per assertion, so a verified assertion cannot be re-verified later.

Sequence of operations for a dumb consumer
- User logs in with the OpenID identifier
- Consumer performs discovery based on the user-supplied identifier
- Consumer creates the AuthRequest message
- Consumer redirects the browser to the OpenID provider
- User is authenticated at the OpenID provider and redirected back to the consumer with an AuthResponse message
- Consumer verifies the AuthResponse message with the help of the OpenID provider (check_authentication)
- Instantiating a ConsumerManager object
ConsumerManager dumbManager = new ConsumerManager();
- Switching the consumer manager to the dumb mode by setting the maximum number of association attempts to zero
- Performing discovery on the user supplied openid identifier
List discoveries = dumbManager.discover(identifier);
- Creating the DiscoveryInformation object
Note that by default the consumer manager works in the smart mode and will make up to four attempts to create an association with the OpenID provider. Since we have set the number of attempts to zero, the method only selects and returns the DiscoveryInformation object and makes no association, even though the method is named "associate". Keep the returned object (for example in the HTTP session): it is needed again when the AuthResponse is verified, so that the response can be matched against the endpoint that was discovered.
DiscoveryInformation discovered = dumbManager.associate(discoveries);
- Creating the AuthRequest message
The returnToUrl value must be the URL of the consumer endpoint that receives the AuthResponse. The OpenID provider redirects the user back to this URL, and it is later compared with the openid.return_to parameter of the signed response, so it should be the exact (preferably https) URL of the consumer.
String returnToUrl = httpRequest.getRequestURL().toString();
AuthRequest authRequest = dumbManager.authenticate(discovered, returnToUrl);
- Redirecting the user to the OpenID provider (to the destination URL of the AuthRequest)
- Capturing the AuthResponse message
Map httpReqParams = httpRequest.getParameterMap();
ParameterList authRespParams = new ParameterList(httpReqParams);
- Verifying the AuthResponse
The receivingUrl is the full URL at which the AuthResponse was received, including the query string, because the verification compares it with the openid.return_to parameter of the response. Note that verifiedId will be null if the verification failed; in that case the assertion must be rejected and the user must not be treated as logged in. In the dumb mode this verification is done with the help of the OpenID provider: the consumer manager sends a check_authentication request and trusts the signature only if the provider confirms it.
VerificationResult result = dumbManager.verify(receivingUrl, authRespParams, discovered);
Identifier verifiedId = result.getVerifiedId();
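The steps above assembled into one servlet-side class, as an added example that is not from the original page or from the OpenID4Java project. It assumes the OpenID4Java ConsumerManager API of the 0.9.x/1.0 line together with the Servlet API; the class name, the method names startLogin/finishLogin, the session attribute name "openid-disc", the use of setMaxAssocAttempts(0) to switch to dumb mode and of getDestinationUrl(true) for the redirect are assumptions of this example, not taken from the page.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.ParameterList;

/** Dumb (stateless) OpenID consumer built on OpenID4Java. Example code; all names are assumptions. */
public class DumbModeConsumer {

    // One manager per application: it holds the nonce verifier that rejects replayed responses.
    private final ConsumerManager dumbManager;

    public DumbModeConsumer() throws OpenIDException {
        dumbManager = new ConsumerManager();
        // Zero association attempts = dumb mode: associate() only performs discovery and
        // verify() falls back to a check_authentication request to the provider.
        dumbManager.setMaxAssocAttempts(0);
    }

    /** Step 1: discovery, AuthRequest creation and redirect of the browser to the provider. */
    public void startLogin(HttpServletRequest req, HttpServletResponse resp, String userSuppliedId)
            throws OpenIDException, IOException {
        List discoveries = dumbManager.discover(userSuppliedId);
        DiscoveryInformation discovered = dumbManager.associate(discoveries);

        // Remember what was discovered so the response can be checked against the same endpoint.
        req.getSession().setAttribute("openid-disc", discovered);

        // return_to is the consumer URL that receives the AuthResponse (use https in production).
        String returnToUrl = req.getRequestURL().toString();
        AuthRequest authRequest = dumbManager.authenticate(discovered, returnToUrl);

        // Plain requests fit in a GET redirect; requests carrying large extensions need a POST form.
        resp.sendRedirect(authRequest.getDestinationUrl(true));
    }

    /** Step 2: verify the AuthResponse; returns the verified identifier or null on failure. */
    public Identifier finishLogin(HttpServletRequest req) throws OpenIDException {
        HttpSession session = req.getSession(false);
        DiscoveryInformation discovered = (session == null)
                ? null : (DiscoveryInformation) session.getAttribute("openid-disc");
        if (discovered == null) {
            return null; // no login in progress: the response is unsolicited, reject it
        }
        session.removeAttribute("openid-disc"); // a pending login may be finished only once

        ParameterList authRespParams = new ParameterList(req.getParameterMap());

        // receivingUrl must be the full URL including the query string, because verify()
        // compares it with openid.return_to in the signed response.
        StringBuffer receivingUrl = req.getRequestURL();
        String query = req.getQueryString();
        if (query != null && query.length() > 0) {
            receivingUrl.append('?').append(query);
        }

        // In dumb mode this call sends check_authentication to the provider and also checks
        // the nonce, the return_to URL and the discovered endpoint.
        VerificationResult result = dumbManager.verify(receivingUrl.toString(), authRespParams, discovered);
        Identifier verifiedId = result.getVerifiedId();
        if (verifiedId == null) {
            // Provider did not confirm the signature, nonce was replayed, or the URLs did not
            // match: treat the login as failed, never fall back to the unverified claimed_id.
            return null;
        }
        return verifiedId;
    }
}
```

The consumer keeps a single ConsumerManager because its nonce verifier is what prevents a captured AuthResponse from being replayed; creating a new manager per request would silently lose that protection. The DiscoveryInformation is removed from the session before verification so that a second delivery of the same response cannot complete a second login.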