I'm using OpenID library LightOpenID to get users to login in to their favourite provider and pass on some information to my system.
With LightOpenID this looks something like:
$openid = new LightOpenID('localhost');
if(!$openid->mode) {
$openid->identity = 'https://www.google.com/accounts/o8/id';
$openid->required = array(
'country' => 'contact/country/home',
'email' => 'contact/email',
'firstname' => 'namePerson/first',
'language' => 'pref/language',
'lastname' => 'namePerson/last',
);
header('Location: ' . $openid->authUrl());
} elseif($openid->mode == 'cancel') {
echo 'User has canceled authentication!';
} else {
echo 'User ' . ($openid->validate() ? $openid->identity . ' has ' : 'has not ') . 'logged in.';
echo '<pre>'.print_r($openid->data, true).'</pre>';
}
By setting the required property, I'm able to ask OpenID providers (such as Google) for some user details. If my research is correct, this is called "Attribute Exchange".
Now, here I've got to problems (to keep this short):
1. Only a couple or so providers list the attributes they support. I think I'm missing something here, thought it would be obvious of providers to list these attributes. By any chance, is there some way I could "discover" these attributes through protocol?
2. This is the main problem I'm facing. Basically, the information (attributes) I requested are passed over to my server after the user successfully logs in and approves. This is fine and normal - there won't be persistent storage of this data unless my system does it. The problem, however, is that I need to get this data some time after the user did log in.
If I had to do this with Facebook, it would be using $fb->api('/me');. Interestingly enough, if I redirect the user to the login page while he is logged in, he gets redirected to my website with the information I need. But this process needs to be done on the server, and I guess a simple CURL request to the provider won't get me those fields. Perhaps something from the original login response parameters might help?
TL:DR; How do I get Attribute Exchange fields after the user logged in without persistent storage from my side?
PS: I'm using sessions as persistent storage; for now I'm just storing the openid identity url, but I can add more stuff if needed. However, I just can't store all the fields given by the openid login response (name, surname, email etc).
Misc Links / Notes
I must admit there's a lot of stuff in OpenID I don't fully understand. As such, I'll try to keep some notes or "facts" which might help future readers.
- List of OpenID attributes
- Question: Why do all schema URLs result in 404s (http://schemas.openid.net/) or strange errors (http://axschema.org)?
- Additional question: I thought having responsive schema URLs is important to the specification's implementation. If not, what's the point of such URLs?
- List of some common OpenID provider URLs
OpenID doesn't work that way unless it also supports OpenID+OAuth, in which case you might do the same thing as Facebook; you simply call their API to get the user details using the access token you've been given in the positive assertion.
The AX scheme is pretty flexible; you can ask for a field using two different URI's for instance; some providers will support
axschemaand the otherschema.openid.net.It's okay to ask for emails in two ways; just include it using different aliases, e.g.:
This way you don't have to know beforehand which attribute types the provider supports.
Edit
That's because they don't need to actually exist as a document, it's just a convention.
The OpenID implementers just couldn't agree on one uniform set of attribute types; this is bad for adoption, as can be read here.