OpenID is an authentication protocol, wherein OpenID Providers validate the identity of a user for third-party applications. An OpenID Provider is any service/application that provides an OpenID to users. Yahoo, AOL, and others are a few examples of these. Applications that require a user's OpenID to complete transactions are known as OpenID Consumers.
The flow of control in an OpenID Consumer is as follows:
Play provides an API to simplify OpenID transactions, which is documented at https://www.playframework.com/documentation/2.3.x/api/scala/index.html#play.api.libs.openid.OpenID$.
Two critical methods are as follows:
redirectURL: This is used for verifying the user, requesting specific user information, and redirecting the user to the callback page
verifiedId: This is used to extract user information from a verified OpenID callback request

Let's build an application that uses OpenID from the provider, Yahoo. We can define the controller as follows:
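import play.api.Play.current
import play.api.libs.concurrent.Execution.Implicits.defaultContext
import play.api.libs.openid.OpenID
import play.api.mvc._

object Application extends Controller {

  // Callback target: renders the attributes from a verified OpenID response,
  // or sends the user to login when verification fails.
  def index = Action.async { implicit request =>
    OpenID.verifiedId.map(info => Ok(views.html.main(info.attributes)))
      .recover {
        case t: Throwable =>
          Redirect(routes.Application.login())
      }
  }

  // Starts the OpenID flow by redirecting the user to the provider.
  def login = Action.async { implicit request =>
    val openIdRequestURL: String = "https://me.yahoo.com"
    OpenID.redirectURL(
      openIdRequestURL,
      routes.Application.index.absoluteURL(),
      Seq("email" -> "http://schema.openid.net/contact/email",
        "name" -> "http://openid.net/schema/namePerson/first"))
      .map(url => Redirect(url))
      .recover { case t: Throwable => Ok(t.getMessage) }
  }
}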
In the preceding code snippet, the login method redirects the user to the Yahoo login page (refer to https://me.yahoo.com). Once the user logs in, he or she is asked if the user's profile can be shared with the application. If the user agrees, the provider redirects to routes.Application.index.absoluteURL().

The index method expects data shared by the OpenID Provider (Yahoo, in our case) on a successful login. If it is not available, the user is redirected to the login method.

The third parameter for OpenID.redirectURL is a sequence of tuples that indicates the information required by the application (required attributes). The second element in each tuple is the attribute property requested using OpenID Attribute Exchange, which enables the transport of personal identity information. The first element in each tuple is the label to which the OpenID Provider should map the value of the attribute property in the callback request's queryString.

For example, the http://openid.net/schema/namePerson/first property represents the user's first name. On successful login, the value of this property and the label provided by the consumer are added to the queryString in the callback. So, openid.ext1.value.name=firstName is added to the login callback.
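
The label-to-value mapping in the callback can be read back as shown here, keeping only values that the provider's signature covers. This is an added example, not code from the original page or from Play; the names AxCallback and signedAttributes and the sample callback are constructed, and it assumes the response signature itself has already been verified by the OpenID library.

```scala
// Added example (not from the original page or from Play); Scala standard library only.
object AxCallback {
  val AxNamespace = "http://openid.net/srv/ax/1.0"

  /** Returns label -> value for Attribute Exchange values in an OpenID 2.0 callback.
    * `params` has the shape of Play's `request.queryString`.
    * Assumption: the signature itself was already verified by the OpenID library;
    * this only checks which fields that signature covers. */
  def signedAttributes(params: Map[String, Seq[String]]): Map[String, String] = {
    // openid.signed lists the covered fields without the "openid." prefix.
    val signed: Set[String] = params.get("openid.signed").flatMap(_.headOption)
      .map(_.split(',').map(_.trim).toSet).getOrElse(Set.empty[String])

    // The provider picks the extension alias ("ext1" on this page), so resolve it
    // from the namespace URI instead of hard-coding it.
    val alias: Option[String] = params.collectFirst {
      case (key, Seq(ns, _*)) if key.startsWith("openid.ns.") && ns == AxNamespace =>
        key.stripPrefix("openid.ns.")
    }

    // Conservative choice of this example: the alias declaration must be signed too.
    alias.filter(a => signed.contains(s"ns.$a")).map { a =>
      val valuePrefix = s"openid.$a.value."
      params.collect {
        case (key, Seq(value, _*))
            if key.startsWith(valuePrefix) && signed.contains(key.stripPrefix("openid.")) =>
          key.stripPrefix(valuePrefix) -> value
      }
    }.getOrElse(Map.empty[String, String])
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample callback; "ext1.value.email" is deliberately left unsigned.
    val callback = Map(
      "openid.ns.ext1" -> Seq(AxNamespace),
      "openid.ext1.mode" -> Seq("fetch_response"),
      "openid.ext1.type.name" -> Seq("http://openid.net/schema/namePerson/first"),
      "openid.ext1.value.name" -> Seq("Alice"),
      "openid.ext1.value.email" -> Seq("unsigned@example.com"),
      "openid.signed" -> Seq("ns.ext1,ext1.mode,ext1.type.name,ext1.value.name"))
    println(signedAttributes(callback))
  }
}
```

The unsigned email value is dropped, so a parameter appended to the callback URL after the provider signed the response never reaches the application.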