OpenID

OpenID is an authentication protocol, wherein OpenID Providers validate the identity of a user for third-party applications. An OpenID Provider is any service/application that provides an OpenID to users. Yahoo, AOL, and others are a few examples of these. Applications that require a user's OpenID to complete transactions are known as OpenID Consumers.

The flow of control in an OpenID Consumer is as follows:

  1. The user is directed to the login page of the supported/selected OpenID Provider.
  2. Once the user completes logging in, the OpenID Provider informs the user about user-related data requested by the OpenID Consumer.
  3. If the user agrees to share the information, the user is redirected to the page originally requested on the consumer application. The information is added to the request URL. These pieces of information are termed attribute properties and are documented at http://openid.net/specs/openid-attribute-properties-list-1_0-01.html.

Play provides an API to simplify OpenID transactions, which is documented at https://www.playframework.com/documentation/2.3.x/api/scala/index.html#play.api.libs.openid.OpenID$.

Two critical methods are as follows:

  • redirectURL: This is used for verifying the user, requesting specific user information, and redirecting the user to the callback page
  • verifiedId: This is used to extract user information from a verified OpenID callback request

Let's build an application that uses OpenID from the provider, Yahoo. We can define the controller as follows:

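import play.api.Play.current
import play.api.libs.concurrent.Execution.Implicits.defaultContext
import play.api.libs.openid.OpenID
import play.api.mvc._

object Application extends Controller {

  // Callback target: renders the attributes taken from a verified OpenID response
  def index = Action.async {
    implicit request =>
      OpenID.verifiedId.map(info => Ok(views.html.main(info.attributes)))
        .recover {
          // No verified OpenID data in this request: send the user to login
          case t: Throwable =>
            Redirect(routes.Application.login())
        }
  }

  // Starts the OpenID flow by redirecting the user to the provider
  def login = Action.async {
    implicit request =>
      val openIdRequestURL: String = "https://me.yahoo.com"
      OpenID.redirectURL(
        openIdRequestURL,
        // Callback URL the provider sends the user back to
        routes.Application.index.absoluteURL(),
        // Required attributes: label -> attribute property
        Seq("email" -> "http://schema.openid.net/contact/email",
          "name" -> "http://openid.net/schema/namePerson/first"))
        .map(url => Redirect(url))
        .recover { case t: Throwable => Ok(t.getMessage) }
  }
}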

In the preceding code snippet, the login method redirects the user to the Yahoo login page (refer to https://me.yahoo.com). Once the user logs in, he or she is asked if the user's profile can be shared with the application. If the user agrees, the provider redirects the user to routes.Application.index.absoluteURL().

The index method expects data shared by the OpenID Provider (Yahoo, in our case) on a successful login. If it is not available, the user is redirected to the login method.

The third parameter for OpenID.redirectURL is a sequence of tuples that indicates the information required by the application (required attributes). The second element in each tuple identifies the attribute property that is requested using OpenID Attribute Exchange, which enables the transport of personal identity information. The first element in each tuple is the label with which the value for the attribute property should be mapped by the OpenID Provider in the callback request's queryString.

For example, the http://openid.net/schema/namePerson/first property represents the user's first name. On successful login, the value of this property and the label provided by the consumer are added to the queryString in the callback. So, openid.ext1.value.name=firstName is added to the login callback.
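
The callback layout described above, as an added example that is not from the book or from Play: a standalone Scala sketch that locates the Attribute Exchange alias in the queryString and keeps only the requested attributes whose fields are listed in openid.signed. The names AxCallback and signedAttributes and the sample callback are constructed for illustration; the sketch does not check the signature itself, so it complements OpenID.verifiedId rather than replacing it.

```scala
// Added example: plain Scala, no Play dependency. All sample values are constructed.
object AxCallback {
  val AxNamespace = "http://openid.net/srv/ax/1.0"

  /** Returns label -> value for attributes that were requested, type-matched and signed. */
  def signedAttributes(query: Map[String, Seq[String]],
                       requested: Seq[(String, String)]): Map[String, String] = {
    def first(key: String): Option[String] = query.get(key).flatMap(_.headOption)

    // openid.signed lists the signed fields without the "openid." prefix
    val signed: Set[String] =
      first("openid.signed").map(_.split(',').map(_.trim).toSet).getOrElse(Set.empty)

    // The provider picks the extension alias (ext1 in the text); find it via openid.ns.<alias>
    val alias: Option[String] = query.collectFirst {
      case (k, vs) if k.startsWith("openid.ns.") && vs.headOption == Some(AxNamespace) =>
        k.stripPrefix("openid.ns.")
    }

    val found = for {
      a            <- alias.toList
      (label, uri) <- requested
      typ          <- first(s"openid.$a.type.$label").toList
      if typ == uri // the provider must echo the attribute property that was requested
      value        <- first(s"openid.$a.value.$label").toList
      if signed(s"$a.type.$label") && signed(s"$a.value.$label")
    } yield label -> value
    found.toMap
  }

  def main(args: Array[String]): Unit = {
    val requested = Seq(
      "email" -> "http://schema.openid.net/contact/email",
      "name"  -> "http://openid.net/schema/namePerson/first")
    // Constructed callback: the "name" fields are signed; the "email" fields are
    // present but not covered by openid.signed, so signedAttributes drops them.
    val query = Map(
      "openid.ns.ext1"          -> Seq(AxNamespace),
      "openid.ext1.type.name"   -> Seq("http://openid.net/schema/namePerson/first"),
      "openid.ext1.value.name"  -> Seq("firstName"),
      "openid.ext1.type.email"  -> Seq("http://schema.openid.net/contact/email"),
      "openid.ext1.value.email" -> Seq("user@example.com"),
      "openid.signed"           -> Seq("return_to,ns.ext1,ext1.type.name,ext1.value.name"))
    println(signedAttributes(query, requested))
  }
}
```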
