Wednesday, December 30, 2009

Quick Guide to Using Google's OpenID

These notes are based on some work done by Jun Ji in our group.  He's been converting the QuakeSim project's portlets into Google gadgets as a prelude to Open Social integration, as discussed in previous posts.  One problem is that the gadgets need to identify and authenticate the user. We don't have excessive security requirements.  We just need to save the users' interactions with the web interface as persistent sessions ("projects") so that they can be accessed again in later sessions.

This identification step is actually pretty simple to do with OpenID and openid4java, but you may not guess this from Google's documentation (see for example http://code.google.com/apis/apps/sso/openid_reference_implementation.html).   To start, you will need to download the openid4java tar file (see http://code.google.com/p/openid4java/) and unpack it. The openid4java jars need to go in your webapp's WEB-INF/lib directory, as usual.

Next, you need to copy the provided samples consumer_redirect.jsp and consumer_returnurl.jsp to your webapp's directory. They are in ./samples/simple-openid/src/main/webapp/ of the openid4java download.   You will need to modify them a little: consumer_redirect.jsp, for example, has a variable returnToUrl that needs to be changed to use your webapp's name. For our other modifications to these files, see the source code at SourceForge: http://crisisgrid.svn.sourceforge.net/viewvc/crisisgrid/QuakeSim2/portlets_dev/Disloc3/src/main/webapp/


This completes the setup.  You can now make a simple login page like the one below (call it index.jsp or whatever).  You need to do the following:
  1. See if a logout action has been requested.  If so, clean up relevant OpenID session variables.
  2. See if the openid attribute has been set.  If so, give the user an option of logging out or navigating on to other pages.
  3. Otherwise, redirect the user to the Google OpenID login page.  
Here's what the JSP page looks like:
<%@ page session="true" %>
<html>
<body>
<%
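    // Logout: clear every attribute the OpenID login left in the session,
    // including email and openid-disco, so nothing identifying lingers.
    if (request.getParameter("logout")!=null)
    {
        session.removeAttribute("openid");
        session.removeAttribute("openid-claimed");
        session.removeAttribute("openid-disco");
        session.removeAttribute("email");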
%>
    Logged out!<p>
<%
    }
    if (session.getAttribute("openid")==null) {
%>
<form method="POST" action="consumer_redirect.jsp">
<strong><br>QuakeSim2 OpenID login test page:<br><br>
</strong>
<input type="hidden" name="openid" value="https://www.google.com/accounts/o8/id" size="60"/><br>
<input type="submit" value="Log in to Google"/>
</form>
<%
} else {
%>

Logged in as <%= session.getAttribute("openid") %><p>
email address <%= session.getAttribute("email")%><p>
<a href="?logout=true">Log out</a>

<% } %>

</body>
</html>

Note that the form action sends the user to the consumer_redirect.jsp page we took from openid4java.  The hidden parameter openid is sent to consumer_redirect.jsp and tells it to redirect to the Google login page. The consumer_returnurl.jsp page acts like a callback page and tells the Google login form where to redirect the browser request if login was successful.  Your future requests will be filtered through this servlet, which can enforce verification.

Finally, note that several session variables will be set. Here are some sample name-value pairs (just use session.getAttributeNames() in index.jsp and list them):

openid-disco OpenID2 OP-endpoint:https://www.google.com/accounts/o8/ud ClaimedID:null Delegate:null
email marpierc AT gmail.com
openid-claimed https://www.google.com/accounts/o8/id?id=ABCdefg-hIJKLMNop
openid https://www.google.com/accounts/o8/id?id=ABCdefg-hIJKLMNop


You may want to use these in other applications.  We use the email attribute to identify the user for database purposes.  You may also want to use these variables to associate a successful OpenID login with a legacy user entry in your database.

1 comment:

Varun said...

thank you so much