I'm implementing an OpenID based login system with LightOpenID. Following the documentation, I use the $openid->identity
property to set and get the identity supplied by the user:
Set it before calling authUrl(), and get after validate().
So I do as follows:
<?php
require_once 'openid.php'; // LightOpenID's single source file

// Newer LightOpenID releases require your site's host name here (placeholder);
// older releases take no constructor argument.
$openid = new LightOpenID('yoursite.example');

if( !$openid->mode ){
    if( isset($_POST['openid']) ){
        // Auth required: set the identifier the user typed, then redirect to the provider
        $openid->identity = $_POST['openid'];
        header('Location: ' . $openid->authUrl());
        exit;
    }
}elseif( $openid->mode == 'cancel' ){
    // Cancelled by user
}else{
    if( $openid->validate() ){
        // Success: read back the identity the provider asserted
        $user = $openid->identity;
    }else{
        // Error: the assertion did not validate
    }
}
When I test the system with delegation (I believe that's the technical name: I type my domain name in the login box and get authenticated with a third-party provider) the resulting identity is not always the one I initially typed and this behaviour seems to depend on the provider behind the scenes. More specifically, if I type http://example.com/, Yahoo will always return https://me.yahoo.com/XXXXXXXXXX#5ab6d, where XXXXXXXXXX is my Yahoo username. As a result, I can't reliably identify recurring users: as soon as they switch providers, they'll lose their account data in my site:

    ["openid_claimed_id"] => string(37) "https://me.yahoo.com/XXXXXXXXXX#5ab6d"
    ["openid_identity"] => string(31) "https://me.yahoo.com/XXXXXXXXXX"
My questions:
- Is this behaviour correct?
- Is my code wrong?
(Please correct me if I'm misusing any term. Everything around OpenID tends to overcomplication, esp. the terminology.)
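An added example, written for this page and not the asker's code nor part of LightOpenID, showing how a relying party can resolve the two values dumped above (openid_claimed_id and openid_identity, the form PHP gives openid.claimed_id and openid.identity) to an account after validate() has succeeded. It assumes PHP 7.1 or later; the two sample assertions, the accounts array and the identifier-link array are constructed for illustration, and the function names are the example's own.

```php
<?php
// Constructed: two positive assertions as a provider might return them, in the
// underscore form the question's var_dump shows (PHP rewrites "openid.claimed_id"
// to "openid_claimed_id" when it parses the request).
$responses = [
    ['openid_claimed_id' => 'https://me.yahoo.com/XXXXXXXXXX#5ab6d',
     'openid_identity'   => 'https://me.yahoo.com/XXXXXXXXXX'],
    ['openid_claimed_id' => 'http://example.com/',
     'openid_identity'   => 'https://me.yahoo.com/XXXXXXXXXX'],
];

// Constructed: an accounts table keyed by account id, plus a link table mapping
// every Claimed Identifier a user has asserted to that account id. One account
// may own several identifiers, so a user who signs in through a different
// identifier keeps their data once the new identifier has been linked.
$accounts      = [1 => ['name' => 'alice']];
$identityLinks = ['https://me.yahoo.com/XXXXXXXXXX#5ab6d' => 1];

// Normalise only what OpenID 2.0 discovery normalises: scheme and host are
// case-insensitive and an empty path becomes "/". The fragment is deliberately
// kept: providers such as Yahoo use it for identifier recycling, so two values
// that differ only in the fragment belong to different people and must not be
// merged into one account.
function normalizeClaimedId(string $id): string {
    $p = parse_url($id);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("not an absolute URL identifier: $id");
    }
    $url = strtolower($p['scheme']) . '://' . strtolower($p['host']);
    if (isset($p['port']))     { $url .= ':' . $p['port']; }
    $url .= $p['path'] ?? '/';
    if (isset($p['query']))    { $url .= '?' . $p['query']; }
    if (isset($p['fragment'])) { $url .= '#' . $p['fragment']; }
    return $url;
}

// What to show the user: the fragment stripped, which is fine for display but
// never for lookup.
function displayId(string $id): string {
    return explode('#', $id, 2)[0];
}

// Resolve a validated assertion to an account id, or null when the identifier
// is unknown and must be registered or linked to an existing account.
function findAccount(array $response, array $links): ?int {
    // Key on openid_claimed_id, never on openid_identity alone: the OP-local
    // identity is the same Yahoo user whichever URL was typed in the box and
    // says nothing about which identifier the user actually claimed.
    if (empty($response['openid_claimed_id'])) {
        return null;
    }
    $key = normalizeClaimedId($response['openid_claimed_id']);
    return $links[$key] ?? null;
}

foreach ($responses as $r) {
    $id   = $r['openid_claimed_id'];
    $acct = findAccount($r, $identityLinks);
    if ($acct === null) {
        // Unknown identifier: either a new user, or a signed-in user who wants
        // this identifier linked to the account they already have.
        echo displayId($id), ": no account yet\n";
    } else {
        echo displayId($id), ": account #", $acct, " (", $accounts[$acct]['name'], ")\n";
    }
}
```

Run as a script, the first assertion resolves to account #1 and the second (the delegated http://example.com/ identifier) resolves to no account, which is exactly the situation the question describes: the cure is to let an account own more than one Claimed Identifier, not to key on the OP-local identity.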