php mysql openid attribute-exchange

Using OpenID with an existing website login system


I have recently implemented Google and Yahoo's OpenID endpoints into my authentication system on my site so that users can avoid creating an account on my site. Pretty common practice, right?

I have a specific question though, but first a little background information.

When I get through the three-legged authentication I used Attribute Exchange to get the user's name and email address. Currently, I am storing their OpenID (a long string that looks like this: https://me.yahoo.com/a/2Z7LplQsnI_DgtAw... followed by a bunch of alphanumeric characters) in a special field in the users table.

Let's say my users table looks like this.

type  id  password                          email             key
1     1   0e9212587d373ca58e9bada0c15e6fe4  test@example.com
2     1   b8d2f4a50d2b364ff2766556ba50da48  me@gmail.com      https://www.google.com/accounts/o8/id?id=AItOawll6-m_y…
2     2   6687d5d88b359ee1340717ebf0d1afc6  you@gmail.com     https://www.google.com/accounts/o8/id?id=AItOawm3-C_9…
3     1   fd193c2fa449c9d6dc201d62d5ca86d3  him@yahoo.com     https://me.yahoo.com/a/2Z7LplQsnI_DgtAw…
1     2   2e710b13b3dd787e2b15eab3dde508c2  person@site.com

types
1 = native account
2 = Google OpenID
3 = Yahoo OpenID

When a user logs in with a native account, the email and password are used to authenticate (duh).

When a user uses Google or Yahoo OpenID, then the OpenID (key field) is used to authenticate.

Okay, now that all the background information is out of the way... will it be secure if I forget about storing the OpenID itself and simply use the email I got back from Attribute Exchange to authenticate the user? Can someone spoof the third leg of an OpenID transaction or can I trust that whenever I get you@gmail.com from the Attribute Exchange portion of an OpenID transaction with Google that it is genuine and not spoofed?


Solution

  • Such an intentional breaking of the protocol will cause you major headaches in the long run. For instance, consider cases where a user logs in using a custom-built OpenID server, but provides a @gmail.com email address.

    The only information guaranteed to be absolutely consistent and reliable after an OpenID authentication exchange is the identity URL.
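To make the answer concrete, here is an added PHP example (it is not code from the question or the answer) of how the lookup in the question's `users` table can be keyed on the identity URL rather than on the Attribute Exchange email. It assumes a PDO connection to the table shown in the question (columns `type`, `id`, `password`, `email`, `key`), that `$claimedId` and `$axEmail` come from an OpenID response the OpenID library has already verified (signature checked, nonce consumed; that library call is not shown), and that `password` is nullable for OpenID-only rows. The `findUserByAxEmailInsecure` function is the email-based lookup the question proposes, kept only to show what it would match.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes: a PDO connection to the users table from the question
// (type, id, password, email, key), and that $claimedId / $axEmail come
// from an OpenID response that the OpenID library has ALREADY verified.

const TYPE_NATIVE = 1;
const TYPE_GOOGLE = 2;
const TYPE_YAHOO  = 3;

/**
 * Map a verified identity URL to the provider type used in the users table.
 * Returns null for any provider not explicitly supported, so a self-hosted
 * OpenID server cannot be mistaken for Google or Yahoo.
 */
function openIdTypeForClaimedId(string $claimedId): ?int
{
    if (strpos($claimedId, 'https://www.google.com/accounts/o8/id?id=') === 0) {
        return TYPE_GOOGLE;
    }
    if (strpos($claimedId, 'https://me.yahoo.com/') === 0) {
        return TYPE_YAHOO;
    }
    return null;
}

/**
 * Weak lookup (what the question proposes): the email asserted through
 * Attribute Exchange is treated as the identity. Any OpenID provider can
 * assert any email, so a login through some other provider that asserts
 * you@gmail.com would match the Google user's row.
 */
function findUserByAxEmailInsecure(PDO $db, string $axEmail): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE email = ?');
    $stmt->execute([$axEmail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Lookup keyed on the identity URL, scoped to the provider type.
 * `key` is a reserved word in MySQL, hence the backticks.
 */
function findUserByOpenId(PDO $db, int $type, string $claimedId): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE type = ? AND `key` = ?');
    $stmt->execute([$type, $claimedId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Resolve a verified OpenID login to a user row. The AX email only fills
 * in the profile of a NEW row; it never selects an existing account, so it
 * cannot attach this login to a native or other-provider account that
 * happens to carry the same address.
 */
function resolveOpenIdLogin(PDO $db, string $claimedId, ?string $axEmail): ?array
{
    $type = openIdTypeForClaimedId($claimedId);
    if ($type === null) {
        return null; // unsupported provider: do not log in
    }

    $user = findUserByOpenId($db, $type, $claimedId);
    if ($user !== null) {
        return $user;
    }

    // First login with this identity URL: create a row keyed on the URL.
    // Schema caveat: in the question's table `id` restarts per type, so the
    // next id is taken under a lock; a single auto-increment primary key
    // would be the better design.
    $db->beginTransaction();
    $next = $db->prepare('SELECT COALESCE(MAX(id), 0) + 1 FROM users WHERE type = ? FOR UPDATE');
    $next->execute([$type]);
    $id = (int) $next->fetchColumn();
    $ins = $db->prepare('INSERT INTO users (type, id, password, email, `key`) VALUES (?, ?, NULL, ?, ?)');
    $ins->execute([$type, $id, $axEmail, $claimedId]);
    $db->commit();

    return findUserByOpenId($db, $type, $claimedId);
}
```

The design point is that `type` and `key` together are the credential for an OpenID row, exactly as the question's current scheme does, and the email stays profile data: if a user later wants to link a Google login to an existing native account, that should be a deliberate, separately authenticated "link accounts" action rather than an automatic match on the AX email.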