
OpenID Pseudo Code

OpenID enables one website (the consumer, or relying party) to piggy-back on an authenticated session the user already has with another website (the OpenID provider). In this way only one password is required for both sites, and the consumer never sees it: the password is only ever entered at the provider.

Normal login/authentication
  1. User submits username and password
  2. Your website looks up the account corresponding to the username
  3. Your website checks that the submitted password corresponds to the password hash stored for that account (authenticates user)
  4. If the password is valid, your website creates an authenticated session for the user
OpenID login/authentication
  1. User submits their OpenID (a URL they control)
  2. Your website looks up the account corresponding to the OpenID
  3. Your website redirects the user to their OpenID provider, which confirms that the user owns the OpenID and sends them back with a signed assertion (authenticates user)
  4. If the assertion verifies (the signature checks out and it names the OpenID and return URL you asked about), your website creates an authenticated session for the user

Traditional login pseudo code

Traditional login:

    // Retrieve the user corresponding to the submitted username
    user = Database.getUserByUsername( submittedUsername )

    // Check the password and either log the user in or reject them.
    // Compare against a salted hash of the stored password; never store
    // or compare the raw password itself.
    if ( PasswordHash.verify( submittedPassword, user.passwordHash ) )
        user.completeLogin( )
    else
        user.failLogin( )
    end

OpenID login pseudo code

OpenID login:

    // Begin authentication. The library discovers the user's OpenID provider,
    // builds the request and redirects the user there: USER LEAVES YOUR SITE
    OpenIDLibrary.beginAuth( submitted_OpenID )

User is redirected to their OpenID provider.

Their OpenID provider prompts the user to log in if necessary. Once done it sends them back to your site together with a signed assertion that they are logged in (or a negative response if they are not).

    // Complete authentication. The library reads the provider's response
    // from the query string and verifies it: the signature, the return URL,
    // the response nonce (anti-replay) and that the OpenID matches what was
    // discovered at the beginning.
    authenticationResult = OpenIDLibrary.completeAuth( )
    openid_URL = OpenIDLibrary.getOpenID( )

    // Deal with the user accordingly. Only look the OpenID up in your
    // database after the assertion has verified.
    if ( authenticationResult == success )
        user = Database.getUserByOpenID( openid_URL )
        user.completeLogin( )
    else
        user.failLogin( )
    end

"Redirects" and OpenID

You will see a lot of 'begin' and 'complete' functions in OpenID. This is because OpenID operates by completely redirecting the user between sites.

OpenID is a type of web service, but unlike traditional web services, which talk server-to-server and statelessly, OpenID is designed to take advantage of the user's browser session with the provider.

The only way an OpenID provider can assert that the user is logged in is by checking their session and the only way they can do that is if the user is actually at their site.

This means that the whole OpenID process operates by bouncing the user between their OpenID provider and your site, the OpenID consumer. All the information about these bounces is passed on the query string as the user moves to and fro. Because that query string travels through the user's browser, anyone can craft or replay one; the assertion is only worth something because the provider signs it with a key shared with your site (the association) and your library checks that signature, the return URL and the response nonce before reporting success.
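The bounce described above, with both sides' messages, as an added example in Python that is not part of the original page or any OpenID library. It assumes a hypothetical provider (op.example.net), a hypothetical consumer (consumer.example.org) and a MAC key the two sides are taken to have already agreed during association; the association step itself and provider discovery are left out. The consumer half does what completeAuth() hides in the pseudo code: it checks the signature over the OpenID 2.0 Key-Value Form of the signed fields, the return_to URL, the association handle and the response nonce.

```python
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qsl, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Assumed for this example (not from the original page): a hypothetical OP,
# a hypothetical consumer and a MAC key the two are taken to have already
# agreed during association. Real code gets the key from an associate request.
OP_ENDPOINT = "https://op.example.net/openid"
RETURN_TO = "https://consumer.example.org/openid/complete"
REALM = "https://consumer.example.org/"
ASSOC_HANDLE = "assoc-example-1"
MAC_KEY = os.urandom(32)
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


class AuthError(Exception):
    pass


def begin_auth(claimed_id):
    """Consumer's beginAuth(): the URL the user's browser is redirected to."""
    return OP_ENDPOINT + "?" + urlencode({
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.realm": REALM,
        "openid.assoc_handle": ASSOC_HANDLE,
    })


def sign(params, signed_fields, mac_key):
    """OpenID 2.0 signature: HMAC over the Key-Value Form ('name:value' + newline)
    of the signed fields, names without the 'openid.' prefix, base64-encoded."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def op_positive_assertion(redirect_url, mac_key):
    """Provider side (simulated): the user logged in, so send them back with a signed id_res."""
    req = dict(parse_qsl(urlparse(redirect_url).query))
    resp = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": req["openid.claimed_id"],
        "openid.identity": req["openid.identity"],
        "openid.return_to": req["openid.return_to"],
        # UTC timestamp plus random suffix: lets the consumer reject replays
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        + base64.b64encode(os.urandom(6)).decode(),
        "openid.assoc_handle": req["openid.assoc_handle"],
    }
    resp["openid.signed"] = ",".join(REQUIRED_SIGNED)
    resp["openid.sig"] = sign(resp, REQUIRED_SIGNED, mac_key)
    return req["openid.return_to"] + "?" + urlencode(resp)


def complete_auth(callback_url, mac_key, seen_nonces):
    """Consumer's completeAuth(): everything here arrived on the query string and
    could have been typed by the user, so trust nothing until the signature checks."""
    p = dict(parse_qsl(urlparse(callback_url).query))
    if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
        raise AuthError("not a positive assertion")
    if p.get("openid.return_to") != RETURN_TO:
        raise AuthError("return_to mismatch")
    if p.get("openid.assoc_handle") != ASSOC_HANDLE:
        raise AuthError("unknown association handle")
    signed = p.get("openid.signed", "").split(",")
    if any(f not in signed for f in REQUIRED_SIGNED):
        raise AuthError("a required field is not covered by the signature")
    try:
        expected = sign(p, signed, mac_key)
    except KeyError as missing:
        raise AuthError(f"signed field {missing} absent")
    if not hmac.compare_digest(expected, p.get("openid.sig", "")):
        raise AuthError("bad signature")
    nonce = p["openid.response_nonce"]  # real code also rejects stale timestamps
    if nonce in seen_nonces:
        raise AuthError("replayed response")
    seen_nonces.add(nonce)
    return p["openid.claimed_id"]  # safe to look this up in your user database now


def demo():
    """The full bounce run offline, then three things completeAuth() must reject."""
    seen = set()
    callback = op_positive_assertion(begin_auth("https://alice.example.com/"), MAC_KEY)
    result = {"login": complete_auth(callback, MAC_KEY, seen)}
    for name, url, key in (("replay", callback, MAC_KEY),
                           ("tamper", callback.replace("alice", "mallory"), MAC_KEY),
                           ("wrong_key", callback, os.urandom(32))):
        try:
            complete_auth(url, key, seen)
            result[name] = "accepted"
        except AuthError as e:
            result[name] = str(e)
    return result


if __name__ == "__main__":
    print(demo())
```

Running the block prints the accepted login followed by the reasons the replayed, tampered and wrongly keyed responses were refused. The point to take from it is the order of checks in complete_auth(): the database lookup of the OpenID happens only after the signature has been verified, because until then the claimed_id on the query string is just text the user's browser delivered.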
