LightOpenID authentication using POST method


Is there a way to authenticate with the LightOpenID library using the POST method? To be exact, after authenticating, Google (for example) returns to the specified URL, but all the data is sent to me using the GET method, which ends up in an ugly and long URL.

My code is:

define('BASE_URL', 'http://someurl.com');

try {
    $openid = new LightOpenID();

    if (!isset($_GET['openid_mode'])) {
        // no openid mode was set, authenticate user
        $openid->identity = 'https://www.google.com/accounts/o8/id';
        $openid->realm = BASE_URL;
        $openid->required = array('contact/email');

        header('Location: '.$openid->authUrl());
        exit; // stop the script once the redirect header is set

    } else if ($_GET['openid_mode'] == 'cancel') {
        // user canceled login, redirect them
        header('Location: '.BASE_URL);
        exit;

    } else {
        // authentication completed, perform license check
        if ($openid->validate()) {
            $openid->getAttributes();
        }
    }

} catch (ErrorException $e) {

}

So after authentication the OP returns to a URL that looks something like this:

http://someurl.com/index.php?openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res&openid.op_endpoint=https://www.googl...

And I want the OP to return to:

http://someurl.com/index.php

and send all the data using POST, not GET.


There are 2 answers

Answered by Floccinaucinihilipilification. (best answer)

I've been working on the same. See the code below. I think this should help.

<?php
require 'lightopenid/openid.php';
try {
    $openid = new LightOpenID;
    if (!$openid->mode) {
        if (isset($_GET['login'])) {
            $openid->identity = 'https://www.google.com/accounts/o8/site-xrds?hd=yourdomain.com';
            $openid->required = array('namePerson/friendly', 'contact/email', 'contact/country/home', 'namePerson/first', 'pref/language', 'namePerson/last');
            header('Location: ' . $openid->authUrl());
            exit; // stop here so the form below is not sent along with the redirect
        }
?>
<form action="?login" method="post">
    <button>Login with Google</button>
</form>
<?php
    } elseif ($openid->mode == 'cancel') {
        echo 'User has canceled authentication !';
    } elseif ($openid->validate()) {
        // trust the returned data only after the response has been verified
        session_start();
        // getAttributes() replaces ret_fname()/ret_lname()/ret_email(),
        // which stock LightOpenID does not define
        $attrs = $openid->getAttributes();
        $fname = isset($attrs['namePerson/first']) ? $attrs['namePerson/first'] : '';
        $lname = isset($attrs['namePerson/last']) ? $attrs['namePerson/last'] : '';
        $email = isset($attrs['contact/email']) ? $attrs['contact/email'] : '';
        $_SESSION['admin']['name'] = $fname.' '.$lname;       // setting session
        $_SESSION['admin']['emailID'] = $email;               // setting session

        header('Location: approve.php');  // PUT YOUR PAGE/URL HERE.... I THINK THIS SHOULD DO THE TRICK !!!
        exit;
    } else {
        echo 'Authentication failed.';
    }
} catch (ErrorException $e) {
    echo $e->getMessage();
}

Answered by Ed Randall

It's possible that it is not possible, according to the top answer to this question: Response.Redirect with POST instead of Get?

The authentication response from Google back to your page handler might be a "request" rather than a "redirect" though, so I'm still not sure.

Redirecting yourself after a response using a POST as above seems a good workaround.

Another solution might be to bury the whole process using AJAX.
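
The redirect workaround from the answers above, as an added example that is not from either answer or from LightOpenID itself: the return URL validates the response, keeps the result in the session, and then redirects so the `openid.*` parameters leave the address bar. The `finish_login()` helper, the `CLEAN_URL` constant, the `?login` trigger and the `user` session key are assumptions; the constructor call follows the page's code, and newer LightOpenID releases expect the host as a constructor argument.

```php
<?php
// Added example: one script as login page and OpenID return URL (assumed names are marked).
require 'lightopenid/openid.php';

const CLEAN_URL = 'http://someurl.com/index.php'; // the URL the asker wants to end up on

// Assumed helper: copy only the requested fields out of the verified response.
function finish_login(LightOpenID $openid): array
{
    $attrs = $openid->getAttributes();       // the OP may omit any requested attribute
    return array(
        'identity' => $openid->identity,     // claimed identifier, available after validate()
        'email'    => isset($attrs['contact/email']) ? $attrs['contact/email'] : null,
    );
}

session_start();
try {
    $openid = new LightOpenID;               // as on the page; newer releases take the host here
    if (!$openid->mode) {
        if (isset($_GET['login'])) {         // assumed trigger for starting authentication
            $openid->identity = 'https://www.google.com/accounts/o8/id';
            $openid->realm    = 'http://someurl.com';
            $openid->required = array('contact/email');
            header('Location: ' . $openid->authUrl());
            exit;
        }
        echo isset($_SESSION['user'])
            ? 'Logged in as ' . htmlspecialchars($_SESSION['user']['identity'])
            : '<a href="?login">Login with Google</a>';
        exit;
    }
    if ($openid->mode != 'cancel' && $openid->validate()) {
        session_regenerate_id(true);         // fresh session id for the authenticated session
        $_SESSION['user'] = finish_login($openid);
    }
    // Success, cancel or failure: answer with a redirect so the long
    // openid.* query string is replaced by the clean URL in the browser.
    header('Location: ' . CLEAN_URL, true, 303);
    exit;
} catch (ErrorException $e) {
    error_log('OpenID error: ' . $e->getMessage()); // log it, do not echo it to the user
    http_response_code(500);
}
```

The session is written only inside the `validate()` branch, so a request that merely carries `openid.*` parameters never creates a logged-in session.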