how to verify google openid response

Question

I\'m trying to add authorization throw google openid to my users. I\'m receiving id (https://www.google.com/accounts/o8/id?id=AIt...Ew-Bo) but how can i check that it\'s legit.

Answer 1

public function verify_response()
       {$params=$_REQUEST;
        $query=array('openid.signed'=>$params['openid.signed'],
                     'openid.sig'=>$params['openid.sig'],
                     'openid.mode'=>'check_authentication'
                    );
        $keys=explode(',', 'openid.'.strtr($params['openid.signed'], array(','=>',openid.')));
        foreach ($params as $k=>$v)
                {if (in_array($k, $keys))
                    {$query[$k]=$v;
                    }
                }
        $query=http_build_query($query);
        $response=file_get_contents($params['openid.op_endpoint'].'?'.$query);
        return stripos($response, 'is_valid:true')!==false;
       }

Answer 2

Google's OpenID (Google Apps for Domains OpenID excepted) is just standard OpenID. You should take all the precautions that any other OpenID requires to make sure the assertion is legit. You're right... anyone can craft an OpenID positive assertion to fool your RP unless your RP verifies the signature, performs discovery on the identifier and matches the authorized OP Endpoint for that identifier with the one that signed the response.

As for whether you can trust the email address, that's up to you. You can choose to trust the Google OP endpoint, and then you know.

Answer 3

function ValidateWithServer(){
    $params = array(
        'openid.assoc_handle' => urlencode($_REQUEST['openid_assoc_handle']),
        'openid.signed' => urlencode($_REQUEST['openid_signed']),
        'openid.sig' => urlencode($_REQUEST['openid_sig'])
    );
    // Send only required parameters to confirm validity
    $arr_signed = explode(",",str_replace('sreg.','sreg_',$_REQUEST['openid_signed']));
    for ($i=0; $i<count($arr_signed); $i++){
        $s = str_replace('sreg_','sreg.', $arr_signed[$i]);
        $c = $_REQUEST['openid_' . $arr_signed[$i]];
        // if ($c != ""){
            $params['openid.' . $s] = urlencode($c);
        // }
    }
    $params['openid.mode'] = "check_authentication";

    $openid_server = $this->GetOpenIDServer();
    if ($openid_server == false){
        return false;
    }
    $response = $this->CURL_Request($openid_server,'POST',$params);
    $data = $this->splitResponse($response);

    if ($data['is_valid'] == "true") {
        return true;
    }else{
        return false;
    }
}

Answer 4

Rather than trying to implement discovery and signature verification by yourself, you really ought to use one of the many libraries that have already been created for this purpose. Here are a bunch for various programming languages:

http://openid.net/developers/libraries/