Can OpenID be used to authenticate access to a website client area?

开发者 https://www.devze.com 2023-01-17 14:45 Source: Internet

Is it possible to limit the users who can sign in with OpenID on my site? I have clients that I want to give access to a client area on my website. I don't want anyone with an OpenID to be able to log in, just my clients. Is this possible?


One way to do this would be to create a "sign up" form to validate the user. Part of the sign up process would be to associate your OpenID. You can then leave the newly created account in a "pending" mode to be approved by an admin. (note: if you have a different way of adding the clients, you would use that method.)

Basically you would create a profile for a user the same way you would in any other application, except you would replace the UserName / Password portion with OpenID.


OpenID is made for authentication, not for authorization. I am sure you could make it work (*), however you must keep in mind that OpenID has not been made for this sort of task.

If you want to do it, you must probably restrict the set of allowed OpenID providers to prevent a malicious provider from handing faked/bogus identity URLs to your application (consumer).

(*) how, depends on where you want to enforce the restriction (web server, web framework, etc.)
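
An added example (not part of either answer above) that combines both suggestions: after OpenID verification has succeeded, access is decided by a provider allowlist plus an admin-approved account bound to the identifier. It assumes an OpenID library has already verified the assertion and discovery; the provider URL, identifiers, account records and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: provider endpoints the site trusts, and client
# accounts keyed by normalized OpenID identifier (created at sign-up).
ALLOWED_PROVIDERS = {"https://openid.example-provider.test/server"}
ACCOUNTS = {
    "https://alice.example-provider.test/": {"name": "Alice", "status": "approved"},
    "https://bob.example-provider.test/": {"name": "Bob", "status": "pending"},
}


def normalize(identifier):
    """Simplified normalization: HTTPS only, lowercase host, no fragment."""
    parts = urlsplit(identifier.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("identifier must be an https URL")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed in identifier")
    port = parts.port  # raises ValueError on a malformed port
    netloc = parts.hostname if port in (None, 443) else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def authorize(claimed_id, op_endpoint, accounts=ACCOUNTS, providers=ALLOWED_PROVIDERS):
    """Return (allowed, reason) for an identity the OpenID library verified.

    This decides access (authorization); it does not prove identity.
    """
    # Reject assertions from providers the site has not chosen to trust.
    if op_endpoint not in providers:
        return False, "provider not allowed"
    try:
        key = normalize(claimed_id)
    except ValueError:
        return False, "invalid identifier"
    # Only identifiers bound to an existing client account may proceed.
    account = accounts.get(key)
    if account is None:
        return False, "no client account"
    # Accounts stay locked until an admin approves them.
    if account["status"] != "approved":
        return False, "account " + account["status"]
    return True, "ok"
```

Store the normalized identifier at sign-up so the lookup at login compares like with like.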
