Much like OAuth (which we explored in Chapter 9), OpenID defines a standardized flow by which a user who wants to sign in to a third-party site (the relying party) authenticates instead with an OpenID provider such as Yahoo! or Google, which then vouches for that user to the site.
There are three participants in the OpenID authentication flow that we will be working with and describing in this chapter:
User
This is the end user who is attempting to sign in to a site or service using one of the OpenID providers.

Relying party
This is the OpenID consumer site that implements an OpenID provider login in order to let users authenticate with an account they already hold elsewhere, rather than with a password stored on the site itself.

OpenID provider
This is the site or service that holds the membership database: the relying party authenticates against it, and the user logs in through it.
With that said, the OpenID authentication process will take us through four different steps, starting from when the user chooses which provider to use to sign in and ending with the authentication pass/fail returned by the provider when the user attempts to authenticate. These steps are:
1. Request user login by passing an OpenID identifier URI.
2. Perform discovery on the OpenID endpoint.
3. Require the user to authenticate his account.
4. Provide a pass/fail state based on the authentication.
Let’s break these down to see what happens between the user, relying party, and OpenID provider at each stage.
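Before walking through the stages in prose, here is an added example that is not code from the book, from Yahoo! or Google, or from any OpenID library: the four steps run end to end in Python, with the relying party and a simulated OpenID provider in the same process so that it works offline. It assumes an HMAC-SHA256 association (the hypothetical ASSOC_HANDLE and a random MAC_KEY) already exists between the two, uses a constructed XRDS document (SAMPLE_XRDS) in place of the provider's real Yadis discovery response, and uses made-up example.com hostnames. Step 4 goes a little beyond "pass/fail": it shows the checks a relying party has to make before trusting a positive assertion (signature, signed-field list, discovered endpoint, return_to, and nonce), because skipping any one of them turns the pass/fail decision into something an attacker can forge.

```python
"""Added example, not the book's or any OpenID library's code: the four OpenID 2.0
authentication steps with the relying party (RP) and a simulated provider (OP) run
in-process. Assumed: an HMAC-SHA256 association (ASSOC_HANDLE, MAC_KEY) already
exists, and SAMPLE_XRDS is a constructed stand-in for the OP's discovery document."""
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
XRD = "{xri://$xrd*($v*2.0)}"        # default XML namespace inside an XRDS document
SERVICE_TYPES = {"http://specs.openid.net/auth/2.0/signon", "http://specs.openid.net/auth/2.0/server"}
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
ASSOC_HANDLE = "assoc-hypothetical-1"   # hypothetical association handle shared with the OP
MAC_KEY = secrets.token_bytes(32)       # the association's MAC key (random for this demo)

SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://op.example.com/openid/endpoint</URI>
  </Service></XRD>
</xrds:XRDS>"""   # constructed discovery document, not fetched from a real provider

def discover(xrds_text):
    """Step 2: pull the OP endpoint URL out of the XRDS document found by Yadis."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(XRD + "Service"):
        if {t.text.strip() for t in svc.findall(XRD + "Type")} & SERVICE_TYPES:
            return svc.find(XRD + "URI").text.strip()
    raise ValueError("no OpenID 2.0 service in XRDS document")

def build_checkid_setup(op_endpoint, claimed_id, return_to, realm):
    """Step 1: the redirect URL that sends the user to the OP carrying the RP's request."""
    params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.return_to": return_to, "openid.realm": realm,
              "openid.assoc_handle": ASSOC_HANDLE}
    return op_endpoint + "?" + urlencode(params)

def kv_signature(mac_key, fields, signed_names):
    """OpenID 2.0 signature: HMAC over one 'name:value' line per signed field."""
    msg = "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed_names)
    return base64.b64encode(hmac.new(mac_key, msg.encode(), hashlib.sha256).digest()).decode()

def op_response(request_url, user_approved=True):
    """Step 3 (simulated OP): once the user has logged in, answer with a signed
    positive assertion (mode=id_res), or with mode=cancel if the user refused."""
    q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    if not user_approved:
        return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
    nonce = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(8)
    fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
              "openid.op_endpoint": request_url.split("?", 1)[0],
              "openid.claimed_id": q["openid.claimed_id"], "openid.identity": q["openid.identity"],
              "openid.return_to": q["openid.return_to"], "openid.response_nonce": nonce,
              "openid.assoc_handle": q["openid.assoc_handle"]}
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = kv_signature(MAC_KEY, fields, signed)
    return fields

def verify_assertion(resp, op_endpoint, expected_return_to, seen_nonces, max_skew=300):
    """Step 4: the RP's pass/fail decision. Each check closes a hole: a forged or
    partial signature, a response from a different endpoint, a replayed nonce,
    or a return_to aimed at another site."""
    if resp.get("openid.ns") != OPENID_NS or resp.get("openid.mode") != "id_res":
        return False, "not a positive assertion (mode=%s)" % resp.get("openid.mode")
    if resp.get("openid.op_endpoint") != op_endpoint:
        return False, "op_endpoint does not match discovery"
    if resp.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    got, want = urlparse(resp.get("openid.return_to", "")), urlparse(expected_return_to)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return False, "return_to does not point back at this RP"
    signed = resp.get("openid.signed", "").split(",")
    if REQUIRED_SIGNED - set(signed) or ("openid.claimed_id" in resp and "claimed_id" not in signed):
        return False, "required fields are not covered by the signature"
    if any("openid." + n not in resp for n in signed):
        return False, "signed list names a field that is absent"
    nonce = resp.get("openid.response_nonce", "")
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs((datetime.now(timezone.utc) - ts).total_seconds()) > max_skew or nonce in seen_nonces:
        return False, "stale or replayed response_nonce"
    if not hmac.compare_digest(kv_signature(MAC_KEY, resp, signed), resp.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)      # remember the nonce only once the assertion is accepted
    return True, resp["openid.claimed_id"]

def run_flow(user_approved=True, tamper=None, seen_nonces=None):
    """Drive all four steps end to end; `tamper` overwrites fields in the OP's response."""
    return_to, realm = "https://rp.example.com/openid/return", "https://rp.example.com/"
    op_endpoint = discover(SAMPLE_XRDS)
    request_url = build_checkid_setup(op_endpoint, "https://op.example.com/alice", return_to, realm)
    resp = op_response(request_url, user_approved)
    resp.update(tamper or {})
    return verify_assertion(resp, op_endpoint, return_to, set() if seen_nonces is None else seen_nonces)
```

Calling run_flow() returns (True, "https://op.example.com/alice"); run_flow(user_approved=False) and any tampered response (a rewritten claimed_id, a return_to on another host, a signed list that drops claimed_id) come back as (False, reason). In a real relying party the association would come from an earlier openid.mode=associate exchange with the provider, and a stateless RP that has no association would instead send the assertion back to the provider in a check_authentication request for step 4.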