A description of the OpenID protocol with diagrams.
1: User submits Identity URL
1:用戶提交身份地址
The consumer uses a form with GET or POST to allow the user to enter their OpenID url.
應用服務器通過GET或者POST方法獲得用戶提交他們的OpenId地址(身份地址)
2: Consumer fetches Identity URL
2:應用服務器取得身份驗證服務器
The consumer parses the HTML content and looks for a tag:
<LINK REL='openid.server' HREF=(the server)>
應用服務器解吸用戶提交的地址的數(shù)據(jù)中的HTML標簽:<link rel=’openid.server’ href=’the server’>(其中the server 就是身份驗證服務器)
3: Consumer associates with server (option 1)
3:應用服務器與身份驗證服務器交互(選項1)
In order to communicate securely with the server, the consumer gets an association with the server discovered in step 2, using an existing association if it is available, otherwise visiting the server and using Diffie Hellman to negotiate a shared secret with which to sign communication. A consumer unable to store state uses "dumb mode" which does not perform this step, and instead uses step 7.
The OpenID server URL accepts a query, containing all the information the server needs to check the user's identity and redirect the user back to the consumer. The server checks the authentication of the user. If the user is signed in (has an auth cookie) and has already authorized sending their identity to the consumer, step 5 may be skipped.
The user authenticates to the server with a cookie or a username and password, and the server asks the user for permission to send their identity information to the consumer.
The consumer parses the servers response (which is appended to the return-to URL the consumer sent) and verifies it using the association, or in the case of dumb mode proceeds to step 7.
