OpenID for Java Web Developers

I’ve been thinking about OpenID a lot lately. Probably since around October of 2009. On my current engagement, my customer uses OpenID to enable Single Signon (SSO) for their partner applications. There is an implicit trust between them because of their business relationship, so they include links to their partners’ applications from their own applications as a convenience. The problem (before OpenID) was that each time their users accessed their partner’s application through one of these links the user was forced to sign in. A SSO solution was necessary, and OpenID was the solution. Through OpenID, my customer’s application acts as the OpenID provider (OP) and the partner applications are the relying parties (RPs). It works like a dream.

Now, I didn’t architect the OpenID solution. My colleague Oscar Pearce did, and did a great job of implementing it. He has since moved on to other things, and in October 2009 my customer asked me to help another one of their partners to OpenID-enable their application. My journey into OpenID land thus began.

At first I didn’t really understand OpenID (and to be honest, didn’t really like it). But it began to grow on me as I began to get what it was all about (funny how that happens). Slowly it started to gel, and I realized there are two main pieces to understand when using OpenID in this type of architecture (i.e., as a SSO solution):

  1. The Relying Party (RP) code and surrounding issues
  2. How to write the OpenID Server for the OpenID Provider (OP)

I love to write. It’s what I do. So I began thinking of ways to share this knowledge with the IT community. I pitched the idea to Jenni Aloi at IBM Developer Works, she liked it, and Part I (the RP stuff) is now available for your reading pleasure. You can find the article here.

I’m working on Part II (the OP stuff) now. Stay tuned. And please let me know what you think. I really like OpenID. It’s gaining momentum as an identity management solution. Check out My OpenID to see one of the largest OPs on the planet, or for the specs, etc.

Have fun.


4 thoughts on “OpenID for Java Web Developers

  1. Hello Steven, could you possibly help me with a problem?

    I’m trying to develop an open-id Relying Party, based on your article, without using Wicket and the other example’s classes, though. I’m just using a servlet to create the authentication request, another to handle the response from the OP, and a web page to user data entry. Very simple stuff.

    In the response verification, i get this verification status – “nonce verification failed” (returned from “verificationResult.getStatusMsg();”). This method: “verificationResult.getVerifiedId();” also returns a null VerifiedId, and it shouldn’t.

    I’m using the ConsumerManager and DiscoveryInformation previously stored in a session. The returnToUrl is the url of the servlet that processes the response. I get the PageParameters using “ParameterList parameters = new ParameterList(request.getParameterMap());” I use this based on an example found in openid4java website, and it seems, not to work.

    I don’t know what I’m possibly doing wrong. Could you help me? Sending my code would help? Maybe the solution is very simple, but i just can’t see it. Thank you already, greetings from Brazil!

  2. It seems like I’ve seen this error before. I believe you can set the nonce timeout value to a number greater than the default. There is a comment in the RegistrationService getConsumerManager() about this. If setting the InMemoryNonceVerifier timeout value to a number greater than the default (10 seconds) does not help, then you will have to dig into the openid4java source code.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.