
How does OpenID work?

Can someone help me understand how OpenID works? I'm interested in the following answers:

  1. Do you still have to store user ids and passwords if using OpenId?
  2. How does my application create a new session when a user logs in?
  3. When users log out of the application do I need to do anything other than clear their session data? Do I need to inform the openId server?

Solution

  • I recently made an OpenID authentication system; this is how it works.

    login:

    1. User puts in an OpenID URL (not necessarily unique).
    2. OpenID provider verifies and provides a unique OpenID URL on success.
    3. Put this URL in the session.

    authenticate request:

    There is a table that maps OpenID URL to user.

    for each request:

    1. Look for the OpenID URL in the session.
    2. If it exists, look up the user record and attach it to the request.
    3. Process the request.

    Do you still have to store userIDs and passwords if using openId?

    userIDs yes, passwords no (unless you provide other ways to login except openid)

    How does my application find out and create a new session when someone logs in?

    Sessions are handled as normal, sessions are for authenticated and unauthenticated users.

    When a user logs out of my own application, do I need to do anything more than just clear their session from my application? (Do I need to inform the OpenID server?)

    Nope.
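The login, per-request and logout steps from the answer above, as an added Python example (not the answerer's code). The provider round trip is a hypothetical stub and the user table is a constructed dict; the point it shows is that only the identifier the provider returns, never the string the user typed, goes into the session and the lookup table.

```python
# Added example: login / per-request lookup / logout from the answer, with
# in-memory stand-ins. stub_provider_verify is hypothetical; USERS_BY_OPENID
# is constructed sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    display_name: str


# Maps the *verified* OpenID identifier (as returned by the provider, not the
# text the user typed) to the local user record. Constructed sample table.
USERS_BY_OPENID = {
    "https://alice.example.net/": User(1, "alice"),
}


def stub_provider_verify(claimed_url: str) -> Optional[str]:
    """Hypothetical stand-in for the OpenID provider round trip.
    Returns the canonical identifier on success, None on failure."""
    canonical = {"alice.example.net": "https://alice.example.net/"}
    host = claimed_url.removeprefix("https://").removeprefix("http://").rstrip("/")
    return canonical.get(host)


def login(session: dict, claimed_url: str, verify=stub_provider_verify) -> bool:
    """Steps 1-3 of the answer: verify with the provider, then store only the
    identifier the provider returned (a failed verification stores nothing)."""
    verified = verify(claimed_url)
    if verified is None:
        return False
    session["openid_url"] = verified
    return True


def current_user(session: dict) -> Optional[User]:
    """Per request: look the session identifier up in the user table and return
    the user to attach to the request; None means unauthenticated or unknown."""
    url = session.get("openid_url")
    if url is None:
        return None
    return USERS_BY_OPENID.get(url)


def logout(session: dict) -> None:
    """Logout is local only: clear the session, no call to the provider."""
    session.clear()
```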