4.2.2. Establishing Association

The messages you receive indirectly via the user’s browser from the OpenID provider are digitally signed. For each such message, the signature must be verified to confirm that it really comes from the OpenID provider. There are two ways to do this – the so-called stateful and stateless communication between your application and the OpenID provider.

In stateless communication, you verify each message by contacting the OpenID provider directly and asking it to confirm the given message. This costs more time and resources.

Stateful communication begins with establishing a shared secret before the user login (i.e. identity authentication) process starts – the so-called establishing of an association. This shared secret is valid for a maximum period of 14 days; after it expires, the association must be established again. Either side (the OpenID provider or your application) can also declare this shared secret invalid at any time during its period of validity. In such a case, it is advisable to establish the association again so that stateless communication does not need to be used.

Tip

The OpenID libraries that can be used to implement mojeID support both options. In common situations, we recommend using stateful communication as much as possible. In some cases stateless communication is also necessary: e.g. if the shared secret has expired or one side has invalidated it, messages must be verified by stateless communication until a new association is established.
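The following added example (not code from mojeID or from any OpenID library) shows what the stateful check amounts to in practice: the shared secret from the association is used as an HMAC-SHA256 key over the fields listed in `openid.signed`, and a message whose handle is unknown, whose secret has expired, or whose signature does not match is the case where the application must fall back to stateless verification. The association record, the message fields and all URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed association record (not real mojeID data): what the application
# stores after the association request. mac_key is the shared secret.
ASSOCIATION = {
    "assoc_handle": "example-assoc-handle",   # assumed handle value
    "mac_key": bytes(range(32)),              # constructed 32-byte HMAC-SHA256 key
    "issued_at": 1_700_000_000,               # Unix time the association was made
    "expires_in": 14 * 24 * 3600,             # 14 days, the maximum lifetime
}

def signed_base_string(msg):
    """Key-Value form ("field:value\\n") of the fields named in openid.signed, in order."""
    return "".join(f"{f}:{msg['openid.' + f]}\n"
                   for f in msg["openid.signed"].split(",")).encode("utf-8")

def compute_sig(msg, mac_key):
    """Base64 HMAC-SHA256 over the signed fields, as the OpenID provider computes it."""
    mac = hmac.new(mac_key, signed_base_string(msg), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_stateful(msg, assoc, now):
    """True only if msg is signed with our current, unexpired shared secret; on
    False the message must be verified statelessly (check_authentication) instead."""
    if msg.get("openid.assoc_handle") != assoc["assoc_handle"]:
        return False                          # unknown or invalidated handle
    if now >= assoc["issued_at"] + assoc["expires_in"]:
        return False                          # secret expired: re-associate first
    try:
        expected = compute_sig(msg, assoc["mac_key"]).encode("ascii")
        return hmac.compare_digest(expected, str(msg["openid.sig"]).encode("utf-8"))
    except KeyError:
        return False                          # openid.sig or a signed field missing

# Constructed positive assertion as it would arrive via the user's browser
# (placeholder URLs; the signature is produced the way the provider would).
SAMPLE_MSG = {
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://alice.example/",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2024-01-01T00:00:00Zabc123",
    "openid.assoc_handle": "example-assoc-handle",
    "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle",
}
SAMPLE_MSG["openid.sig"] = compute_sig(SAMPLE_MSG, ASSOCIATION["mac_key"])
```

The comparison uses `hmac.compare_digest` so that a wrong signature takes the same time to reject regardless of where it differs.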