New version of the OpenID component

Published on and tagged with cakephp  component  openid

I just uploaded a new version of the OpenID component I wrote some time ago. It now uses version 2.0.0 of the PHP OpenID library, which supports the OpenID 2.0 specification.

As the API has changed a bit, let me make a simple example to show you how the component is used.

First we create the login form:

<?php
// app/views/users/login.ctp
if (isset($message)) {
    // escape for HTML output; failure messages can include text from the OpenID response
    echo '<p class="error">'.h($message).'</p>';
}
echo $form->create('User', array('type' => 'post', 'action' => 'login'));
echo $form->input('OpenidUrl.openid', array('label' => false));
echo $form->end('Login');

As the next step, we have to implement the login action in our controller:

<?php
// app/controllers/users_controller.php
class UsersController extends AppController {
    var $components = array('Openid');
    var $uses = array();

    function login() {
        // URL the OpenID provider redirects back to after authentication
        $returnTo = 'http://'.$_SERVER['SERVER_NAME'].'/users/login';

        if (!empty($this->data)) {
            // login form submitted: start the authentication (redirects to the provider)
            try {
                $this->Openid->authenticate($this->data['OpenidUrl']['openid'], $returnTo, 'http://'.$_SERVER['SERVER_NAME']);
            } catch (InvalidArgumentException $e) {
                $this->setMessage('Invalid OpenID');
            } catch (Exception $e) {
                $this->setMessage($e->getMessage());
            }
        } elseif (count($_GET) > 1) {
            // redirected back from the provider: process the response
            $response = $this->Openid->getResponse($returnTo);

            if ($response->status == Auth_OpenID_CANCEL) {
                $this->setMessage('Verification cancelled');
            } elseif ($response->status == Auth_OpenID_FAILURE) {
                $this->setMessage('OpenID verification failed: '.$response->message);
            } elseif ($response->status == Auth_OpenID_SUCCESS) {
                echo 'successfully authenticated!';
            }
        }
    }

    private function setMessage($message) {
        $this->set('message', $message);
    }
}

The login action basically performs three things. If it is called with a GET request without any parameters, it simply shows the login form. If we submit the login form, then the OpenID authentication process is started and you will be redirected to your OpenID provider. And when you get redirected back from the OpenID provider, we process the response.

That’s it. You can download the component from the download area (and don’t forget to read the installation instructions).

Happy baking :)

See also: Using the OpenID Simple Registration Extension

79 comments baked

  • Cees-Jan Kiewiet

    @lboy -> On my own system I use openid as an extension on the existing user management system. When someone is authenticated it will check if the openid login is from an existing user (just link openid URLs to users) if so it will log that user in. If it’s not from a user it will attempt to create that user with information from the openid login. (Make sure you request that information!!!)

  • cakebaker

    @lboy, Cees-Jan: Thanks for your comments!

    @lboy: Does the good answer from Cees-Jan answer your question? Or is there still something unclear?

  • lboy

    @Cees-Jan, cakebaker: Sorry for the delay… Yes, that answer is helpful, thanks. It helped to have it written down in words, even though I think I knew roughly what I needed to do.

  • Cees-Jan Kiewiet

    @lboy -> Yeah it’s a rough sketch tho :P. Just a little warning, sites like (you can use as if you have a yahooID) don’t give usable data or URLs to generate when someone uses it as openid. Making it impossible to find out who is actually logging in. Still working on that :P.

  • cakebaker

    @Cees-Jan: Yes, that’s true, however it looks like Yahoo wants to support Simple Registration in the future:

  • Cees-Jan Kiewiet

    @cakebaker: Ok great to hear, still it’s a scenario to keep in mind that could happen with another openid provider :P.

    Ow btw happy new year :).

  • James Rickard

    Firstly thanks for the plugin, it is unreal.

    Secondly a little problem.

    We have had this up and running on our server, but it only works intermittently. It’ll work for a few turns, but then will fail with a require_once error : (shown here).

    Wondering if you had any solutions to this problem. Everything is up to date, and our server seems to like everything else just fine. Every so often it just fails.

    Our site is – if you’d like to have a look.


  • cakebaker

    @James: Hm, sounds odd. I logged into your site for a few times, but didn’t encounter the error you describe…

    However, I fixed the // which is shown in the paths of your debug output, but I’m not sure whether this is the cause of your issue. Anyway, you can get the updated version from:

    Hope that helps!

  • James Rickard

    @cakebaker – Thanks muchly for taking the time to look into it. We are still getting the error. Is there something in the server setup I may be overlooking? I doubt it, but I guess that’s where the difference is, somewhere in the background.

    Thanks again

  • cakebaker

    @James: It’s strange that the issue appears only sporadically…

    My guess is that it is some problem with the include path and ini_set/ini_get (at the top of the Openid component), but I have no idea what… So right now I’m quite clueless :|

  • James Rickard

    @cakebaker : Thanks heaps for your help. The sporadic issue is the most annoying part of it.

    Anyways, we just went through and hardcoded the require_once links in the openID folder and it seems to be okay now. Knock wood I guess.

    Thanks again for your time.


  • cakebaker

    @James: Ah, yes, that’s the hardcore approach ;-)

    Anyway, I hope it works fine now.

  • Arne Diekmann

    Hey mister Cakebaker,

    The plugin is running very smoothly for me, thanks for that! There is only one thing I kept wondering about: When I enter my OpenID preceded by “https://” the response does not have the same identity_url compared to entering the OpenID with “http://”.

    This is of course totally correct according to the OpenID Specs and my first idea was to just store the identity_url for a user with the protocol stripped and compare that with the identity_url returned by the authentication process (with the protocol stripped also) and thus making the different identity-urls map to the same user, but the specs also stated that »Relying Parties MUST differentiate between URL Identifiers that have different schemes. When end user input is processed into a URL, it is processed into a HTTP URL. If the same end user controls the same URL, differing only by scheme, and it is desired that the Identifier be the HTTPS URL, it is RECOMMENDED that a redirect be issued from the HTTP URL to the HTTPS URL. Because the HTTP and HTTPS URLs are not equivalent and the Identifier that is used is the URL after following redirects, there is no foreseen reduction in security when using this scheme. If an attacker could gain control of the HTTP URL, it would have no effect on the HTTPS URL, since the HTTP URL is not ever used as an Identifier except to initiate the discovery process.«

    Is this something to be done in the Consumer.php or is there a way to accomplish just that with your plugin the easy way? If not I’ll have to go by the stripping-approach or try to find out whether the OpenID library can be taught to do that. Anyway any hint in the right direction would be greatly appreciated!


  • cakebaker

    @Arne: Thanks for your comment!

    Well, as you quoted from the spec, “Relying Parties MUST differentiate between URL Identifiers that have different schemes.”. This means, you violate the spec if you would modify the behavior of Consumer.php (or the OpenID component) to treat and as the same identifier.

    So, my recommendation is to keep it like it is and to follow the spec ;-)

  • Dave

    Awesome. This worked flawlessly. Now my apps can be openid enabled. Thanks!

  • Mr-Yellow

    Can’t see any reason why PHP5 would be needed.

    The OpenID lib is PHP4.

    The OpenID CakePHP component is only a small amount of code to change back to PHP4.

    No reason for PHP5 except to make the script incompatible with most servers.


  • Mr-Yellow

    No need for PEAR DB package as CakePHP includes all the needed database access with a rewrite of the component to use what is already available.


  • cakebaker

    @Dave: You are welcome!

    @Ben: Well, PHP4 is officially dead and so it doesn’t make much sense to support it anymore. However, feel free to grab the source from GitHub and modify it accordingly, if you need the component in a PHP4 environment.

    Yes, CakePHP includes all the needed database access functionality, and I considered to use this functionality. However, in the end it was more pragmatic to use what’s already available in the OpenID lib than to write my own CakeMySQLStore.

  • John

    Any idea if there’s a way to get this component to work with google apps domains? The problem is that there actually need to be two discoveries to find the actual location of the XRDS document for the user. First a discovery on the site XRDS is required which after some tinkering I was able to do easily enough, but when the openid response comes back it is rejected because it is not actually hosted at the domain, but on google’s server. There is a template in the site XRDS to apply the claimed id in order to get the actual location of the user XRDS document.

    For example:

    for the XRDS doc would be located at

    User XRDS docs are located using a similar template{URLencodedClaimedID}

    however, the login process returns simply the ClaimedID.

    This is all pretty new to me, so I hope I explained it correctly. My goal is to use google provided apps login for all authentication across the entire domain.

  • Support for Google Apps OpenIDs - cakebaker

    […] a recent comment John mentioned that the OpenID component doesn’t work with Google Apps OpenIDs. And he was […]

  • cakebaker

    @John: I just released a new version of the OpenID component which supports Google Apps domains, see Support for Google Apps OpenIDs.

  • Andrea

    I have a problem with integrating this into my existing login system. Following the advice by Cees-Jan, every time a new user logs in via OpenId, I create a new profile on the system, and associate their openid URL. The problem is that the openid URL assigned by Google and Yahoo (and probably some more providers) is not static, and changes every time a user logs in. I think you take care of this in your component; indeed I am able to login via OpenId; my problem is that I’m not able to see whether this is a new user or an already registered one.

  • cakebaker

    @Andrea: $response->identity_url contains the unique url for each user you can use to differentiate them.

    Hope this helps!
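
Added example (not part of the original post, the comments, or the component): the account lookup discussed above by Cees-Jan, Arne and Andrea, keyed on the exact value of $response->identity_url with the scheme included, next to the scheme-stripping shortcut so the difference is visible. The function names are hypothetical, and the link table, URLs and user ids are constructed sample data standing in for a database table.

```php
<?php
// In-memory stand-in for a table that links OpenID identifiers to local
// user ids (constructed sample data, not the component's storage).

// The scheme-stripping shortcut from the comments, shown only to make
// visible what it collapses. Not used for the lookup below.
function schemeStrippedKey($identityUrl) {
    return preg_replace('#^https?://#i', '', $identityUrl);
}

// Lookup on the identifier exactly as returned in
// $response->identity_url: http:// and https:// stay distinct.
function findUserId(array $links, $identityUrl) {
    return isset($links[$identityUrl]) ? $links[$identityUrl] : null;
}

// Log in the linked user if the identifier is known, otherwise
// create a new local user and link the identifier to it.
function loginOrRegister(array &$links, &$nextUserId, $identityUrl) {
    $userId = findUserId($links, $identityUrl);
    if ($userId !== null) {
        return array('existing', $userId);
    }
    $userId = $nextUserId++;
    $links[$identityUrl] = $userId;
    return array('created', $userId);
}

$links = array('https://alice.example.org/' => 1); // constructed link table
$nextUserId = 2;

// The identifier stored at registration maps back to the same account.
var_dump(loginOrRegister($links, $nextUserId, 'https://alice.example.org/'));

// The http:// variant is a different identifier, so it gets its own account
// and never reaches the account linked to the https:// identifier.
var_dump(loginOrRegister($links, $nextUserId, 'http://alice.example.org/'));

// With the scheme stripped both identifiers produce the same key, which
// would map whoever controls the http:// URL onto the https:// account.
var_dump(schemeStrippedKey('http://alice.example.org/')
    === schemeStrippedKey('https://alice.example.org/'));
```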

  • Brendan

    This does not appear to support anything that uses HTTPS. I could not get it to work for Google or for Yahoo.

    It does, however, work for simple URLs like myOpenID

    Any information on how I can get this to work with Google and Yahoo too?

  • cakebaker

    @Brendan: Hm, is OpenSSL installed and enabled in your php.ini?

  • PelleP

    I am trying to get the component working on my project, but it seems like something is redirecting to the $returnTo path by itself and it never comes into the handleOpenIDResponse() function. In my address field I got this long get-statement and the authorization with myOpenID works. What to do? Please help! :)

  • cakebaker

    @PelleP: Hm, I’m not sure I understand what you mean… It works with an OpenID from myOpenID, but not with other OpenIDs? If that’s the case, what OpenIDs don’t work?

    Plus can you show some code (for example as a Gist)?

  • PelleP

    @cakebaker. Sorry for taking up your time. My problem was quite stupid. I had set the routing wrong so I got redirected to my index page instead of being sent back to the usersController.

  • cakebaker

    @PelleP: No problem, I’m glad you could fix the issue :)


© daniel hofstetter. Licensed under a Creative Commons License