New version of the OpenID component
Just uploaded a new version of the OpenID component I wrote some time ago. It now uses version 2.0.0 of the PHP OpenID library, which supports the OpenID 2.0 specification.
As the API has changed a bit, let me make a simple example to show you how the component is used.
First we create the login form:
<?php
// app/views/users/login.ctp
if (isset($message)) {
    // Escape before output: the message can carry text from the OpenID response
    echo '<p class="error">'.h($message).'</p>';
}
echo $form->create('User', array('type' => 'post', 'action' => 'login'));
echo $form->input('OpenidUrl.openid', array('label' => false));
echo $form->end('Login');
?>
As the next step we have to implement the login action in our controller:
<?php
// app/controllers/users_controller.php
class UsersController extends AppController {
    var $components = array('Openid');
    var $uses = array();

    function login() {
        // URL the OpenID provider redirects back to after authentication
        $returnTo = 'http://'.$_SERVER['SERVER_NAME'].'/users/login';

        if (!empty($this->data)) {
            // Login form submitted: start authentication (redirects to the provider)
            try {
                $this->Openid->authenticate($this->data['OpenidUrl']['openid'], $returnTo, 'http://'.$_SERVER['SERVER_NAME']);
            } catch (InvalidArgumentException $e) {
                $this->setMessage('Invalid OpenID');
            } catch (Exception $e) {
                $this->setMessage($e->getMessage());
            }
        } elseif (count($_GET) > 1) {
            // Redirected back from the provider: process the response
            $response = $this->Openid->getResponse($returnTo);

            if ($response->status == Auth_OpenID_CANCEL) {
                $this->setMessage('Verification cancelled');
            } elseif ($response->status == Auth_OpenID_FAILURE) {
                $this->setMessage('OpenID verification failed: '.$response->message);
            } elseif ($response->status == Auth_OpenID_SUCCESS) {
                echo 'successfully authenticated!';
                exit;
            }
        }
        // Plain GET without parameters: fall through and render the login form
    }

    // Passes a status or error message to the view
    private function setMessage($message) {
        $this->set('message', $message);
    }
}
The login action basically performs three things. If it is called with a GET request without any parameters, it simply shows the login form. If we submit the login form, then the OpenID authentication process is started and you will be redirected to your OpenID provider. And when you get redirected back from the OpenID provider, we process the response.
That’s it. You can download the component from the download area (and don’t forget to read the installation instructions).
Happy baking :)




There’s a slight typo in the second catch block. > is not properly rendered.
Anyway great component, thanks!
@klevo: Thanks for the hint, it is fixed now.
Could this be used directly to ask for fullname during authentication ?
@Matti: Yes, you can use either the 4th or 5th parameter of the authenticate() method for this purpose. Simply pass an array with the fields you are interested in, but be aware that it is not guaranteed that those fields will be in the response from the OpenID server.
Hope that helps!
[...] Hofstetter aka CakeBaker has published an updated version of his OpenID component. It can be found here with all the [...]
[...] the OpenID component it is quite easy to use Simple Registration. The authenticate() method provides the two parameters [...]
Argh, set it up, but I keep getting
OpenID verification failed: Server denied check_authentication
when I’m clearly allowing it, not sure where the breakdown is. I’ve googled the server denied message and see a lot of people with different implementations that have the issue, but haven’t found a fix for it yet, anyone run into this and know how to fix it? or at least know how to fix it?
Thanks
@Jeremy: Did you test it with different OpenID providers?
Just signed up for a different one, so I’ve tried both myopenid.com and claimid.com and am getting the same thing.
Just tried a separate provider, so I’ve tried myopenid.com and claimid same issue with both, and it’s definitely authorizing because the count is going up on my history in myopenid. Any ideas where to go from here?
@Jeremy: Hm, difficult to say what the problem is. Did you debug the response you get from the OpenID provider?
[...] Please notice there is a newer tutorial! [...]
If you develop on http://localhost:3000 then you need to use
$returnTo = 'http://'.$_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'].'/users/login';
Also I think you should extend the example to show how simple registration is done.
I am trying the example but there is a problem.
After the redirection return to my site $_GET only contains
Array ( [url] => /openids/login )
So, the script can’t get the info.
Being a cakephp newbie I might have forgotten to do something but what ?
@knud: Thanks for your comments!
I added a link to an article, where I show, how to use the Simple Registration Extension. Hope that helps.
Difficult to say what the problem is. Can you provide more details?
I used cakephp-instaweb it cut off the reply.
When I use apache it works okay.
@knud: Cool to hear it is working! And regarding the problem with cakephp-instaweb, you may contact its author.
I think I was too fast to conclude that it works.
I get the error
“OpenID verification failed: Nonce already used or out of range”
all the time, any ideas why that could be ??
@knud: Hm, never encountered such an error yet. Is your site online?
Maybe the following message helps: http://lists.openidenabled.com/pipermail/dev/2008-February/001068.html
No, my site is not online yet.
Thanks, the problem was the time on my computer as the message suggests.
@knud: Uff, good to hear the tip was helpful :)
I have now installed ntpd, so my time is very precise and openid worked for a time.
But I made some changes to my script which resulted in cake/php taking very long to process my script, and as a result the error is back !
Is openid meant to work like this or is it a bug in the php-openid
library ?
@knud: Hm, what changes did you make? Maybe you can mail me the code that causes the problem?
While working with the component I encountered an error, regarding the return_to which in the latest version of OpenId-PHP library must be a string.
The line 47:
$response = $consumer->complete($_GET);
Must be changed into
$return_to = substr($_GET['openid_return_to'], 0, strpos($_GET['openid_return_to'], "?"));
$response = $consumer->complete($return_to);
This fix was provided on:
http://www.codymays.net/content/2007/02/20/the-future-and-openid/
Calin, line 47 in which file ??
I think I have found the error in php-openid.
An openid response returns 2 nonces.
from consumer: [janrain_nonce] => 2008-04-15T03:18:00ZW7x3v0
from server: [openid_response_nonce] => 2008-04-15T03:18:03ZDK8rIP
The problem is that the timestamp of the server nonce is used to check for a nonce file created with the timestamp from the consumer nonce.
So, if the two timestamps differ within a second you will get an error.
This will happen if your script is slow like when you use cake debug mode 3.
Calin, line 47 in which file ?
I think I have found the error in php-openid !
An openid response returns 2 nonces:
from consumer:[janrain_nonce] => 2008-04-15T03:18:00ZW7x3v0
from server:[openid_response_nonce] => 2008-04-15T03:18:03ZDK8rIP
The problem is that the time stamp from the server nonce
is used to check for a nonce file created by the time stamp
from the consumer nonce.
If the 2 nonces differ within the second you will get an error.
This happens if your script is slow or you are using cake debug mode.
Hope someone with more insight into the php-openid code can help
with a real fix.
@equanimous in the app/controller/components/openid.php
I am also facing the same problem with the nonce, although I don’t think it’s related to the above fix, because after the above fix the authentication worked for me (for a while).
Currently I’m digging for a solution to this… keep you posted.
So looks like the FileStore (Auth/OpenId/FileStore.php) is the trouble maker. The solution was to remove the contents under /app/tmp/openid . Also to see a hint why it cannot open the file containing the nonce remove the @ from Auth/OpenId/FileStore.php line 389 or else the library will complain about the nonce, but you will not see the reason.
Btw, anyone managed to use the MySQLStore instead of the FileStore?
I am sorry about the triple post.
The page did not update, so I made some retries.
calin, line 47 in that file says:
$authRequest->addExtension($sregRequest);
I am using openid_component_2008-02-06.zip which are you using ?
@Calin: I think you downloaded an old version of the component. It’s my bad, somehow the wrong page was shown after upgrading to Wordpress 2.5. It’s now fixed. I’m sorry for the inconvenience…
I haven’t used the MySQLStore yet, but it is probably a good idea to support it in one of the next versions.
@knud: No problem, thanks to your triple post I noticed that a cache was activated which shouldn’t have been activated ;-)
As a workaround you may try to set Security.level to “low” (in app/config/core.php), but I’m not sure it will help in your situation…
After studying the problem in detail it seems that those
who made the openid 2.0 spec really fucked up the nonce issue.
It seems that before 2.0 nonce worked as a non standard (therefore the janrain_nonce format) ticket issued by the consumer and returned by the server.
When the nonce was returned the consumer checked that the nonce was issued.
But in 2.0 response_nonce is issued by the server
and the consumer has to check that the nonce hasn’t been seen before from that server.
It seems that jan rain didn’t make a distinction between the two types of nonce when he made the last update.
I like the ticket idea the most so I will use that,
even if it is not standard.
@knud: I don’t understand exactly the problem you encounter, but I would be careful with using a non-standard approach and test it with different OpenID providers (OPs). If it works with different OPs, then go for it :)
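
The nonce discussion in the comments above, as an added example that is not part of the original post, the comments or the php-openid library: a relying-party check of the provider-issued openid.response_nonce as OpenID 2.0 describes it (timestamp inside an allowed window, value not yet accepted from that provider endpoint). The function name, the in-memory store, the 300-second window and the endpoint URL are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example, not php-openid code. checkResponseNonce(), $seen and
// MAX_SKEW are hypothetical names; the 300 s window is an assumed value.
const MAX_SKEW = 300;

// Returns 'ok', 'malformed', 'out_of_range' or 'replayed'.
// $seen is the replay store: "OP endpoint + nonce" => issue time.
function checkResponseNonce(string $opEndpoint, string $nonce, array &$seen, int $now): string
{
    // OpenID 2.0 format: UTC timestamp, then printable ASCII, 255 chars at most.
    if (strlen($nonce) > 255 ||
        !preg_match('/^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)[\x21-\x7e]*\z/', $nonce, $m)) {
        return 'malformed';
    }
    $dt = DateTime::createFromFormat('!Y-m-d\TH:i:s\Z', $m[1], new DateTimeZone('UTC'));
    if ($dt === false) {
        return 'malformed';
    }
    $issued = $dt->getTimestamp();
    // The timestamp is the OP's clock, $now is ours: a wrong local clock fails here.
    if (abs($now - $issued) > MAX_SKEW) {
        return 'out_of_range';
    }
    // Drop entries the window check would reject anyway, so the store stays bounded.
    $seen = array_filter($seen, function ($ts) use ($now) {
        return $now - $ts <= MAX_SKEW;
    });
    // Replay check is per OP endpoint and uses the nonce exactly as received.
    $key = $opEndpoint . ' ' . $nonce;
    if (isset($seen[$key])) {
        return 'replayed';
    }
    $seen[$key] = $issued;
    return 'ok';
}

// Constructed inputs: the nonce value is the server nonce quoted in the
// comments above, the endpoint URL is a placeholder.
$op    = 'https://op.example/server';
$nonce = '2008-04-15T03:18:03ZDK8rIP';
$now   = gmmktime(3, 18, 5, 4, 15, 2008);   // our clock, 2 s after the OP issued it
$seen  = array();
echo checkResponseNonce($op, $nonce, $seen, $now), "\n";        // first use
echo checkResponseNonce($op, $nonce, $seen, $now + 1), "\n";    // same response again
$fresh = array();
echo checkResponseNonce($op, $nonce, $fresh, $now + 900), "\n"; // local clock 15 min off
```

The array only illustrates the logic; across requests the store has to be persistent, which is the role of the FileStore or MySQLStore mentioned in the comments.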