This release fixes a bug in the isOpenIDResponse() method. So far this method only recognized OpenID responses from a GET request. But as I had to learn, there are OpenID providers (e.g. Hyves) responding with a POST request… So, if you use the isOpenIDResponse() method, please upgrade to the new version.

However, this bug not only affected the component itself but also the examples and the example application. They contained code that looked like:

if ($this->RequestHandler->isPost()) {
    // make OpenID request
} elseif ($this->Openid->isOpenIDResponse()) {
    // handle OpenID response
}

This snippet will fail if the response from an OpenID provider is a POST request. Instead it should look like:

if ($this->RequestHandler->isPost() && !$this->Openid->isOpenIDResponse()) {
    // make OpenID request
} elseif ($this->Openid->isOpenIDResponse()) {
    // handle OpenID response
}

Please fix this in your code if you followed the examples.

Thanks go to Sam Mousa for reporting this issue.

I also got asked whether there is an example application that shows the usage of the OpenID component. As I already use a very simple application to test the component manually, I pushed this application to GitHub (you can see the application in action on http://openid-example.42dh.com/). I hope this will make it easier for some of you to get started with the OpenID component.

Let’s say we want to add a method to the request handler component. And so we create a new class which inherits from the request handler component:

// app/controllers/components/my_request_handler.php
App::import('Component', 'RequestHandler');
class MyRequestHandlerComponent extends RequestHandlerComponent {
    public function example() {
        // do something
    }
}

To use this component, we have to add it to the $components array of our controller:

// app/app_controller.php
class AppController extends Controller {
    public $components = array('MyRequestHandler');	
}

Nothing new so far. However, a disadvantage of this approach is that you have to use the component in the following way:

$this->MyRequestHandler->isAjax();
$this->MyRequestHandler->example();

Wouldn’t it be nice if we could use it in the usual way?

$this->RequestHandler->isAjax();
$this->RequestHandler->example();

And yes, it is possible. For this purpose we have to override Controller::constructClasses():

// app/app_controller.php
class AppController extends Controller {
    public $components = array('MyRequestHandler');
	
    public function constructClasses() {
        parent::constructClasses();
        $this->RequestHandler = $this->MyRequestHandler;
    }
}

Happy baking!

Almost all external libraries are now included in the package to make the installation a bit easier. Included are the required PHP OpenID library and PEAR DB (which is used if you want to store the OpenID data in the database). Not included is the EAUT library as I think this standard is dead (i.e. nobody is using it).

The configuration settings are now set when you add the OpenID component to the $components array of your controller(s):

public $components = array('Openid' => array('use_database' => true));

or

public $components = array('Openid' => array('database_config' => 'name_of_database_config));

The old way, using Configure::write(), is no longer supported:

Configure::write('Openid.use_database', true);
Configure::write('Openid.database_config', 'name_of_database_config');

So, if you upgrade and you use those configuration settings, make sure to adapt your code accordingly.

Last, but not least, I fixed a bug which caused a “class not found” error if you used the component in a plugin.

That’s it. You can get the component from http://code.42dh.com/openid or directly from GitHub.

Happy baking!

Some days ago I got asked how you can use the OpenID component together with the Auth component from CakePHP.

As I didn’t knew the answer, I had to experiment a bit. Even though it was a quite frustrating experience (thanks to the strange design of the Auth component and too much automagic), I finally managed to find a “solution”. It is rather a hack, but it seems to work ;-)

Ok, here we go.

The first step is to create the login form. Because the Auth component expects the login credentials to consist of username and password, we have to add a (hidden) field for the password.

<?php
// app/views/users/login.ctp
$session->flash('auth');

echo $form->create('User', array('action' => 'login'));
echo $form->input('username', array('label' => 'OpenID:'));
echo $form->input('password', array('type' => 'hidden'));
echo $form->end('Login');
?>

The next step is to create the UsersController. The login() method is a bit special in this case, it is called three times: when you visit the login form, when you submit the login form, and when you come back from the OpenID provider. The rest of the code should be self-explanatory (if not, please leave a comment).

// app/controllers/users_controller.php
class UsersController extends AppController {
    public $components = array('Auth', 'Openid', 'RequestHandler');
 
    public function beforeFilter() {
        $this->Auth->loginError = 'Login failed';
    }
    
    public function login() { 
        $returnTo = 'http://'.$_SERVER['SERVER_NAME'].'/users/login';
		
        if ($this->RequestHandler->isPost()) {   
    	    $this->makeOpenIDRequest($this->data['User']['username'], $returnTo);
        }
    	
        if ($this->isOpenIDResponse()) {
            $this->handleOpenIDResponse($returnTo);
        }
    }
    
    private function makeOpenIDRequest($openid, $returnTo) {
        try {
            $this->Openid->authenticate($openid, $returnTo, 'http://'.$_SERVER['SERVER_NAME']);
        } catch (Exception $e) {
            // empty
        }
    }
    
    private function isOpenIDResponse() {
        return (count($_GET) > 1);
    }
    
    private function handleOpenIDResponse($returnTo) {
        $response = $this->Openid->getResponse($returnTo);
        $this->Auth->login($response);
        $this->redirect($this->Auth->redirect());
    }
    
    public function logout() {
        $this->redirect($this->Auth->logout());
    }
}

As you can see in the handleOpenIDResponse() method, we pass the OpenID response object to the login method of the Auth component. As the Auth component cannot know how to deal with that object, we have to write some functionality to deal with the response object. For this purpose we have to override the find() method of the User model, as it is the method which is eventually called by the Auth component if you call its login() method. The response object is passed to the find() method in the $conditions array and is available via the strange “`User`.`id`” key. The implementation itself is quite simple: you have to return an array with user data if the login was successful, or an empty array if the login was not successful.

// app/models/user.php
class User extends AppModel {
    public function find($conditions = null, $fields = array(), $order = null, $recursive = null) {	
        if (is_array($conditions) && isset($conditions['`User`.`id`'])) {
            $response = $conditions['`User`.`id`'];
			
            if ($response->status == Auth_OpenID_SUCCESS) {
                return array('User' => array('openid' => $response->identity_url));
            }
			
            return array();
        }

        if (is_array($conditions) && isset($conditions['User.username']) && isset($conditions['User.password'])) {
            return array();
        }
		
        return parent::find($conditions, $fields, $order, $recursive);
    }
}

Especially if you have only an OpenID column in your table you have to hinder the Auth component from performing a find() operation using the non-existing columns “username” and “password”, hence the check in the example whether those conditions are set.

With that, it should now be possible to login with your OpenID into your application protected by the Auth component.

I hope this is useful for some of you!

Update (2008-12-24): Fixing some small issues mentioned by lboy in the comments.

First, there are some preparations necessary, namely the download of the required files:

• Get the OAuth component and place its content in “app/controllers/components”
• Get the OAuth library and put it in “vendors/OAuth”
• Set the security level in app/config/core.php to “low” (thanks to Bryan Young for mentioning in the comments)

The next step is to register your application at the service provider (e.g. Yahoo’s Fire Eagle) to get consumer key and consumer secret. Those values are then stored in a class called FireEagleConsumer if we go on using Fire Eagle as example service provider in this article:

// app/controllers/components/oauth_consumers/fire_eagle_consumer.php
class FireEagleConsumer extends AbstractConsumer {
    public function __construct() {
        parent::__construct('THE KEY', 'THE SECRET');
    }
}

This class is then used by the component to access consumer key and secret.

Using an OAuth-enabled API consists of four steps:

• Get RequestToken
• Authorize RequestToken
• Exchange RequestToken for AccessToken
• Access the API using the AccessToken

In the ideal case the first three steps are performed once. But it is also possible that for example the service provider expires the AccessToken after some time, and so those steps have to be repeated.

Anyway, let’s have a look at how those steps look in code. We start with getting the RequestToken:

// app/controller/oauth_consumer_example_controller.php
class OauthConsumerExampleController extends AppController {
    public $uses = array();
    public $components = array('OauthConsumer');
	
    public function index() {
        $requestToken = $this->OauthConsumer->getRequestToken('FireEagle', 'https://fireeagle.yahooapis.com/oauth/request_token');
        $this->Session->write('requestToken', $requestToken);
    }
}

The code is probably self-explanatory, we have to add the component to the $components array, and then we get the RequestToken from the specified url (while writing this I just realized it would make sense to move the url to the FireEagleConsumer class…).

The next step is simple: we have to redirect the user to the authorize page of the service provider:

// app/controller/oauth_consumer_example_controller.php
class OauthConsumerExampleController extends AppController {
    public $uses = array();
    public $components = array('OauthConsumer');
	
    public function index() {
        $requestToken = $this->OauthConsumer->getRequestToken('FireEagle', 'https://fireeagle.yahooapis.com/oauth/request_token');
        $this->Session->write('requestToken', $requestToken);
        $this->redirect('http://fireeagle.yahoo.net/oauth/authorize?oauth_token='.$requestToken->key);
    }
}

After the RequestToken is authorized, we get redirected to a callback url we specified while registering the application. We can now exchange the authorized RequestToken for an AccessToken:

// app/controller/oauth_consumer_example_controller.php
class OauthConsumerExampleController extends AppController {
    public $uses = array();
    public $components = array('OauthConsumer');

    ...

    public function callback() {
        $requestToken = $this->Session->read('requestToken');
        $accessToken = $this->OauthConsumer->getAccessToken('FireEagle', 'https://fireeagle.yahooapis.com/oauth/access_token', $requestToken);
    }
}

In a real use case you would also save the data of the AccessToken (key and secret) to the database, so you don’t have to perform all those steps every time you want to call the API.

The last step is to call the API, in this example to get the latest location of the user:

// app/controller/oauth_consumer_example_controller.php
class OauthConsumerExampleController extends AppController {
    public $uses = array();
    public $components = array('OauthConsumer');

    ...

    public function callback() {
        $requestToken = $this->Session->read('requestToken');
        $accessToken = $this->OauthConsumer->getAccessToken('FireEagle', 'https://fireeagle.yahooapis.com/oauth/access_token', $requestToken);
        $data = $this->OauthConsumer->get('FireEagle', $accessToken->key, $accessToken->secret, 'https://fireeagle.yahooapis.com/api/0.1/user');
        // do something with the data
    }
}

That’s it. Feedback is welcome!

Update 2008-09-15: Slightly adapted for new version of the component.
Update 2009-01-14: Adding hint about security level.

Anyway, in the meantime I used a more pragmatic approach and used what’s already there. So, instead of using CakePHP for accessing the database, the superseded PEAR DB package is used…

If you want to use the OpenID component with MySQL, you have to perform the following steps:

• Download the latest version of the OpenID component
• If you already use the component, simply replace it with the new version. In the other case follow the installation instructions from the download page
• Execute the SQL script included in the zip file to create the necessary tables
• Download the PEAR base system and place PEAR.php from the zip in vendors/pear
• Download PEAR DB and place DB.php and the DB folder from the zip in vendors/pear
• In the file which uses the OpenID component add: Configure::write(‘Openid.use_database’, true);
• If you want to use a database configuration other than “default” you can specify it with: Configure::write(‘Openid.database_config’, ‘name_of_database_config’);

With that, the data should now get stored in the database. If there are any questions/problems/whatever, please leave a comment!

As its name implies, the beforeRender() callback method is called before the view is rendered, but after the beforeRender() callback method of the controller:

// in your component
public function beforeRender($controller) {
    // do something
}

The beforeRedirect() callback is also quite obvious, it gets called before a redirect is performed:

// in your component
public function beforeRedirect($controller, $url, $status = null, $exit = true) {
    // do something
}

By providing a return value, you can override the values with which the redirect method was originally called. For example:

public function beforeRedirect($controller, $url, $status = null, $exit = true) {
    // return '/redirect/target';  // a single value is treated as an URL
    return array('url' => '/redirect/target', 'status' => 307);
}

The last callback method, shutdown(), is called after Controller::render() and before Controller::afterFilter():

// in your component
public function shutdown($controller) {
    // do something
}

Those callback methods are probably a “nice to have” feature, at least I didn’t miss them up to now.

Anyway, happy baking!

One idea is to move the functionality to the AppModel. That works, but it is a dirty solution. The AppModel should contain generic functionality relevant for all models, and not functionality specific to only two models.

Another idea is to move the functionality into a class in the vendors folder and to load it with App::import(). That works fine, but if you compare this solution with elements and helpers for reusing view functionality, and with components for reusing controller functionality, it is a bit strange there is no “native” solution for models (sure, there are behaviors, but they are not designed for the kind of code reuse I described above).

Hence I think it would be useful to have model “components”, which could be realized in the same way as controller components are realized. For example:

class Example extends AppModel {
    public $components = array('X');

    public function doSomething() {
        ...
        $this->X->doSomethingElse(); // using model component
        ...
    }
}

In the longer term it would even make sense to have a unified “components” concept to replace the current concepts of components and helpers. But well, we will see what the future brings ;-)

As the API has changed a bit, let me make a simple example to show you how the component is used.

First we create the login form:

<?php
// app/views/users/login.ctp
if (isset($message)) {
    echo '<p class="error">'.$message.'</p>';
}
echo $form->create('User', array('type' => 'post', 'action' => 'login'));
echo $form->input('OpenidUrl.openid', array('label' => false));
echo $form->end('Login');
?>

As next step we have to implement the login action in our controller:

// app/controllers/users_controller.php
class UsersController extends AppController {
    var $components = array('Openid');
    var $uses = array();

    function login() {
        $returnTo = 'http://'.$_SERVER['SERVER_NAME'].'/users/login';

        if (!empty($this->data)) {
            try {
                $this->Openid->authenticate($this->data['OpenidUrl']['openid'], $returnTo, 'http://'.$_SERVER['SERVER_NAME']);
            } catch (InvalidArgumentException $e) {
                $this->setMessage('Invalid OpenID');
            } catch (Exception $e) {
                $this->setMessage($e->getMessage());
            }
        } elseif (count($_GET) > 1) {
            $response = $this->Openid->getResponse($returnTo);

            if ($response->status == Auth_OpenID_CANCEL) {
                $this->setMessage('Verification cancelled');
            } elseif ($response->status == Auth_OpenID_FAILURE) {
                $this->setMessage('OpenID verification failed: '.$response->message);
            } elseif ($response->status == Auth_OpenID_SUCCESS) {
                echo 'successfully authenticated!';
                exit;
            }
        }
    }

    private function setMessage($message) {
        $this->set('message', $message);
    }
}

The login action basically performs three things. If it is called with a GET request without any parameters, it simply shows the login form. If we submit the login form, then the OpenID authentication process is started and you will be redirected to your OpenID provider. And when you get redirected back from the OpenID provider, we process the response.

That’s it. You can download the component from the download area (and don’t forget to read the installation instructions).

Happy baking :)

See also: Using the OpenID Simple Registration Extension