This release fixes a bug in the isOpenIDResponse() method. So far this method only recognized OpenID responses from a GET request. But as I had to learn, there are OpenID providers (e.g. Hyves) responding with a POST request… So, if you use the isOpenIDResponse() method, please upgrade to the new version.

However, this bug not only affected the component itself but also the examples and the example application. They contained code that looked like:

if ($this->RequestHandler->isPost()) {
    // make OpenID request
} elseif ($this->Openid->isOpenIDResponse()) {
    // handle OpenID response
}

This snippet will fail if the response from an OpenID provider is a POST request. Instead it should look like:

if ($this->RequestHandler->isPost() && !$this->Openid->isOpenIDResponse()) {
    // make OpenID request
} elseif ($this->Openid->isOpenIDResponse()) {
    // handle OpenID response
}

Please fix this in your code if you followed the examples.

Thanks go to Sam Mousa for reporting this issue.

I also got asked whether there is an example application that shows the usage of the OpenID component. As I already use a very simple application to test the component manually, I pushed this application to GitHub (you can see the application in action on http://openid-example.42dh.com/). I hope this will make it easier for some of you to get started with the OpenID component.

To update, simply replace the OpenID component and the content of the “vendors/Auth” folder (and its subfolders) with the files from the zip archive.

You can download the new version from Github.

The reason it didn’t work is that Google introduced it’s own OpenID discovery protocol as they faced challenges not addressed by the current version (2.0) of the OpenID standard. And this means such OpenIDs are not recognized by current OpenID libraries. For this reason, Google provides with php-openid-apps-discovery an add-on to the PHP OpenID library.

I integrated this add-on into the OpenID component as an optional feature. You have to enable it with:

public $components = array('Openid' => array('accept_google_apps' => true));

I made it an optional feature because it introduces an additional step to the authentication process: the provided OpenID url is sent to Google to figure out whether it is a Google Apps OpenID. And this makes the authentication process a bit slower. Hence I think you should have a choice whether you want to use this feature.

The new version of the OpenID component doesn’t contain any other new features/bugfixes.

You can download the component from Github.

Enjoy!

In this case, the following steps might help to fix this issue:

• Ensure you have Curl and OpenSSL installed
• Enable the Curl and OpenSSL extensions in your php.ini (on Archlinux this file is found in /etc/php/):

  extension=curl.so
  extension=openssl.so
  

• Restart your web server

Now the error message should disappear and you should be able to log in with the Google OpenID.

—-

That’s it for 2009. It was a rather lazy year on this blog from my side (I didn’t even manage to do a redesign…), and so I hope I will be a bit less lazy with writing on this blog in 2010.

Anyway, thank you for reading this blog, and for all your comments and emails. A Happy New Year everyone & cu in 2010 :)

AX is in principle the “big brother” of the Simple Registration Extension (or SReg for short). Whereas SReg only allows you to retrieve nine commonly requested pieces of information, AX allows you to retrieve any identity information. And theoretically it also allows you to store/update your identity information at your OpenID provider. But it seems like no OpenID provider supports this feature…

Let’s have a look at an example.

First the login method:

// app/controllers/users_controller.php
class UsersController extends AppController {
    public $components = array('Openid', 'RequestHandler');

    public function login() {
        $realm = 'http://'.$_SERVER['SERVER_NAME'];
        $returnTo = $realm . '/users/login';

        if ($this->RequestHandler->isPost()) {
            $this->makeOpenIDRequest($this->data['User']['openid_identifier'], $returnTo, $realm);
        } elseif ($this->Openid->isOpenIDResponse()) {
            $this->handleOpenIDResponse($returnTo);
        }
    }
}

The next step is to implement the makeOpenIDRequest() method. For each attribute we want to retrieve, we have to create an Auth_OpenID_AX_AttrInfo object with the respective attribute type. A list of possible types is available on http://www.axschema.org/types/. Though there are many types defined, OpenID providers usually only support a small subset of those types.

The “1″ we pass to the make() method specifies the number of values we want for this type. In this example it doesn’t make much sense to specify a value other than “1″, but for other types it is theoretically possible to have multiple values (for example you could have defined multiple email addresses). It is an optional parameter and by default it is “1″.

The last parameter specifies whether the value of the attribute is required for our application. This is simply a hint for the OpenID provider so it could display this attribute differently, but it doesn’t guarantee a value is returned. By default this parameter is “false”.

(Update 2010-04-19: Google requires that you set the fourth parameter of the make() method: a string with an alias for the attribute.)

private function makeOpenIDRequest($openid, $returnTo, $realm) {
    $attributes[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson', 1, true);
    $this->Openid->authenticate($openid, $returnTo, $realm, array('ax' => $attributes));
}

Finally, we have to implement the handleOpenIDResponse() method. As we expect only one value for the attribute we specified, we can use either get() or getSingle() to retrieve its value. getSingle() returns the value whereas get() returns an array.

private function handleOpenIDResponse($returnTo) {
    $response = $this->Openid->getResponse($returnTo);

    if ($response->status == Auth_OpenID_SUCCESS) {
        $axResponse = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response);

        if ($axResponse) {
            debug($axResponse->get('http://axschema.org/namePerson'));
            debug($axResponse->getSingle('http://axschema.org/namePerson'));
        }
    }
}

That’s it.

You can get the new version of the OpenID component from GitHub. If you use SReg in your code and you want to update to this version, please make sure to adapt your code in the following way:

// old
$this->Openid->authenticate($openid, $returnTo, $realm, array('email'), array('nickname'));

// new
$this->Openid->authenticate($openid, $returnTo, $realm, array('sreg_required' => array('email'), 'sreg_optional' => array('nickname')));

Feedback is welcome :)

Almost all external libraries are now included in the package to make the installation a bit easier. Included are the required PHP OpenID library and PEAR DB (which is used if you want to store the OpenID data in the database). Not included is the EAUT library as I think this standard is dead (i.e. nobody is using it).

The configuration settings are now set when you add the OpenID component to the $components array of your controller(s):

public $components = array('Openid' => array('use_database' => true));

or

public $components = array('Openid' => array('database_config' => 'name_of_database_config));

The old way, using Configure::write(), is no longer supported:

Configure::write('Openid.use_database', true);
Configure::write('Openid.database_config', 'name_of_database_config');

So, if you upgrade and you use those configuration settings, make sure to adapt your code accordingly.

Last, but not least, I fixed a bug which caused a “class not found” error if you used the component in a plugin.

That’s it. You can get the component from http://code.42dh.com/openid or directly from GitHub.

Happy baking!

Some days ago I got asked how you can use the OpenID component together with the Auth component from CakePHP.

As I didn’t knew the answer, I had to experiment a bit. Even though it was a quite frustrating experience (thanks to the strange design of the Auth component and too much automagic), I finally managed to find a “solution”. It is rather a hack, but it seems to work ;-)

Ok, here we go.

The first step is to create the login form. Because the Auth component expects the login credentials to consist of username and password, we have to add a (hidden) field for the password.

<?php
// app/views/users/login.ctp
$session->flash('auth');

echo $form->create('User', array('action' => 'login'));
echo $form->input('username', array('label' => 'OpenID:'));
echo $form->input('password', array('type' => 'hidden'));
echo $form->end('Login');
?>

The next step is to create the UsersController. The login() method is a bit special in this case, it is called three times: when you visit the login form, when you submit the login form, and when you come back from the OpenID provider. The rest of the code should be self-explanatory (if not, please leave a comment).

// app/controllers/users_controller.php
class UsersController extends AppController {
    public $components = array('Auth', 'Openid', 'RequestHandler');
 
    public function beforeFilter() {
        $this->Auth->loginError = 'Login failed';
    }
    
    public function login() { 
        $returnTo = 'http://'.$_SERVER['SERVER_NAME'].'/users/login';
		
        if ($this->RequestHandler->isPost()) {   
    	    $this->makeOpenIDRequest($this->data['User']['username'], $returnTo);
        }
    	
        if ($this->isOpenIDResponse()) {
            $this->handleOpenIDResponse($returnTo);
        }
    }
    
    private function makeOpenIDRequest($openid, $returnTo) {
        try {
            $this->Openid->authenticate($openid, $returnTo, 'http://'.$_SERVER['SERVER_NAME']);
        } catch (Exception $e) {
            // empty
        }
    }
    
    private function isOpenIDResponse() {
        return (count($_GET) > 1);
    }
    
    private function handleOpenIDResponse($returnTo) {
        $response = $this->Openid->getResponse($returnTo);
        $this->Auth->login($response);
        $this->redirect($this->Auth->redirect());
    }
    
    public function logout() {
        $this->redirect($this->Auth->logout());
    }
}

As you can see in the handleOpenIDResponse() method, we pass the OpenID response object to the login method of the Auth component. As the Auth component cannot know how to deal with that object, we have to write some functionality to deal with the response object. For this purpose we have to override the find() method of the User model, as it is the method which is eventually called by the Auth component if you call its login() method. The response object is passed to the find() method in the $conditions array and is available via the strange “`User`.`id`” key. The implementation itself is quite simple: you have to return an array with user data if the login was successful, or an empty array if the login was not successful.

// app/models/user.php
class User extends AppModel {
    public function find($conditions = null, $fields = array(), $order = null, $recursive = null) {	
        if (is_array($conditions) && isset($conditions['`User`.`id`'])) {
            $response = $conditions['`User`.`id`'];
			
            if ($response->status == Auth_OpenID_SUCCESS) {
                return array('User' => array('openid' => $response->identity_url));
            }
			
            return array();
        }

        if (is_array($conditions) && isset($conditions['User.username']) && isset($conditions['User.password'])) {
            return array();
        }
		
        return parent::find($conditions, $fields, $order, $recursive);
    }
}

Especially if you have only an OpenID column in your table you have to hinder the Auth component from performing a find() operation using the non-existing columns “username” and “password”, hence the check in the example whether those conditions are set.

With that, it should now be possible to login with your OpenID into your application protected by the Auth component.

I hope this is useful for some of you!

Update (2008-12-24): Fixing some small issues mentioned by lboy in the comments.

Anyway, in the meantime I used a more pragmatic approach and used what’s already there. So, instead of using CakePHP for accessing the database, the superseded PEAR DB package is used…

If you want to use the OpenID component with MySQL, you have to perform the following steps:

• Download the latest version of the OpenID component
• If you already use the component, simply replace it with the new version. In the other case follow the installation instructions from the download page
• Execute the SQL script included in the zip file to create the necessary tables
• Download the PEAR base system and place PEAR.php from the zip in vendors/pear
• Download PEAR DB and place DB.php and the DB folder from the zip in vendors/pear
• In the file which uses the OpenID component add: Configure::write(‘Openid.use_database’, true);
• If you want to use a database configuration other than “default” you can specify it with: Configure::write(‘Openid.database_config’, ‘name_of_database_config’);

With that, the data should now get stored in the database. If there are any questions/problems/whatever, please leave a comment!

The protocol works in the following way (optimal scenario):

• The user enters his email address, e.g. daniel@example.com
• The server makes a request to http://example.com to get the location of an XML file with EAUT information
• The server retrieves the XML file
• Using the information from the XML file, the server transforms the email address to an URL, e.g. daniel@example.com to http://daniel.example.com
• The server can now use this URL, for example, to perform an OpenID authentication

For the curious the XML file for the transformation described above:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
    xmlns:xrds="xri://$xrds"
    xmlns:openid="http://openid.net/xmlns/1.0"
    xmlns="xri://$xrd*($v*2.0)">
    <XRD>
        <Service priority="0">
            <Type>http://specs.eaut.org/1.0/template</Type>
            <URI>http://%7Busername%7D.example.com</URI>
        </Service>
    </XRD>
</xrds:XRDS>

Ok, that was a short introduction to EAUT, for more details I recommend to have a look at the specification.

If you want to use EAUT in your application, you do not have to care much about the protocol details. There are libraries for PHP, Python, and Rails, which do the heavy work for you.

And to make it even easier for cakebakers, I integrated EAUT support into the latest version of the OpenID component. To enable it, you simply have to place the EAUT library (Email.php) in the vendors/Auth/Yadis folder. And with that it should also be possible for your users to use an email address instead of an OpenID for authentication purposes.

PS: On September 13/14 there will be a NoseRub DevCamp