File: Zend_OpenId-Introduction.xml

zendframework 1.12.9+dfsg-2
<?xml version="1.0" encoding="UTF-8"?>
<!-- Reviewed: no -->
<sect1 id="zend.openid.introduction">
    <title>Introduction</title>

    <para>
        <classname>Zend_OpenId</classname> is a Zend Framework component that provides a
        simple <acronym>API</acronym> for building OpenID-enabled sites and identity providers.
    </para>

    <sect2 id="zend.openid.introduction.what">
        <title>What is OpenID?</title>

        <para>
            OpenID is a set of protocols for user-centric digital identities.
            These protocols allow users to create an identity online, using an identity
            provider. This identity can be used on any site that supports OpenID.
            Using OpenID-enabled sites, users do not need to remember traditional
            authentication tokens such as usernames and passwords for each site. All OpenID-enabled
            sites accept a single OpenID identity. This identity is typically a
            <acronym>URL</acronym>. It may be the <acronym>URL</acronym> of the user's personal
            page, blog or other resource that may provide additional information about them. That
            means a user needs just one identifier for all sites he or she uses. OpenID is
            an open, decentralized, and free user-centric solution. Users may choose which OpenID
            provider to use, or even create their own personal identity server. No central authority
            is required to approve or register OpenID-enabled sites or identity providers.
        </para>

        <para>
            For more information about OpenID visit the <ulink url="http://www.openid.net/">OpenID
                official site</ulink>.
        </para>
    </sect2>

    <sect2 id="zend.openid.introduction.how">
        <title>How Does it Work?</title>

        <para>
            The purpose of the <classname>Zend_OpenId</classname> component is to
            implement the OpenID authentication protocol as described in the following
            sequence diagram:
        </para>

        <para>
            <inlinegraphic align="center" fileref="figures/zend.openid.protocol.jpg" format="JPEG"
                scale="100" valign="middle" width="559" />
        </para>

        <orderedlist>
            <listitem>
                <para>
                    Authentication is initiated by the end user, who passes their
                    OpenID identifier to the OpenID consumer through a User-Agent.
                </para>
            </listitem>

            <listitem>
                <para>
                    The OpenID consumer performs normalization and discovery on the user-supplied
                    identifier. Through this process, the consumer obtains the claimed identifier,
                    the <acronym>URL</acronym> of the OpenID provider and an OpenID protocol
                    version.
                </para>
            </listitem>

            <listitem>
                <para>
                    The OpenID consumer establishes an optional association with the
                    provider using Diffie-Hellman keys. As a result, both parties have
                    a common "shared secret" that is used for signing and verification
                    of the subsequent messages.
                </para>
            </listitem>

            <listitem>
                <para>
                    The OpenID consumer redirects the User-Agent to the <acronym>URL</acronym> of
                    the OpenID provider with an OpenID authentication request.
                </para>
            </listitem>

            <listitem>
                <para>
                    The OpenID provider checks if the User-Agent is already
                    authenticated and, if not, prompts the user to authenticate.
                </para>
            </listitem>

            <listitem>
                <para>
                    The end user enters the required password.
                </para>
            </listitem>

            <listitem>
                <para>
                    The OpenID provider checks if it is allowed to pass the user
                    identity to the given consumer, and asks the user if necessary.
                </para>
            </listitem>

            <listitem>
                <para>
                    The user allows or disallows passing their identity.
                </para>
            </listitem>

            <listitem>
                <para>
                    The OpenID Provider redirects the User-Agent back to the OpenID
                    consumer with an "authentication approved" or "failed" request.
                </para>
            </listitem>

            <listitem>
                <para>
                    The OpenID consumer verifies the information received from the
                    provider by using the shared secret it got in step 3 or by
                    sending an additional direct request to the OpenID provider.
                </para>
            </listitem>
        </orderedlist>
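
        <para>
            The signature check from step 10, using the key shared in step 3, as an added
            example that is not part of <classname>Zend_OpenId</classname>. The function
            names are hypothetical, and the sketch assumes PHP 7 or later, an HMAC-SHA256
            association and OpenID Authentication 2.0 field names.
        </para>

        <programlisting language="php"><![CDATA[
```php
<?php
// Added example; function names are hypothetical, not Zend_OpenId API.
// Fields OpenID Authentication 2.0 always requires the provider to sign.
const ALWAYS_SIGNED = ['op_endpoint', 'return_to', 'response_nonce', 'assoc_handle'];

// Build the key-value form covered by the signature: "name:value\n" per signed field.
function signatureBase(array $msg): ?string
{
    $signed = explode(',', $msg['openid.signed'] ?? '');
    $required = ALWAYS_SIGNED;
    foreach (['claimed_id', 'identity'] as $name) {   // must be signed when present
        if (isset($msg["openid.$name"])) { $required[] = $name; }
    }
    if (array_diff($required, $signed)) {
        return null;                      // a security-relevant field is unsigned
    }
    $base = '';
    foreach ($signed as $name) {
        if (!isset($msg["openid.$name"])) {
            return null;                  // listed as signed but absent
        }
        $base .= $name . ':' . $msg["openid.$name"] . "\n";
    }
    return $base;
}

function verifyAssertion(array $msg, string $macKey, string $algo = 'sha256'): bool
{
    $base = signatureBase($msg);
    $sig  = base64_decode($msg['openid.sig'] ?? '', true);
    if ($base === null || $sig === false) {
        return false;
    }
    return hash_equals(hash_hmac($algo, $base, $macKey, true), $sig); // constant time
}

// Constructed sample: the MAC key and every field value are made up.
$macKey = str_repeat("\x0b", 32);
$msg = [
    'openid.op_endpoint'    => 'https://op.example.org/server',
    'openid.claimed_id'     => 'https://alice.example.org/',
    'openid.identity'       => 'https://alice.example.org/',
    'openid.return_to'      => 'https://rp.example.com/return',
    'openid.response_nonce' => '2024-01-01T00:00:00Zabc123',
    'openid.assoc_handle'   => 'handle-1',
    'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle',
];
$msg['openid.sig'] = base64_encode(hash_hmac('sha256', signatureBase($msg), $macKey, true));
var_dump(verifyAssertion($msg, $macKey));   // message exactly as signed
$msg['openid.identity'] = 'https://mallory.example.org/';
var_dump(verifyAssertion($msg, $macKey));   // field altered after signing
```
]]></programlisting>

        <para>
            A valid signature covers message integrity only. The consumer must also confirm
            that the return <acronym>URL</acronym> is its own and that the response nonce
            has not been seen before.
        </para>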
    </sect2>

    <sect2 id="zend.openid.introduction.structure">
        <title>Zend_OpenId Structure</title>

        <para>
            <classname>Zend_OpenId</classname> consists of two sub-packages. The first one
            is <classname>Zend_OpenId_Consumer</classname> for developing OpenID-enabled sites,
            and the second is <classname>Zend_OpenId_Provider</classname> for developing OpenID
            servers. They are completely independent of each other and may be used
            separately.
        </para>

        <para>
            The only common code used by these sub-packages is the OpenID Simple
            Registration Extension, implemented by the
            <classname>Zend_OpenId_Extension_Sreg</classname> class, and a set of utility
            functions implemented by the <classname>Zend_OpenId</classname> class.
        </para>

        <note>
            <para>
                <classname>Zend_OpenId</classname> takes advantage of the <ulink
                    url="http://php.net/gmp">GMP extension</ulink>, where available. Consider
                enabling the GMP extension for enhanced performance when using
                <classname>Zend_OpenId</classname>.
            </para>
        </note>
    </sect2>

    <sect2 id="zend.openid.introduction.standards">
        <title>Supported OpenID Standards</title>

        <para>
            The <classname>Zend_OpenId</classname> component supports the following
            standards:
        </para>

        <itemizedlist>
            <listitem>
                <para>
                    OpenID Authentication protocol version 1.1
                </para>
            </listitem>

            <listitem>
                <para>
                    OpenID Authentication protocol version 2.0 draft 11
                </para>
            </listitem>

            <listitem>
                <para>
                    OpenID Simple Registration Extension version 1.0
                </para>
            </listitem>

            <listitem>
                <para>
                    OpenID Simple Registration Extension version 1.1 draft 1
                </para>
            </listitem>
        </itemizedlist>
    </sect2>
</sect1>
<!--
vim:se ts=4 sw=4 et:
-->