1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
|
<?xml version="1.0" encoding="UTF-8"?>
<!-- Reviewed: no -->
<sect1 id="zend.openid.provider">
<title>Zend_OpenId_Provider</title>
<para>
<classname>Zend_OpenId_Provider</classname> can be used to implement OpenID
servers. This chapter provides examples that demonstrate how to
build a very basic server. However, for implementation of a production OpenID
server (such as <ulink url="http://www.myopenid.com">www.myopenid.com</ulink>) you
may have to deal with more complex issues.
</para>
<sect2 id="zend.openid.provider.start">
<title>Quick start</title>
<para>
The following example includes code for creating a user account
using <classname>Zend_OpenId_Provider::register</classname>. The link element with
<command>rel="openid.server"</command> points to our own server script. If you
submit this identity to an OpenID-enabled site, it will perform
authentication on this server.
</para>
<para>
The code before the <html> tag is just a trick that automatically
creates a user account. You won't need such code when using real
identities.
</para>
<example id="zend.openid.provider.example-1">
<title>The Identity</title>
<programlisting language="php"><![CDATA[
<?php
// Set up test identity
define("TEST_SERVER", Zend_OpenId::absoluteURL("example-8.php"));
define("TEST_ID", Zend_OpenId::selfURL());
define("TEST_PASSWORD", "123");
$server = new Zend_OpenId_Provider();
if (!$server->hasUser(TEST_ID)) {
$server->register(TEST_ID, TEST_PASSWORD);
}
?>
<html><head>
<link rel="openid.server" href="<?php echo TEST_SERVER;?>" />
</head><body>
<?php echo TEST_ID;?>
</body></html>
]]></programlisting>
</example>
<para>
The following identity server script handles two kinds of requests
from OpenID-enabled sites (for association and authentication). Both of
them are handled by the same method:
<classname>Zend_OpenId_Provider::handle</classname>. The two arguments to the
<classname>Zend_OpenId_Provider</classname> constructor are <acronym>URL</acronym>s of
login and trust pages, which ask for input from the end user.
</para>
<para>
On success, the method <classname>Zend_OpenId_Provider::handle</classname>
returns a string that should be passed back to the OpenID-enabled site. On
failure, it returns <constant>FALSE</constant>. This example will return an
<acronym>HTTP</acronym> 403 response if
<classname>Zend_OpenId_Provider::handle</classname> fails. You will get this response if
you open this script with a web browser, because it sends a non-OpenID conforming
request.
</para>
<example id="zend.openid.provider.example-2">
<title>Simple Identity Provider</title>
<programlisting language="php"><![CDATA[
$server = new Zend_OpenId_Provider("example-8-login.php",
"example-8-trust.php");
$ret = $server->handle();
if (is_string($ret)) {
echo $ret;
} else if ($ret !== true) {
header('HTTP/1.0 403 Forbidden');
echo 'Forbidden';
}
]]></programlisting>
</example>
<note>
<para>
It is a good idea to use a secure connection (HTTPS) for these scripts-
especially for the following interactive scripts- to prevent password
disclosure.
</para>
</note>
<para>
The following script implements a login screen for an identity
server using <classname>Zend_OpenId_Provider</classname> and redirects to this page when
a required user has not yet logged in. On this page, a user will enter his password
to login.
</para>
<para>
You should use the password "123" that was used in the identity script above.
</para>
<para>
On submit, the script calls <classname>Zend_OpenId_Provider::login</classname>
with the accepted user's identity and password, then redirects back
to the main identity provider's script. On success, the
<classname>Zend_OpenId_Provider::login</classname> establishes a session between the
user and the identity provider and stores the information about
the user, who is now logged in. All following requests from the same user won't
require a login procedure- even if they come from another OpenID enabled
web site.
</para>
<note>
<para>
Note that this session is between end-user and identity provider
only. OpenID enabled sites know nothing about it.
</para>
</note>
<example id="zend.openid.provider.example-3">
<title>Simple Login Screen</title>
<programlisting language="php"><![CDATA[
<?php
$server = new Zend_OpenId_Provider();
if ($_SERVER['REQUEST_METHOD'] == 'POST' &&
isset($_POST['openid_action']) &&
$_POST['openid_action'] === 'login' &&
isset($_POST['openid_identifier']) &&
isset($_POST['openid_password'])) {
$server->login($_POST['openid_identifier'],
$_POST['openid_password']);
Zend_OpenId::redirect("example-8.php", $_GET);
}
?>
<html>
<body>
<form method="post">
<fieldset>
<legend>OpenID Login</legend>
<table border=0>
<tr>
<td>Name:</td>
<td>
<input type="text"
name="openid_identifier"
value="<?php echo htmlspecialchars($_GET['openid_identity']);?>">
</td>
</tr>
<tr>
<td>Password:</td>
<td>
<input type="text"
name="openid_password"
value="">
</td>
</tr>
<tr>
<td> </td>
<td>
<input type="submit"
name="openid_action"
value="login">
</td>
</tr>
</table>
</fieldset>
</form>
</body>
</html>
]]></programlisting>
</example>
<para>
The fact that the user is now logged in doesn't mean that the
authentication must necessarily succeed. The user may decide not to trust
particular OpenID enabled sites. The following trust screen allows the
end user to make that choice. This choice may either be made only for current
requests or forever. In the second case, information about
trusted/untrusted sites is stored in an internal database, and all
following authentication requests from this site will be handled
automatically without user interaction.
</para>
<example id="zend.openid.provider.example-4">
<title>Simple Trust Screen</title>
<programlisting language="php"><![CDATA[
<?php
$server = new Zend_OpenId_Provider();
if ($_SERVER['REQUEST_METHOD'] == 'POST' &&
isset($_POST['openid_action']) &&
$_POST['openid_action'] === 'trust') {
if (isset($_POST['allow'])) {
if (isset($_POST['forever'])) {
$server->allowSite($server->getSiteRoot($_GET));
}
$server->respondToConsumer($_GET);
} else if (isset($_POST['deny'])) {
if (isset($_POST['forever'])) {
$server->denySite($server->getSiteRoot($_GET));
}
Zend_OpenId::redirect($_GET['openid_return_to'],
array('openid.mode'=>'cancel'));
}
}
?>
<html>
<body>
<p>A site identifying as
<a href="<?php echo htmlspecialchars($server->getSiteRoot($_GET));?>">
<?php echo htmlspecialchars($server->getSiteRoot($_GET));?>
</a>
has asked us for confirmation that
<a href="<?php echo htmlspecialchars($server->getLoggedInUser());?>">
<?php echo htmlspecialchars($server->getLoggedInUser());?>
</a>
is your identity URL.
</p>
<form method="post">
<input type="checkbox" name="forever">
<label for="forever">forever</label><br>
<input type="hidden" name="openid_action" value="trust">
<input type="submit" name="allow" value="Allow">
<input type="submit" name="deny" value="Deny">
</form>
</body>
</html>
]]></programlisting>
</example>
<para>
Production OpenID servers usually support the Simple Registration
Extension that allows consumers to request some information about the user from
the provider. In this case, the trust page can be extended to allow
entering requested fields or selecting a specific user profile.
</para>
</sect2>
<sect2 id="zend.openid.provider.all">
<title>Combined Provide Scripts</title>
<para>
It is possible to combine all provider functionality in one script. In
this case login and trust <acronym>URL</acronym>s are omitted, and
<classname>Zend_OpenId_Provider</classname> assumes that they point to the same page
with the additional "openid.action" <constant>GET</constant> argument.
</para>
<note>
<para>
The following example is not complete. It doesn't provide GUI code for
the user, instead performing an automatic login and trust relationship instead.
This is done just to simplify the example; a production server should include some
code from previous examples.
</para>
</note>
<example id="zend.openid.provider.example-5">
<title>Everything Together</title>
<programlisting language="php"><![CDATA[
$server = new Zend_OpenId_Provider();
define("TEST_ID", Zend_OpenId::absoluteURL("example-9-id.php"));
define("TEST_PASSWORD", "123");
if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
isset($_GET['openid_action']) &&
$_GET['openid_action'] === 'login') {
$server->login(TEST_ID, TEST_PASSWORD);
unset($_GET['openid_action']);
Zend_OpenId::redirect(Zend_OpenId::selfUrl(), $_GET);
} else if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
isset($_GET['openid_action']) &&
$_GET['openid_action'] === 'trust') {
unset($_GET['openid_action']);
$server->respondToConsumer($_GET);
} else {
$ret = $server->handle();
if (is_string($ret)) {
echo $ret;
} else if ($ret !== true) {
header('HTTP/1.0 403 Forbidden');
echo 'Forbidden';
}
}
]]></programlisting>
</example>
<para>
If you compare this example with previous examples split in to
separate pages, you will see only the one
difference besides the dispatch code:
<methodname>unset($_GET['openid_action'])</methodname>. This call to
<methodname>unset()</methodname> is necessary to route the next request to main handler.
</para>
</sect2>
<sect2 id="zend.openid.provider.sreg">
<title>Simple Registration Extension</title>
<para>
Again, the code before the <html> tag is just a trick to demonstrate
functionality. It creates a new user account and associates it with a profile (nickname
and password). Such tricks aren't needed in deployed providers where end users register
on OpenID servers and fill in their profiles. Implementing this GUI is out of scope for
this manual.
</para>
<example id="zend.openid.provider.example-6">
<title>Identity with Profile</title>
<programlisting language="php"><![CDATA[
<?php
define("TEST_SERVER", Zend_OpenId::absoluteURL("example-10.php"));
define("TEST_ID", Zend_OpenId::selfURL());
define("TEST_PASSWORD", "123");
$server = new Zend_OpenId_Provider();
if (!$server->hasUser(TEST_ID)) {
$server->register(TEST_ID, TEST_PASSWORD);
$server->login(TEST_ID, TEST_PASSWORD);
$sreg = new Zend_OpenId_Extension_Sreg(array(
'nickname' =>'test',
'email' => 'test@test.com'
));
$root = Zend_OpenId::absoluteURL(".");
Zend_OpenId::normalizeUrl($root);
$server->allowSite($root, $sreg);
$server->logout();
}
?>
<html>
<head>
<link rel="openid.server" href="<?php echo TEST_SERVER;?>" />
</head>
<body>
<?php echo TEST_ID;?>
</body>
</html>
]]></programlisting>
</example>
<para>
You should now pass this identity to the OpenID-enabled web site (use the Simple
Registration Extension example from the previous section), and it should use the
following OpenID server script.
</para>
<para>
This script is a variation of the script in the "Everything Together" example. It uses
the same automatic login mechanism, but doesn't contain any code for a trust
page. The user already trusts the example scripts forever. This trust was
established by calling the <methodname>Zend_OpenId_Provider::allowSite()</methodname>
method in the identity script. The same method associates the profile with the trusted
<acronym>URL</acronym>. This profile will be returned automatically for a request from
the trusted <acronym>URL</acronym>.
</para>
<para>
To make Simple Registration Extension work, you must simply
pass an instance of <classname>Zend_OpenId_Extension_Sreg</classname> as the second
argument to the <methodname>Zend_OpenId_Provider::handle()</methodname> method.
</para>
<example id="zend.openid.provider.example-7">
<title>Provider with SREG</title>
<programlisting language="php"><![CDATA[
$server = new Zend_OpenId_Provider();
$sreg = new Zend_OpenId_Extension_Sreg();
define("TEST_ID", Zend_OpenId::absoluteURL("example-10-id.php"));
define("TEST_PASSWORD", "123");
if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
isset($_GET['openid_action']) &&
$_GET['openid_action'] === 'login') {
$server->login(TEST_ID, TEST_PASSWORD);
unset($_GET['openid_action']);
Zend_OpenId::redirect(Zend_OpenId::selfUrl(), $_GET);
} else if ($_SERVER['REQUEST_METHOD'] == 'GET' &&
isset($_GET['openid_action']) &&
$_GET['openid_action'] === 'trust') {
echo "UNTRUSTED DATA" ;
} else {
$ret = $server->handle(null, $sreg);
if (is_string($ret)) {
echo $ret;
} else if ($ret !== true) {
header('HTTP/1.0 403 Forbidden');
echo 'Forbidden';
}
}
]]></programlisting>
</example>
</sect2>
<sect2 id="zend.openid.provider.else">
<title>Anything Else?</title>
<para>
Building OpenID providers is much less common than building
OpenID-enabled sites, so this manual doesn't cover all
<classname>Zend_OpenId_Provider</classname> features exhaustively, as was done for
<classname>Zend_OpenId_Consumer</classname>.
</para>
<para>
To summamize, <classname>Zend_OpenId_Provider</classname> contains:
</para>
<itemizedlist>
<listitem>
<para>
A set of methods to build an end-user GUI that allows
users to register and manage their trusted sites and profiles
</para>
</listitem>
<listitem>
<para>
An abstract storage layer to store information about users,
their sites and their profiles. It also stores associations between
the provider and OpenID-enabled sites. This layer is very similar
to that of the <classname>Zend_OpenId_Consumer</classname> class. It also uses
file storage by default, but may used with another backend.
</para>
</listitem>
<listitem>
<para>
An abstract user-association layer that may associate
a user's web browser with a logged-in identity
</para>
</listitem>
</itemizedlist>
<para>
The <classname>Zend_OpenId_Provider</classname> class doesn't attempt to cover all
possible features that can be implemented by OpenID servers, e.g. digital
certificates, but it can be extended easily using
<classname>Zend_OpenId_Extension</classname>s or by standard object-oriented extension.
</para>
</sect2>
</sect1>
<!--
vim:se ts=4 sw=4 et:
-->
|
