Filter to authenticate against OpenID. Currently supporting OpenID 1.0, 1.1 and 2.0.
The filter takes an identifier (URL) as credentials, and performs these steps (by default, with redirection of the user agent to the OpenID provider):
For example, this is one simple way of implementing checkid_immediate:
Specifications:
OpenID 2.0 will use XRDS discovery by default instead of Yadis. If XRDS discovery fails (or if the specified version is not '2.0') then Yadis discovery will be performed, and if Yadis fails then HTML discovery will be performed.
Example of use (authentication code + login form + logout support) - stateless ('dumb'):
To use stateful ('smart') mode, the only changes to the above example are in the else branch of the "if ( $action === 'logout' )":
Extra data can be fetched from the OpenID provider during the authentication process, by registering the data to be fetched before calling run(). Example:
The $data array will be something like:
The extra data which is possible to be fetched during the authentication process is:
Source for this file: /Authentication/src/filters/openid/openid_filter.php
ezcAuthenticationFilter | --ezcAuthenticationOpenidFilter
Version: | //autogen// |
Todo: | add support for fetching extra data as in OpenID attribute exchange http://issues.ez.no/14847 |
Todo: | add support for multiple URLs in each category at discovery |
Todo: | add support for XRI identifiers and discovery |
Todo: | check if the nonce handling is correct (openid.response_nonce?) |
Todo: | check return_to in the response |
MODE_DUMB
= 1
|
OpenID authentication mode where the OpenID provider generates a secret for every request. The server (consumer) is stateless. An extra check_authentication request to the provider is needed. This is the default mode. |
MODE_SMART
= 2
|
OpenID authentication mode where the server generates a secret which will be shared with the OpenID provider. The server (consumer) is keeping state. The extra check_authentication request is not needed. The shared secret must be established once in a while (defined by the option secretValidity, default 1 day = 86400 seconds). |
STATUS_CANCELLED
= 3
|
User cancelled the OpenID authentication. |
STATUS_NONCE_INCORRECT
= 2
|
The OpenID provider did not return a valid nonce in the response. |
STATUS_SETUP_URL
= 5
|
The OpenID server returned a setup URL after a checkid_immediate request, which is available by calling the getSetupUrl() method. |
STATUS_SIGNATURE_INCORRECT
= 1
|
The OpenID provider did not authorize the provided URL. |
STATUS_URL_INCORRECT
= 4
|
The URL provided by user was empty, or the required information could not be discovered from it. |
VERSION_1_0
= '1.0'
|
OpenID version 1.0. |
VERSION_1_1
= '1.1'
|
OpenID version 1.1. |
VERSION_2_0
= '2.0'
|
OpenID version 2.0. |
From ezcAuthenticationFilter: | |
---|---|
ezcAuthenticationFilter::STATUS_OK
|
Successful authentication. |
protected array(string=>mixed) |
$data
= array()
Holds the extra data fetched during the authentication process. Usually it has this structure:
|
protected array(string) |
$requestedData
= array()
Holds the attributes which will be requested during the authentication process. Usually it has this structure:
|
protected string |
$setupUrl
= false
Holds the setup URL retrieved during the checkid_immediate OpenID request. This URL can be used by the application to authenticate the user in a pop-up window or iframe (or similar techniques). |
From ezcAuthenticationFilter | |
---|---|
protected |
ezcAuthenticationFilter::$options
|
public ezcAuthenticationOpenidFilter |
__construct(
[ $options
= null] )
Creates a new object of this class. |
protected array(string=>mixed)||null |
associate(
$provider
, $params
, [ $method
= 'GET'] )
Attempts to establish a shared secret with the OpenID provider and returns it (for "smart" mode). |
protected bool |
checkImmediate(
$provider
, $params
, [ $method
= 'GET'] )
Connects to $provider (checkid_immediate OpenID request) and returns an URL (setup URL) which can be used by the application in a pop-up window. |
protected bool |
checkSignature(
$provider
, $params
, [ $method
= 'GET'] )
Opens a connection with the OpenID provider and checks if $params are correct (check_authentication OpenID request). |
protected bool |
checkSignatureSmart(
$association
, $params
)
Checks if $params are correct by signing with $association->secret. |
protected array(string=>array) |
createAssociateRequest(
)
Returns an array of parameters for use in an OpenID associate request. |
public array(string=>array) |
createCheckidRequest(
$id
, $providers
)
Returns an array of parameters for use in an OpenID check_id request. |
protected array(string=>array) |
discover(
$url
)
Discovers the OpenID server information from the provided URL. |
protected array(string=>array) |
discoverHtml(
$url
)
Discovers the OpenID server information from the provided URL by parsing the HTML page source. |
protected array(string=>array) |
discoverXrds(
$url
)
Discovers the OpenID server information from the provided URL using XRDS. |
protected array(string=>array) |
discoverYadis(
$url
)
Discovers the OpenID server information from the provided URL using Yadis. |
public array(string=>mixed) |
fetchData(
)
Returns the extra data fetched during the authentication process. |
protected string |
generateNonce(
[ $length
= 6] )
Generates a new nonce value with the specified length (default 6). |
protected bool|string |
getProvider(
$providers
)
Returns the first provider in the $providers array if exists, otherwise returns false. |
public string |
getSetupUrl(
)
Returns the setup URL. |
protected void |
redirectToOpenidProvider(
$provider
, $params
)
Performs a redirection to $provider with the specified parameters $params (checkid_setup OpenID request). |
public void |
registerFetchData(
[ $data
= array()] )
Registers which extra data to fetch during the authentication process. |
public int |
run(
$credentials
)
Runs the filter and returns a status code when finished. |
From ezcAuthenticationFilter | |
---|---|
public ezcAuthenticationFilterOptions |
ezcAuthenticationFilter::getOptions()
Returns the options of this class. |
public abstract int |
ezcAuthenticationFilter::run()
Runs the filter and returns a status code when finished. |
public void |
ezcAuthenticationFilter::setOptions()
Sets the options of this class to $options. |
Creates a new object of this class.
Name | Type | Description |
---|---|---|
$options |
ezcAuthenticationOpenidOptions | Options for this class |
Attempts to establish a shared secret with the OpenID provider and returns it (for "smart" mode).
If the shared secret is still in its validity period, then it will be returned instead of establishing a new one.
If the shared secret could not be established the null will be returned, and the OpenID connection will be in "dumb" mode.
The format of the returned array is: array( 'assoc_handle' => assoc_handle_value, 'mac_key' => mac_key_value )
Name | Type | Description |
---|---|---|
$provider |
string | The OpenID provider (discovered in HTML or Yadis) |
$params |
array(string=>string) | OpenID parameters for associate mode |
$method |
string | The method to connect to the provider (default GET) |
Connects to $provider (checkid_immediate OpenID request) and returns an URL (setup URL) which can be used by the application in a pop-up window.
The format of the check_authentication $params array is:
Name | Type | Description |
---|---|---|
$provider |
string | The OpenID provider (discovered in HTML or Yadis) |
$params |
array(string=>string) | OpenID parameters for checkid_immediate mode |
$method |
string | The method to connect to the provider (default GET) |
Type | Description |
---|---|
ezcAuthenticationOpenidException |
if connection to the OpenID provider could not be opened |
Opens a connection with the OpenID provider and checks if $params are correct (check_authentication OpenID request).
The format of the check_authentication $params array is:
Name | Type | Description |
---|---|---|
$provider |
string | The OpenID provider (discovered in HTML or Yadis) |
$params |
array(string=>string) | OpenID parameters for check_authentication mode |
$method |
string | The method to connect to the provider (default GET) |
Type | Description |
---|---|
ezcAuthenticationOpenidException |
if connection to the OpenID provider could not be opened |
Checks if $params are correct by signing with $association->secret.
The format of the $params array is:
Name | Type | Description |
---|---|---|
$association |
ezcAuthenticationOpenidAssociation | The OpenID association used for signing $params |
$params |
array(string=>string) | OpenID parameters for id_res mode |
Returns an array of parameters for use in an OpenID associate request.
Returns an array of parameters for use in an OpenID check_id request.
Name | Type | Description |
---|---|---|
$id |
string | The OpenID identifier from the user |
$providers |
array(string) | OpenID providers retrieved during discovery |
Discovers the OpenID server information from the provided URL.
First the XRDS discovery is tried, if the openidVersion option is "2.0". If XRDS discovery fails, or if the openidVersion option is not "2.0", Yadis discovery is tried. If it doesn't succeed, then the HTML discovery is tried.
The format of the returned array is (example):
Name | Type | Description |
---|---|---|
$url |
string | URL to connect to and discover the OpenID information |
Type | Description |
---|---|
ezcAuthenticationOpenidConnectionException |
if connection to the URL could not be opened |
Discovers the OpenID server information from the provided URL by parsing the HTML page source.
The format of the returned array is (example):
Name | Type | Description |
---|---|---|
$url |
string | URL to connect to and discover the OpenID information |
Type | Description |
---|---|
ezcAuthenticationOpenidConnectionException |
if connection to the URL could not be opened |
Discovers the OpenID server information from the provided URL using XRDS.
The format of the returned array is (example):
Name | Type | Description |
---|---|---|
$url |
string | URL to connect to and discover the OpenID information |
Type | Description |
---|---|
ezcAuthenticationOpenidConnectionException |
if connection to the URL could not be opened |
Discovers the OpenID server information from the provided URL using Yadis.
The format of the returned array is (example):
Name | Type | Description |
---|---|---|
$url |
string | URL to connect to and discover the OpenID information |
Type | Description |
---|---|
ezcAuthenticationOpenidConnectionException |
if connection to the URL could not be opened |
Returns the extra data fetched during the authentication process.
The return is something like:
Method | Description |
---|---|
ezcAuthenticationDataFetch::fetchData() |
Returns the extra data fetched during the authentication process. |
Generates a new nonce value with the specified length (default 6).
Name | Type | Description |
---|---|---|
$length |
int | The length of the generated nonce, default 6 |
Returns the first provider in the $providers array if exists, otherwise returns false.
Name | Type | Description |
---|---|---|
$providers |
array(string=>array) | OpenID providers discovered during OpenID discovery |
Returns the setup URL.
Performs a redirection to $provider with the specified parameters $params (checkid_setup OpenID request).
The format of the checkid_setup $params array is:
Name | Type | Description |
---|---|---|
$provider |
string | The OpenID provider (discovered in HTML or Yadis) |
$params |
array(string=>string) | OpenID parameters for checkid_setup |
Type | Description |
---|---|
ezcAuthenticationOpenidRedirectException |
if redirection could not be performed |
Registers which extra data to fetch during the authentication process.
The extra data which is possible to be fetched during the authentication process is:
Name | Type | Description |
---|---|---|
$data |
array(string) | A list of attributes to fetch during authentication |
Method | Description |
---|---|
ezcAuthenticationDataFetch::registerFetchData() |
Registers which extra data to fetch during the authentication process. |
Runs the filter and returns a status code when finished.
Name | Type | Description |
---|---|---|
$credentials |
ezcAuthenticationIdCredentials | Authentication credentials |
Type | Description |
---|---|
ezcAuthenticationOpenidModeNotSupportedException |
if trying to authenticate with an unsupported OpenID mode |
Method | Description |
---|---|
ezcAuthenticationFilter::run() |
Runs the filter and returns a status code when finished. |