Path

ez components / documentation / api reference / 2007.1.1 / authentication

eZ Components 2007.1.1

Authentication: ezcAuthenticationOpenidFilter

[ Tutorial ] [ Security ] [ Class tree ] [ Element index ] [ ChangeLog ] [ Credits ]

Class: ezcAuthenticationOpenidFilter

Filter to authenticate against OpenID. Currently supporting OpenID 1.1. [source]
The filter takes an identifier (URL) as credentials, and performs these steps:
  1. Normalize the identifier
  2. Discover the provider and delegate by requesting the URL - first using the Yadis discovery protocol - if Yadis fails then discover by parsing the HTML page source at URL
  3. (Optional) OpenID associate request - for the so-called 'smart' (stateful) mode.
  4. OpenID checkid_setup request. This step redirects the browser to the OpenID provider discovered in step 2. After user enters his OpenID username and password at this page and accepts the originating site, the browser is redirected back to the originating site.
  5. OpenID check_authentication request. After the redirection from the provider to the originating site, the values provided by the provider must be checked in an extra request against the provider. The provider responds with is_valid true or false.
Specifications: Example of use (authentication code + login form + logout support) - stateless ('dumb'): 
 1.  // no headers should be sent before calling $session->start()
 2.  $session = new ezcAuthenticationSession();
 3.  $session->start();
 4.  
 5.  $url = isset( $_GET['openid_identifier'] ) ? $_GET['openid_identifier'] : $session->load();
 6.  $action = isset( $_GET['action'] ) ? strtolower( $_GET['action'] ) : null;
 7.  
 8.  $credentials = new ezcAuthenticationIdCredentials( $url );
 9.  $authentication = new ezcAuthentication( $credentials );
10.  $authentication->session = $session;
11.  
12.  if ( $action === 'logout' )
13.  {
14.      $session->destroy();
15.  }
16.  else
17.  {
18.      $filter = new ezcAuthenticationOpenidFilter();
19.      $authentication->addFilter( $filter );
20.  }
21.  
22.  if ( !$authentication->run() )
23.  {
24.      // authentication did not succeed, so inform the user
25.      $status = $authentication->getStatus();
26.      $err = array(
27.               'ezcAuthenticationOpenidFilter' => array(
28.                   ezcAuthenticationOpenidFilter::STATUS_SIGNATURE_INCORRECT => 'OpenID said the provided identifier was incorrect',
29.                   ezcAuthenticationOpenidFilter::STATUS_CANCELLED => 'The OpenID authentication was cancelled',
30.                   ezcAuthenticationOpenidFilter::STATUS_URL_INCORRECT => 'The identifier you provided is invalid'
31.                   ),
32.               'ezcAuthenticationSession' => array(
33.                   ezcAuthenticationSession::STATUS_EMPTY => '',
34.                   ezcAuthenticationSession::STATUS_EXPIRED => 'Session expired'
35.                   )
36.               );
37.      foreach ( $status as $line )
38.      {
39.          list( $key, $value ) = each( $line );
40.          echo $err[$key][$value] . "\n";
41.      }
42.  ?>
43.  Please login with your OpenID identifier (an URL, eg. www.example.com or http://www.example.com):
44.  <form method="GET" action="">
45.  <input type="hidden" name="action" value="login" />
46.  <img src="http://openid.net/login-bg.gif" /> <input type="text" name="openid_identifier" />
47.  <input type="submit" value="Login" />
48.  </form>
49.  
50.  <?php
51.  }
52.  else
53.  {
54.  ?>
55.  
56.  You are logged-in as <b><?php echo $url?></b> | <a href="?action=logout">Logout</a>
57.  
58.  <?php
59.  }
60.  ?>
To use stateful ('smart') mode, the only changes to the above example are in the else branch of the "if ( $action === 'logout' )": 
 1.  // ...
 2.   if $action === 'logout' )
 3.  {
 4.      $session->destroy();
 5.  }
 6.  else
 7.  {
 8.      $options new ezcAuthenticationOpenidOptions();
 9.      $options->mode ezcAuthenticationOpenidFilter::MODE_SMART;
10.      $options->store new ezcAuthenticationOpenidFileStore'/tmp/store' );
11.      $filter new ezcAuthenticationOpenidFilter$options );
12.      $authentication->addFilter$filter );
13.  }
13.  // ...

Parents

ezcAuthenticationFilter
   |
   --ezcAuthenticationOpenidFilter

Constants

MODE_DUMB = 1 OpenID authentication mode where the OpenID provider generates a secret for every request.
MODE_SMART = 2 OpenID authentication mode where the server generates a secret which will be shared with the OpenID provider.
STATUS_CANCELLED = 3 User cancelled the OpenID authentication.
STATUS_NONCE_INCORRECT = 2 The OpenID provider did not return a valid nonce in the response.
STATUS_SIGNATURE_INCORRECT = 1 The OpenID provider did not authorize the provided URL.
STATUS_URL_INCORRECT = 4 The URL provided by user was empty, or the required information could not be discovered from it.

Inherited Constants

From ezcAuthenticationFilter:
ezcAuthenticationFilter::STATUS_OK    Successful authentication.

Inherited Member Variables

From ezcAuthenticationFilter:
protected  ezcAuthenticationFilter::$options

Method Summary

public ezcAuthenticationOpenidFilter __construct( [$options = null] )
Creates a new object of this class.
protected array(string=>mixed)||null associate( $provider, $params, [$method = 'GET'] )
Attempts to establish a shared secret with the OpenID provider and returns it (for "smart" mode).
protected bool checkSignature( $provider, $params, [$method = 'GET'] )
Opens a connection with the OpenID provider and checks if $params are correct (check_authentication OpenID request).
protected bool checkSignatureSmart( $association, $params )
Checks if $params are correct by signing with $association->secret.
protected array(string=>array) discover( $url )
Discovers the OpenID server information from the provided URL.
protected array(string=>array) discoverHtml( $url )
Discovers the OpenID server information from the provided URL by parsing the HTML page source.
protected array(string=>array) discoverYadis( $url )
Discovers the OpenID server information from the provided URL using Yadis.
protected string generateNonce( [$length = 6] )
Generates a new nonce value with the specified length (default 6).
protected void redirectToOpenidProvider( $provider, $params )
Performs a redirection to $provider with the specified parameters $params (checkid_setup OpenID request).
public int run( $credentials )
Runs the filter and returns a status code when finished.

Inherited Methods

From ezcAuthenticationFilter :
public ezcAuthenticationFilterOptions ezcAuthenticationFilter::getOptions()
Returns the options of this class.
public abstract int ezcAuthenticationFilter::run()
Runs the filter and returns a status code when finished.
public void ezcAuthenticationFilter::setOptions()
Sets the options of this class to $options.

Methods

__construct

ezcAuthenticationOpenidFilter __construct( [ezcAuthenticationOpenidOptions $options = null] )
Creates a new object of this class.

Parameters

Name Type Description
$options ezcAuthenticationOpenidOptions Options for this class

associate

array(string=>mixed)||null associate( string $provider, $params, [string $method = 'GET'] )
Attempts to establish a shared secret with the OpenID provider and returns it (for "smart" mode).
If the shared secret is still in its validity period, then it will be returned instead of establishing a new one.
If the shared secret could not be established the null will be returned, and the OpenID connection will be in "dumb" mode.
The format of the returned array is: array( 'assoc_handle' => assoc_handle_value, 'mac_key' => mac_key_value )

Parameters

Name Type Description
$provider string The OpenID provider (discovered in HTML or Yadis)
$params array(string=>string) OpenID parameters for associate mode
$method string The method to connect to the provider (default GET)

checkSignature

bool checkSignature( string $provider, $params, [string $method = 'GET'] )
Opens a connection with the OpenID provider and checks if $params are correct (check_authentication OpenID request).
The format of the check_authentication $params array is: 
1.  array(
2.         'openid.assoc_handle' => urlencodeHANDLE ),
3.         'openid.signed' => urlencodeSIGNED ),
4.         'openid.sig' => urlencodeSIG ),
5.         'openid.mode' => 'check_authentication'
6.       );
where HANDLE, SIGNED and SIG are parameters returned from the provider in the id_res step of OpenID authentication. In addition, the $params array must contain the values present in SIG.

Parameters

Name Type Description
$provider string The OpenID provider (discovered in HTML or Yadis)
$params array(string=>string) OpenID parameters for check_authentication mode
$method string The method to connect to the provider (default GET)

Throws

ClassDescription
ezcAuthenticationOpenidException if connection to the OpenID provider could not be opened

checkSignatureSmart

bool checkSignatureSmart( ezcAuthenticationOpenidAssociation $association, $params )
Checks if $params are correct by signing with $association->secret.
The format of the $params array is: 
1.  array(
2.         'openid.assoc_handle' => HANDLE,
3.         'openid.signed' => SIGNED,
4.         'openid.sig' => SIG,
5.         'openid.mode' => 'id_res'
6.       );
where HANDLE, SIGNED and SIG are parameters returned from the provider in the id_res step of OpenID authentication. In addition, the $params array must contain the values present in SIG.

Parameters

Name Type Description
$association ezcAuthenticationOpenidAssociation The OpenID association used for signing $params
$params array(string=>string) OpenID parameters for id_res mode

discover

array(string=>array) discover( string $url )
Discovers the OpenID server information from the provided URL.
First the Yadis discovery is tried. If it doesn't succeed, then the HTML discovery is tried.
The format of the returned array is (example): 
1.    array'openid.server' => array=> 'http://www.example-provider.com' ),
2.           'openid.delegate' => array=> 'http://www.example-delegate.com' )
3.         );

Parameters

Name Type Description
$url string URL to connect to and discover the OpenID information

Throws

ClassDescription
ezcAuthenticationOpenidException if connection to the URL could not be opened

discoverHtml

array(string=>array) discoverHtml( string $url )
Discovers the OpenID server information from the provided URL by parsing the HTML page source.
The format of the returned array is (example): 
1.    array'openid.server' => array=> 'http://www.example-provider.com' ),
2.           'openid.delegate' => array=> 'http://www.example-delegate.com' )
3.         );

Parameters

Name Type Description
$url string URL to connect to and discover the OpenID information

Throws

ClassDescription
ezcAuthenticationOpenidException if connection to the URL could not be opened

discoverYadis

array(string=>array) discoverYadis( string $url )
Discovers the OpenID server information from the provided URL using Yadis.
The format of the returned array is (example): 
1.    array'openid.server' => array=> 'http://www.example-provider.com' ),
2.           'openid.delegate' => array=> 'http://www.example-delegate.com' )
3.         );

Parameters

Name Type Description
$url string URL to connect to and discover the OpenID information

Throws

ClassDescription
ezcAuthenticationOpenidException if connection to the URL could not be opened

generateNonce

string generateNonce( [int $length = 6] )
Generates a new nonce value with the specified length (default 6).

Parameters

Name Type Description
$length int The length of the generated nonce, default 6

redirectToOpenidProvider

void redirectToOpenidProvider( string $provider, $params )
Performs a redirection to $provider with the specified parameters $params (checkid_setup OpenID request).
The format of the checkid_setup $params array is: 
1.  array(
2.         'openid.return_to' => urlencodeURL ),
3.         'openid.trust_root' => urlencodeURL ),
4.         'openid.identity' => urlencodeURL ),
5.         'openid.mode' => 'checkid_setup'
6.       );

Parameters

Name Type Description
$provider string The OpenID provider (discovered in HTML or Yadis)
$params array(string=>string) OpenID parameters for checkid_setup

Throws

ClassDescription
ezcAuthenticationOpenidException if redirection could not be performed

run

int run( ezcAuthenticationIdCredentials $credentials )
Runs the filter and returns a status code when finished.

Parameters

Name Type Description
$credentials ezcAuthenticationIdCredentials Authentication credentials

Redefinition of

Method Description
ezcAuthenticationFilter::run() Runs the filter and returns a status code when finished.

Last updated: Wed, 28 Nov 2007