openid y php

Upload: edgamen

Post on 07-Apr-2018


  • 8/4/2019 Openid y Php

    1/13

    OpenID Tutorials

    Getting Started with OpenID and PHP

    vvaswani | 9 comments | Wednesday, June 4, 2008

    Out Of Memory

    Something odd happened the other day. I Webbed over to a site that I visit on an irregular basis, signed in with my username and password, and hit the submit button. After a few seconds of clicking and grinding, the machinery informed me that my password had failed verification. Puzzled, I tried a few more times but, encountering zero success, stamped my heel, uttered a few creative curses and moved on to more productive work. It was only later, after submitting to various security questions and recovering my original password, that I realized my goof-up: I'd used a password belonging to another site by mistake!

    If this story sounds familiar to you, that's because it's the story of today's Web: too many sites, too many usernames, and not enough cranial capacity to file them all accurately. But there's good news at hand: OpenID, a free, open-source framework for "single sign-on" across different Web sites and applications. The even better news? There already exist a bunch of PHP widgets that allow developers to easily integrate OpenID into a PHP application, and this article is going to show you how to use them. So what are you waiting for? Flip the page, and let's get going!

    Digital Me

    Before diving into the code, let's spend a few minutes answering a basic question: what's this OpenID thing anyway and how does it work?

    According to the official OpenID Web site, OpenID is "a free and easy way to use a single digital identity across the Internet". Fundamentally, an OpenID is a customized URL, chosen by you as your online identity and registered with an OpenID service provider. Whenever an external site needs to verify your identity for login purposes, you supply this URL instead of your username; the site then contacts your OpenID service provider for authentication.

    What's the benefit? Simple: because your OpenID is stored with your OpenID service provider and any site can contact this provider to authenticate you, there's no need to create multiple accounts or remember multiple usernames and passwords for different sites; all you need is a single OpenID. This assumes, of course, that the external site supports the OpenID framework; adoption of this is gradually increasing, and the OpenID Web site has some interesting information about various large organizations that have begun using the framework.

    Typically, there are two parties to an OpenID transaction: Consumer and Provider. A Provider is like a registrar: it allows users to create and register OpenID URLs and manage their OpenID accounts, and it also authenticates the user to Consumers on demand. A Consumer (also sometimes called a Relying Party) is an OpenID-enabled Web site.

    The OpenID framework is completely open-source and any Web site can become a Consumer or a Provider of OpenIDs without incurring any costs on licensing fees. As a result, there are already a large number of OpenID Providers on the Web, and a growing number of Web sites have begun allowing users to sign in to their services using an OpenID.

    What happens in an OpenID transaction? Well, when a user tries logging into a Consumer site with an OpenID, the Consumer contacts the Provider to verify the user's credentials before allowing him or her access. The user may be redirected to the Provider and asked to sign in to his or her account with the Provider using a password; once this is successfully done, the Provider automatically redirects the user back to the Consumer site, which now treats the user as verified and grants him or her the necessary access. A shared key, known to both parties and protected with strong encryption, is used throughout to maintain the integrity of the transaction and avoid "spoofing".

    If you're new to OpenID, the information above should be sufficient to explain the basic concepts and ensure that you can follow the material that comes next; however, if you want/need a more detailed description, I'd recommend that you take a look at the OpenID developer site, at http://openid.net/developers/ and the OpenID 1.1 specification.
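The shared-key integrity check described above, as an added example that is not part of the original article: in OpenID 1.1 the Provider signs the fields named in openid.signed with HMAC-SHA1 under the association key, and the Consumer recomputes that signature before trusting the response. The function names, the key and the URLs are constructed for illustration.

```php
<?php
// Added example (not from the article). All keys and URLs below are constructed.
// Note: PHP rewrites "openid.sig" to "openid_sig" in $_GET, so real code must
// parse the raw query string; here the response is already an array.

/** Rebuild the signed text: one "field:value\n" line per entry in openid.signed. */
function openid_signed_text(array $p): ?string
{
    $text = '';
    foreach (explode(',', $p['openid.signed'] ?? '') as $field) {
        if ($field === '' || !isset($p["openid.$field"])) {
            return null;                      // listed as signed but absent
        }
        $text .= $field . ':' . $p["openid.$field"] . "\n";
    }
    return $text;
}

/** True only if the HMAC-SHA1 matches and the critical fields are covered. */
function openid_signature_ok(array $p, string $macKey): bool
{
    $signed = explode(',', $p['openid.signed'] ?? '');
    if (array_diff(['identity', 'return_to'], $signed)) {
        return false;                         // identity or return_to unsigned
    }
    $text = openid_signed_text($p);
    if ($text === null || !isset($p['openid.sig'])) {
        return false;
    }
    $expected = base64_encode(hash_hmac('sha1', $text, $macKey, true));
    return hash_equals($expected, $p['openid.sig']);   // constant-time compare
}

// Constructed Provider response, signed with a constructed association key.
$macKey = str_repeat("\x0b", 20);
$resp = [
    'openid.mode'      => 'id_res',
    'openid.identity'  => 'http://yourname.myopenid.com/',
    'openid.return_to' => 'http://consumer.example.com/oid_return.php',
    'openid.signed'    => 'mode,identity,return_to',
];
$resp['openid.sig'] = base64_encode(
    hash_hmac('sha1', openid_signed_text($resp), $macKey, true));

var_dump(openid_signature_ok($resp, $macKey));          // genuine response
$resp['openid.identity'] = 'http://someone-else.example/';
var_dump(openid_signature_ok($resp, $macKey));          // altered identity
```

The second check fails because the altered identity no longer matches the signature; a Consumer library performs this verification for you, which is why the result status must always be tested before a user is treated as signed in.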

    Assembling The Pieces

    Now that you've (hopefully) understood the basics of how the OpenID framework works, let's turn to a more pressing question: where does PHP fit in? Well, there are a number of OpenID libraries written for PHP, and designed to help developers quickly add OpenID support to their Web application. This tutorial discusses two of them:

    1. The PHP OpenID Library, maintained by JanRain Inc. (JanRain Inc. also operates MyOpenID.com, a popular provider of OpenID identities). This is a stable implementation for both client and server ends of an OpenID connection, and it's used in most of the examples in this tutorial.

    2. The Authentication::OpenID_Consumer PEAR package, proposed by Pádraic Brady. It should be noted that this package is still in proposal stage at the time of writing and should be considered alpha-state code; it's used briefly in this tutorial to illustrate an alternative implementation to the JanRain library.

    In case you don't already have them, you'll also need to download and install the following PEAR packages:

    - The PEAR DB package
    - The Crypt_HMAC2 package
    - The Crypt_DiffieHellman package
    - The Services_YADIS package

    You can install these packages manually, or using the PEAR installer, as below:

    shell> pear install Crypt_HMAC2


    In order to try out the examples in this tutorial, you'll also need your own OpenID. Get one from http://www.myopenid.com/ or any other OpenID service provider (and remember that you can also use it on any OpenID-enabled Web site!). If you use the MyOpenID service, your OpenID will probably be in the form http://yourname.myopenid.com, and will be generated for you free of charge.

    Once you've got all the pieces together, you're ready to go. But before you flip the page, I should make one rather important disclaimer: I'm not an expert on OpenID and this tutorial isn't intended to be an exhaustive reference to OpenID integration (specifications and client libraries change too quickly to even attempt such a lofty goal). Rather, it's intended as a general introduction for PHP developers who are new to OpenID, to give them a broad idea of how PHP/OpenID integration works and increase their comfort level with the technology. For this reason, I've kept the code listings fairly simple; remember that you can always find more complex code examples in the documentation supplied with the client libraries mentioned previously.

    With that caveat out of the way, let's get started!

    First Steps

    The first thing you'll need, if you're going to begin accepting OpenIDs on your Web site, is a sign-in form. Here's the code:

    Sign in with your OpenID:

    Here's what the form looks like:

    You'll notice that this sign-in form doesn't include a field for the user's password. This is because, under the OpenID framework, authentication is handled by the OpenID Provider; all the user needs to access a Consumer site is his OpenID.

    When the user submits this form with his or her OpenID, the form processor needs to locate the OpenID Provider and redirect to the Provider for authentication. The PHP OpenID Library can take care of this for you; consider the next listing, which wraps the form above in a conditional test and adds in the code that runs on form submission (I'm assuming here that your site - the Consumer site - is located at http://consumer.example.com, but feel free to change this to http://localhost for testing purposes):
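A minimal Consumer along the lines described above, written with the JanRain PHP OpenID Library as an added example rather than the article's own listing. The form field name `id`, the storage directory and the single-script layout are assumptions; the URLs follow the article's consumer.example.com convention.

```php
<?php
// Added example (not the article's original listing). The field name "id",
// the store directory and the one-script layout are assumptions.
require_once 'Auth/OpenID/Consumer.php';
require_once 'Auth/OpenID/FileStore.php';

session_start(); // the library keeps per-request state in the PHP session

$realm    = 'http://consumer.example.com/';               // site asking for login
$returnTo = 'http://consumer.example.com/oid_return.php'; // this script's own URL

// Assumed storage directory; keep it outside the web root.
$store    = new Auth_OpenID_FileStore('/var/lib/php/oid_store');
$consumer = new Auth_OpenID_Consumer($store);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['id'])) {
    // Step 1: discover the Provider for the submitted OpenID and redirect to it.
    $auth = $consumer->begin(trim($_POST['id']));
    if (!$auth) {
        die('Not a valid OpenID.');
    }
    $url = $auth->redirectURL($realm, $returnTo);
    if (Auth_OpenID::isFailure($url)) {
        die('Could not build the redirect to the Provider.');
    }
    header('Location: ' . $url);
    exit;
}

// Step 2: the Provider has sent the browser back; the library verifies the
// signed response. Trust only the identity it returns, never the form input.
$response = $consumer->complete($returnTo);

if ($response->status === Auth_OpenID_SUCCESS) {
    session_regenerate_id(true);               // new session ID after login
    $_SESSION['openid'] = $response->identity_url;
    echo 'Signed in as ' . htmlspecialchars($_SESSION['openid'], ENT_QUOTES);
} elseif ($response->status === Auth_OpenID_CANCEL) {
    echo 'Sign-in was cancelled at the Provider.';
} else {
    echo 'Sign-in failed.';
}
```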


    Here's what a user with an account on the system would see after signing in with an OpenID:

    And here's what a new user would see after signing in with an OpenID:

    A Question Of Storage

    The previous examples have all used PHP OpenID Library's file storage class for local storage of OpenID data. If this is not to your taste, you can also store OpenID data in a MySQL, PostgreSQL or SQLite database, by replacing the Auth_OpenID_FileStore object with Auth_OpenID_MySQLStore, Auth_OpenID_PostgreSQLStore or Auth_OpenID_SQLiteStore objects respectively.

    The following example illustrates, using a MySQL database for storage:


    Here, the Consumer object's finish() method is used to complete the authentication process. The result of the finish() method is a Response object, representing the response sent by the OpenID Provider to the Consumer's authentication request. This object's getResult() method can be used to test the result of the authentication process, and take appropriate action depending on whether the result is successful or not.

    Service With A Smile

    Now that you've seen two different implementations of an OpenID Consumer, let's turn our attention to the Provider end of the connection. First, it should be noted that the JanRain PHP OpenID Library discussed earlier in this article also includes a full-fledged OpenID Provider implementation, which you can use to custom-code your own OpenID server. An example server is included in the package archive to get you started.

    In most cases, however, you can get away without coding your own OpenID Provider, especially if your needs are simple. There are a number of open-source packages that allow you to set up and manage an OpenID server "out of the box"; here's a quick list:

    - phpMyID
    - SimpleID
    - Clamshell

    And that's about it for this article. Over the last few pages, I gave you a crash course in OpenID, explaining what it was and how it worked. I then coerced you into installing some PHP-based OpenID libraries, and showed you how you could use them to add OpenID support to your Web application. I also explained the Simple Registration extension to OpenID, showing you how it could be used to retrieve a user's profile from an OpenID Provider and inject that data into your Web application. Finally, I demonstrated an alternative, PEAR-based implementation for OpenID Consumers, and pointed you to some easy-to-install-and-use scripts for setting up your own OpenID server.

    If you're interested in learning more about PHP and OpenID, also consider the following resources:

    - An OpenID and PHP primer
    - The OpenID developer site
    - Plaxo's guide for OpenID-Enabling a Web site
    - OpenID for Non-Superusers
    - OpenID implementations for other programming languages

    Have fun, and happy coding!

    Copyright Melonfire, 2007. All rights reserved.

    Comments

    Wednesday, June 4, 2008

    WHAT ABOUT THE ZEND FRAMEWORK OPENID IMPLEMENTATION?
    2:46PM GMT erangalp

    Seems odd an article on OpenID here doesn't even mention it. You should check it out.

    ZEND_OPENID
    3:16PM GMT Cal Evans (editor)

    Hi erangalp!

    No, it's not really odd at all. DevZone accepts articles from PHP developers world wide, many of whom don't work with Zend Framework. This article was not written from a Zend Framework perspective. (Although I would love to have an article about implementing OpenId in a Zend Framework project; wanna write it?) :)


    But you are correct that Zend Framework does have an OpenId implementation, here is the link to it. Zend_OpenId

    Thanks for the comment.

    =C=

    Friday, June 6, 2008

    HOW SECURE IS IT?
    3:17PM GMT Alihan Etin [unregistered]

    OpenID is a great world wide application for websites. And thank you for this article. But there is a question: How secure is it?

    I think it can't be used in very secure sites. There is always a chance to get the password. And it's easy to know someone's openID because it's public...

    And a handicap : when you'll get the password, you'll own all accounts for the user in internet...

    Sunday, June 8, 2008

    ADOPTION RATE FOR OPENID
    12:56PM GMT farrelley

    The adoption rate for OpenId is very slow. When I first came out I thought it would be awesome but many sites are reluctant to move to an OpenID strategy. Don't get me wrong there are many popular sites that are using it! I just don't know if it's worth spending time to get it up and running. Right now OpenID doesn't carry that mentality that says "Oh yeah, I'll comment because I can use my OpenID." It's not stopping people from doing things yet. What's everyone else think?

    Tuesday, June 17, 2008

    ADOPTION AND SECURITY
    6:24AM GMT vvaswani

    Alihan:

    Thanks for the comment. I think security is something that would need to be enforced by your application, and you would probably also need to trust that the OpenID provider has the necessary security systems in place.

    Take your analogy a bit further: if we take Yahoo as an example, Yahoo usernames are equally public (every time you send an email from Yahoo, the recipient knows your Yahoo username). However in general (most) users trust Yahoo with their data and assume that Yahoo is holding their passwords securely. You would need to extend the same level of trust to whoever holds your OpenID, IMO.

    farrelley:

    I take your point, but my own take on this is that OpenID is still fairly new and not many casual Web users even know that it exists. The big OpenID supporters probably also need to do a little more in terms of educating users about the benefits of OpenID (single user name being the key benefit). Keep the faith: adoption has been increasing gradually and will continue to do so until it reaches a tipping point.

    Wednesday, January 28, 2009

    WHICH LIBRARY DO THE EXAMPLES USE?
    5:30PM GMT pkiula

    Sorry, you mention JanRain and that experimental PEAR class. Your examples have this line:

    require('Auth/...');

    Which one is this? If it is JanRain's library, then I don't see their stuff "included" in the code before? Where is the "Auth" file located, isn't that a PEAR thing, and if so, is that NOT the JanRain library? Your entire tutorial in the beginning is based on this Auth thing. How to get it to work?

    Tuesday, April 14, 2009

    GETTING AN ERROR "SERVER DENIED CHECK_AUTHENTICATION"
    7:08AM GMT tatva13

    I am using openid 2.0. I made a simple application in php using the code given by you. I include all openid libs, but when I try to login with any of my openids, I get the response "failure" with a message "Server denied check_authentication" in oid_return.php.

    Thanks for help in advance...

    Friday, September 4, 2009

    OPENID
    11:19AM GMT raghuirukulla

    Though the concept of OpenID is good, not many users know the full potential of this service. There are hundreds and thousands of services which accept openID for login and shorten the process of registration. http://www.ekoob.com/10-cool-sites-to-get-your-own-openid-4058/ this article has clearly mentioned the benefits and resources to get an openID.

    Monday, December 14, 2009

    $RESPONSE OBJECT IS VOID
    2:30PM GMT bubastix0

    Hey, great article! I was trying to implement it, but when I evaluate the line:

    if ($response->status == Auth_OpenID_SUCCESS)

    the object seems to be null, maybe it's a change on some of the packages... You think that I could validate the user using another method? Many thanks!