OpenID for Programmers and Dummies

December 13th, 2008, 2:17 pm

Open ID

Well, I have spent several days working on learning the OpenID system (in PHP) and I am still wondering about some things. The following is a rant, resource collection, and cry for help. Read at your own risk.

I figured I would start with the specs for authentication version 1.1, as OpenID 2.0 is more complex. However, after reading this great getting started guide and watching some movies on YouTube and elsewhere, I started downloading APIs/scripts and looking at them.

These classes have helped me the most:

However, in the spec for OpenID 1.1, there are only FOUR functions - and they seem to be Consumer or Provider specific. This logic flow chart shows the order that the APIs are to be called - but I am having trouble wrapping my mind around the whole thing when some of the PHP classes I download are 20 files and over 300k! Surely a two page spec shouldn't need to be 20 files long!?

Why is the Spec for 1.1 so simple but the libraries so complex? Can anyone map the function names to the logic flow? - that would REALLY help me! If someone could just help me get into the right way of looking at this I could finish my understanding. I feel like I am re-learning OOP.
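To put the two heavy pieces of that flow next to each other, here is what a library actually computes for "associate" (a Diffie-Hellman-masked mac_key) and for checking the "id_res" response (HMAC-SHA1 over the signed fields in key-value form). This is an added example written in Python for this post, not the post's own code and not any OpenID library's; the DH group, the assoc_handle and the URLs in the test are constructed for the demo.

```python
import base64, hashlib, hmac, secrets

# Demo-only DH group (constructed); real libraries carry the spec's 1024-bit default.
DH_P = 2 ** 127 - 1
DH_G = 2

def btwoc(n: int) -> bytes:
    """Big-endian two's-complement bytes: how OpenID encodes DH integers."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")  # spare bit keeps it positive

def kv_form(pairs) -> bytes:
    """Key-value form, one 'key:value' line per pair in order; also the signed text."""
    return "".join(f"{k}:{v}\n" for k, v in pairs).encode()

def op_associate(consumer_pub: int, handle: str = "demo-handle-1"):
    """OP side of mode=associate with DH-SHA1: returns (response, mac_key).
    The OP stores mac_key under the handle; the wire only carries it XOR-masked."""
    xb = secrets.randbelow(DH_P - 2) + 1            # OP's private exponent
    mask = hashlib.sha1(btwoc(pow(consumer_pub, xb, DH_P))).digest()
    mac_key = secrets.token_bytes(20)               # HMAC-SHA1 key, 20 bytes like the mask
    enc = bytes(a ^ b for a, b in zip(mask, mac_key))
    return {"assoc_handle": handle, "assoc_type": "HMAC-SHA1",
            "session_type": "DH-SHA1", "expires_in": "1209600",
            "dh_server_public": base64.b64encode(btwoc(pow(DH_G, xb, DH_P))).decode(),
            "enc_mac_key": base64.b64encode(enc).decode()}, mac_key

def rp_recover_mac_key(resp: dict, xa: int) -> bytes:
    """RP side: rebuild the same mask from its own exponent xa and unmask the key."""
    server_pub = int.from_bytes(base64.b64decode(resp["dh_server_public"]), "big")
    mask = hashlib.sha1(btwoc(pow(server_pub, xa, DH_P))).digest()
    return bytes(a ^ b for a, b in zip(mask, base64.b64decode(resp["enc_mac_key"])))

def op_sign_assertion(fields: dict, mac_key: bytes) -> dict:
    """OP builds the id_res query it sends the user back with: openid.sig is
    HMAC-SHA1 over the kv-form of the fields listed in openid.signed."""
    signed = ["mode", "identity", "return_to"]
    sig = hmac.new(mac_key, kv_form((k, fields[k]) for k in signed), hashlib.sha1).digest()
    query = {"openid." + k: v for k, v in fields.items()}
    query["openid.signed"], query["openid.sig"] = ",".join(signed), base64.b64encode(sig).decode()
    return query

def rp_verify_assertion(query: dict, mac_key: bytes) -> bool:
    """RP recomputes the signature with the shared secret, so no check_authentication
    round trip is needed; anything the user-agent altered in a signed field fails."""
    signed = query["openid.signed"].split(",")
    expected = hmac.new(mac_key, kv_form((k, query["openid." + k]) for k in signed),
                        hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(query["openid.sig"]))
```

The four steps map onto the four spec functions: op_associate is the Provider's "associate", rp_recover_mac_key is the Consumer's half of it, op_sign_assertion is what the Provider does at the end of checkid_setup, and rp_verify_assertion is the Consumer's check that replaces check_authentication when an association exists.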

Pseudo Code

Here is the basic pseudo-code I have so far. I would love it if someone would add/subtract info to help me get this down better.


<?php
/////////////////////////////////// LEGEND
// Relying Party = Consumer
// OP Endpoint   = Provider/IDP/Identity Provider
// User          = Person on their computer (USER-AGENT)
//////////////////////////////////////////

/*
An association between the Relying Party and the OpenID Provider
establishes a shared secret between them, which is used to verify
subsequent protocol messages and reduce round trips.

An association session is initiated by a direct request from a
Relying Party to an OP Endpoint URL with the "openid.mode" key
having the value of "associate".

Establish a shared secret between Consumer and Identity Provider.

Flow:
Consumer sends association request to -> IDP via POST
IDP prints response in KEY:VALUE form for the Consumer to read
*/

// What the Consumer POSTs to the IDP (values are placeholders)
$consumer_assoc_request = array(
    'openid.ns'           => 'VALUE',
    'openid.mode'         => 'associate',
    'openid.assoc_type'   => 'VALUE',   // e.g. HMAC-SHA1
    'openid.session_type' => 'VALUE',   // plain text or DH-SHA1 (Diffie-Hellman)
    // Only if session_type is Diffie-Hellman:
    // 'openid.dh_modulus'         => 'VALUE',
    // 'openid.dh_gen'             => 'VALUE',
    // 'openid.dh_consumer_public' => 'VALUE',
);

// IDP side: perform an association with a consumer.
// Takes the POSTed request, returns the KEY:VALUE pairs the caller prints.
function associate_mode(array $request)
{
    // Create a secret and store it under a new assoc_handle
    // -> sent either in plain text or masked via Diffie-Hellman

    $good_request = isset($request['openid.assoc_type'], $request['openid.session_type']);

    if ($good_request) {
        $response = array(
            'ns'           => 'VALUE',
            'assoc_handle' => 'VALUE',
            'session_type' => $request['openid.session_type'],
            'assoc_type'   => $request['openid.assoc_type'],
            'expires_in'   => 'VALUE',
        );
        if ($request['openid.session_type'] === 'DH-SHA1') {
            $response['dh_server_public'] = 'VALUE';
            $response['enc_mac_key']      = 'VALUE'; // mac_key XOR SHA1(shared DH secret)
        } else {
            $response['mac_key'] = 'VALUE';          // the shared secret for this association
        }
        return $response;
    }

    return array(
        'ns'           => 'VALUE',
        'error'        => 'message telling why the association failed',
        'error_code'   => 'unsupported-type',
        'session_type' => 'VALUE', // (optional) a valid association session type
        'assoc_type'   => 'VALUE', // (optional) an association type supported by the IDP
    );
}

// At this point the Consumer shares a secret with THIS IDP, so when USERS
// come back from it the Consumer can check the signature on the response
// itself (no second round trip to the IDP is needed).




////////////////////////////
// PART 2: Checking the user
////////////////////////////

/*
Once the Relying Party has successfully performed discovery and (optionally)
created an association (shared secret) with the discovered OP Endpoint URL,
it can send an authentication request to the OP to obtain an assertion.

An authentication request is an indirect request (Indirect Communication),
which means it relies on the USER-AGENT sending the data (it can be hacked).
*/


/*
Description: Ask an Identity Provider if an End User owns the Claimed Identifier,
but be willing to wait for the reply. The Consumer will pass the User-Agent
to the Identity Provider for a short period of time, which will return either
a "yes" or "cancel" answer.

Flow:
Consumer sends -> USER to -> IDP via GET
(IDP asks user to trust site/login/etc.)
IDP sends -> USER back to -> Consumer with response in query string
*/

// What the Consumer redirects the USER to the IDP with (query string)
$consumer_checkid_request = array(
    'openid.ns'           => 'VALUE',
    'openid.mode'         => 'checkid_setup', // or checkid_immediate
    'openid.claimed_id'   => 'VALUE', // the Claimed Identifier
    'openid.identity'     => 'VALUE', // the IDP Local Identifier (e.g. http://username.site.com)
    'openid.assoc_handle' => 'VALUE', // handle used to sign the response (handle to secret)
    'openid.return_to'    => 'VALUE', // URL which the IDP SHOULD return the User to with the response
    'openid.realm'        => 'VALUE', // Consumer-given URL pattern the IDP SHOULD ask the USER to trust
);

// IDP side: checks whether it will vouch for the user to this Consumer.
// Returns true to send a "yes" (id_res) back, false to send "cancel".
function checkid_setup(array $request)
{
    // Is the claimed ID even on this server?
    // Is the Claimed ID the user's?
    // Is the site requesting trust (return_to) a part of the realm?
    // realm = URL ?
    // Is the user logged in?
    // Has the user agreed to trust this realm?

    return false; // placeholder until the checks above are written
}
?>
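The "Is the site requesting trust a part of the realm?" line in checkid_setup is the one check an IDP must get right before redirecting anyone: return_to has to fall inside the realm the Consumer asked the user to trust, otherwise a forged return_to could carry the signed response to some other host. This is an added example in Python, not the post's code; it implements the core matching rules (same scheme and port, host equal or covered by a leading "*." wildcard, return_to path under the realm path) and leaves out the spec's extra restrictions on overly broad wildcards.

```python
from urllib.parse import urlsplit

def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Does return_to lie inside the realm (OpenID 1.1 calls it trust_root)?"""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    # A realm may not carry a fragment, and the scheme must match exactly.
    if rl.fragment or rt.scheme != rl.scheme:
        return False
    # Fill in default ports so "https://a" and "https://a:443" compare equal.
    default = {"http": 80, "https": 443}.get(rl.scheme)
    if (rt.port or default) != (rl.port or default):
        return False
    rt_host, rl_host = rt.hostname or "", rl.hostname or ""
    if rl_host.startswith("*."):
        # Wildcard: the domain itself or any subdomain of it, never a look-alike.
        domain = rl_host[2:]
        if not (rt_host == domain or rt_host.endswith("." + domain)):
            return False
    elif rt_host != rl_host:
        return False
    # return_to's path must equal the realm path or be a sub-directory of it;
    # "/app" must not accept "/application".
    rl_path, rt_path = rl.path or "/", rt.path or "/"
    return rt_path == rl_path or rt_path.startswith(rl_path.rstrip("/") + "/")
```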
