Initial foray into OpenId (Zend_OpenId_Consumer / PHP etc)

While updating some security training materials, I thought I’d include some more information on OpenId – with the hope of demonstrating how the typical username/password mess which web applications create can be countered (for example see here).

So, being a PHP type, and having seen that the Zend Framework supports OpenId, I thought I’d create a simple demo. The documentation looked good, and I quickly got a test script online (see below). So – to test it, I thought I’d try using Google as my OpenID provider (after all, StackOverflow does) and I obviously have a Google account.

So, the Zend Framework gives the following test code:

<?php
require_once(dirname(__FILE__) . '/Zend/OpenId/Consumer.php');
require_once(dirname(__FILE__) . '/Zend/OpenId/Extension/Sreg.php');

// Simple Registration (Sreg) request: false marks a field as optional,
// so the login still succeeds if the provider does not return it.
$sreg = new Zend_OpenId_Extension_Sreg(array(
    'nickname' => false,
    'email'    => false,
    'fullname' => false), null, 1.1);
//echo file_get_contents('https://www.google.com/accounts/o8/id');
$status = "";
$consumer = new Zend_OpenId_Consumer();

if (isset($_POST['openid_action']) && $_POST['openid_action'] == "login" && !empty($_POST['openid_identifier'])) {
    // Step 1: the form was submitted; discover the provider and redirect the browser to it.
    // Third argument is the trust root shown to the user by the provider.
    if (!$consumer->login($_POST['openid_identifier'], null, 'http://*.palepurple.co.uk', $sreg)) {
        //echo $consumer->getError();
        $status = "OpenID login failed.";
    }
} else if (isset($_GET['openid_mode'])) {
    // Step 2: the provider has redirected the browser back with its response.
    if ($_GET['openid_mode'] == "id_res") {
        // verify() checks the response and sets $id (by reference) to the claimed identity.
        if ($consumer->verify($_GET, $id, $sreg)) {
            $status = "VALID " . htmlspecialchars($id);
            var_dump($sreg->getProperties());
        } else {
            $status = "INVALID " . htmlspecialchars($id);
        }
    } else if ($_GET['openid_mode'] == "cancel") {
        $status = "CANCELLED";
    }
}
?>

<html><body>
<?php echo "$status<br>" ?>
<form method="post">
<fieldset>
<legend>OpenID Login</legend>
<input type="text" name="openid_identifier" value=""/>
<input type="submit" name="openid_action" value="login"/>
</fieldset>
</form>
</body></html>

Which doesn’t work if you try to use https://www.google.com/accounts/o8/id [Google’s OpenID provider URL]. It just fails with a hopeless “Discovery Failed” error message. I spent an hour or two poking it, and making fruitless Google searches (or so it seemed). Then I gave up and tried using a different provider – success.. it all works.

Various postings imply there is/was a problem with the Zend Framework’s OpenId consumer – although to start with I thought it might have been due to my local PHP configuration (e.g. lacking support for openssl/mhash or something else, but this wasn’t the case). See also this and this.

Thankfully the code does work when using other providers – e.g. MyOpenId. One nice feature of OpenId, which I wasn’t aware of, is that you (the web client application) can also request e.g. nickname, name, date of birth and country of residence from the OpenID provider (which is what the Zend_OpenId_Extension_Sreg stuff is all about – I’ve made the request parameters all optional, otherwise you get an auth failure when the provider doesn’t return the data you require).
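Because every Sreg field in the demo is requested as optional, the array from `$sreg->getProperties()` may be missing any of them, and whatever does arrive is self-asserted by the user at their provider. The following is an added example (not from the Zend Framework documentation or the original demo) of handling that array defensively; the helper name `normalise_sreg` and the sample arrays are constructed for illustration.

```php
<?php
/**
 * Added example: normalise the optional Sreg fields returned by an OpenID provider.
 * normalise_sreg() is a hypothetical helper, not part of Zend Framework.
 * $props has the shape returned by $sreg->getProperties() after verify().
 */
function normalise_sreg(array $props)
{
    $out = array('nickname' => null, 'email' => null, 'fullname' => null);

    foreach (array_keys($out) as $field) {
        // Optional fields may be absent entirely; ignore non-string values.
        if (!isset($props[$field]) || !is_string($props[$field])) {
            continue;
        }
        // Strip control characters and cap the length before storing anything.
        $value = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $props[$field]));
        if ($value === '' || strlen($value) > 254) {
            continue;
        }
        $out[$field] = $value;
    }

    // The e-mail is self-asserted by the user at the provider: check its
    // syntax, but do not treat it as proof of ownership.
    if ($out['email'] !== null && filter_var($out['email'], FILTER_VALIDATE_EMAIL) === false) {
        $out['email'] = null;
    }
    return $out;
}

// Constructed sample inputs: a provider that returned nothing, and one that
// returned a mix of usable and unusable values.
$samples = array(
    array(),
    array('nickname' => "dave\r\n", 'email' => 'not-an-email', 'fullname' => 'Dave <b>G</b>'),
);

foreach ($samples as $props) {
    foreach (normalise_sreg($props) as $field => $value) {
        // Escape on output, as the demo already does for the verified $id.
        echo $field, ': ', $value === null ? '(not supplied)' : htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The account key in the application should remain the `$id` that `verify()` returned; the Sreg values are profile hints only.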

Anyway, it’s really, really, easy to do. Shame about the poor support for Google though.


Comments

3 responses to “Initial foray into OpenId (Zend_OpenId_Consumer / PHP etc)”

  1. Candy

    This is all gobbledegook. None of it means anything in the real world.

    I suggest you take up poetry… maybe a nice poem about the importance of Marmite in the global economy?
