ENABLE YOUR WEB APPLICATION FOR OPEN ID TO LET YOUR USERS LOG IN WITHOUT HAVING TO REMEMBER YET ANOTHER PASSWORD
Think about the number of username and password combinations you have to remember on a daily basis - bank logins, social networking sites, Flickr, Twitter, Basecamp and so on. The more security-conscious of us will accept that using the same username and password everywhere isn't a great idea: if you use that combination on an untrusted site, that site could use it to log in as you everywhere else. We would rather be storing more useful things than passwords in our brains, so we're very happy that Open ID is becoming a popular way for websites to authenticate users.

So what is an Open ID? You can get an Open ID by various methods; the simplest is to choose a trusted Open ID provider and sign up with them. You might also find that one of the sites you already sign into is an Open ID provider - AOL, LiveJournal and most recently Yahoo! can all act as your Open ID. You will then be given a username, something like http://yourname.myopenid.com. When you log in on an Open ID-enabled site, you simply enter this URL into their login box. The site will then redirect out to your Open ID provider, where you log in and the provider checks that you are happy to give the other site your details. You will then be sent back to the website and are logged in.

The benefits to users are that they don't need to remember lots of different sets of login details, and can also keep the actual password details on one trusted site. For the site owner, you don't need to store password details on your site or deal with forgotten passwords and so on. If you have built a password login system for a site before, then enabling Open ID just means a small shift in thinking - from storing a username and password on your site and writing a script to check them, to firing out a request to an external site and getting information back as to whether your user is logged in or not.
You can still tie any information specific to your site to a user, by linking that information to their Open ID in your database. So now you know what Open ID is, this tutorial will have a look at how you might enable your site for Open ID logins. We’ll be using PHP and MySQL, although the principles are the same whichever language you choose.
1. Get your Open ID
The first step is to have an Open ID to use to test your sign-on. If you already have an Open ID or are signed up for a site that gives you one, then you are all set. Otherwise, sign up at a provider such as www.myopenid.com and get your own Open ID URL.
2. Download the PHP class
We will use a PHP class in order to simplify the process of communicating with the Open ID provider. The class we are going to use is the Simple Open ID Class that is available from www.phpclasses.org/browse/package/3290.html. The version of the class we have used is available in the code sample; however, if you are going to use this in a live application, check the site for any updates to it. In the zip that you have downloaded, the file you will need is class.openid.v2.php. Save this into your site, naming it anything you like.
3. Create a form
In a new PHP file, add a form; all we need is a field for the user to enter their Open ID URL and a Submit button. Set the form to post back to itself for this example. We’ve also added a link to myopenid.com so the user can go and get an Open ID if they don’t have one yet.
4. Posting the form
We now need to deal with what happens when the user posts the form containing their Open ID. At the very top of this script inside PHP tags, include the class we downloaded earlier and create a new instance of that class.
require('class.openid.v2.php');
if ($_POST) {
    $openid = new OpenIDService();
5. Set up the request
In addition to checking whether the user is valid, we can ask the Open ID server to send us back some information about the user, such as their email address, full name and gender. The user needs to have already entered this information into their profile and agree to send it to you when they get to the Open ID site. The following lines of code set the user’s identity (this is the URL they entered into the text box), the site that is asking to be authorised, some required fields that we need and some optional fields.
    // the URL the user typed into the login form (field named openid_url)
    $openid->SetIdentity($_POST['openid_url']);
    // the site that is asking the provider to authorise the user
    $openid->SetTrustRoot('http://' . $_SERVER['HTTP_HOST']);
    $openid->SetRequiredFields(array('email', 'fullname'));
    $openid->SetOptionalFields(array('dob', 'gender', 'country'));
6. Redirect to the Open ID provider
We redirect out to the provider, setting the URL that we want the user to be brought back to after completing their sign-on process. In our case, that is the same script we are posting out from, but in a full application you might have a different script to handle logins. If anything goes wrong at this stage, just write the error information out to variables so we can see what happened.
    if ($openid->GetOpenIDServer()) {
        // bring the user back to this same script when the provider is done
        $openid->SetApprovedURL('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PATH_INFO']);
        $openid->Redirect();
    } else {
        $error = $openid->GetError();
        $error_code = $error['code'];
        $error_string = $error['description'];
    }
}
7. Testing the redirect
You should now be able to enter your Open ID into your form and be taken to the Open ID server to perform the login. After logging in, the server will let you decide whether to authorise this site once, always or cancel the request. We can also choose what information we send back to this site.
8. After login
If you allow the authorisation on the Open ID server, you should find yourself back at your script. In the address, there will be a query string containing information sent back from the Open ID server. This information tells us whether the login was successful and, if it was, gives us some information about the user.
9. Checking for successful authentication
The code below goes after the closing bracket of the if statement that checks whether we have a Post. It runs when the user is redirected back from the Open ID server. If we have the parameter openid_mode in our Get, we check whether it has the value id_res, which means that we have an authentication response. The first thing to do is to create a new instance of the Open ID object and check that this really is a valid user and not just someone forming a correct-looking query string to try and log into our site. We do this using the ValidateWithServer method, which returns true or false. Put that value into a variable to check.
elseif ($_GET['openid_mode'] == 'id_res') {
    $showform = false;
    $openid = new OpenIDService();
    $openid->SetIdentity($_GET['openid_identity']);
    // ask the provider to confirm the response rather than trusting the query string
    $openid_validation_result = $openid->ValidateWithServer();
10. A valid login
If our variable $openid_validation_result is equal to true, then we have a valid login – hooray! Now we can do whatever we want to do with the information we get back from the server. In our case, we are just going to get the details from the Get and write them out into variables. If you were integrating Open ID into your site authentication, you would now insert this information into your database and continue exactly as if you had authorised using a username and password on your own site – except that you don’t need to worry about storing passwords. We are setting a variable named ‘status’ to VALID so that we can check this later on our page when we display the result of the authentication.
    if ($openid_validation_result == true) {
        // get the user's details from the GET (simple registration fields)
        $country = $_GET['openid_sreg_country'];
        $dob = $_GET['openid_sreg_dob'];
        $email = $_GET['openid_sreg_email'];
        $fullname = $_GET['openid_sreg_fullname'];
        $gender = $_GET['openid_sreg_gender'];
        $identity = $openid->GetIdentity();
        $error_code = '';
        $error_string = '';
        $status = 'VALID';
    }
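As an added example that is not code from the tutorial or from the Simple Open ID class, here is a hardened version of the request (steps 5 and 6) and return (steps 9 and 10) handling: a single-use session token binds the provider's response to the browser session that started the login, the provider's answer rather than the query string decides validity, and the user is looked up by Open ID identity with prepared statements. It assumes PHP 7 or later, the OpenIDService methods used above, that the class passes the approved URL (query string included) to the provider as the return address, and a PDO connection $db to the constructed users table described in the comments.

```php
<?php
// Added example, not part of the tutorial or of the Simple OpenID class. Assumes PHP 7+,
// the OpenIDService methods used above, and a PDO connection $db to a constructed table
// users(id INT AUTO_INCREMENT PRIMARY KEY, openid_identity VARCHAR(255) UNIQUE, email VARCHAR(255), fullname VARCHAR(255))
require('class.openid.v2.php');
session_start();
// Steps 5 and 6, plus a random single-use token carried in the return URL and kept in
// the session, so that a response can only complete the login attempt it belongs to.
function start_openid_login($claimed_url) {
    $_SESSION['openid_token'] = bin2hex(random_bytes(16));
    $openid = new OpenIDService();
    $openid->SetIdentity($claimed_url);
    $openid->SetTrustRoot('http://' . $_SERVER['HTTP_HOST']);
    $openid->SetRequiredFields(array('email', 'fullname'));
    if (!$openid->GetOpenIDServer()) {
        return $openid->GetError();   // array with 'code' and 'description'
    }
    $openid->SetApprovedURL('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'] . '?openid_token=' . $_SESSION['openid_token']);
    $openid->Redirect();
}
// Steps 9 and 10: check the token, let the provider confirm the assertion, then look the
// user up by identity. Everything in $get came from the browser and is treated as input.
function finish_openid_login(array $get, PDO $db) {
    $bound = isset($get['openid_mode'], $get['openid_token'], $_SESSION['openid_token'])
        && $get['openid_mode'] === 'id_res'
        && hash_equals($_SESSION['openid_token'], $get['openid_token']);
    unset($_SESSION['openid_token']);   // single use, whatever the outcome
    if (!$bound) {
        return array('status' => 'INVALID', 'message' => 'response not bound to this session');
    }
    $openid = new OpenIDService();
    $openid->SetIdentity($get['openid_identity']);
    if (!$openid->ValidateWithServer()) {
        $err = $openid->IsError() ? $openid->GetError() : array('description' => 'INVALID AUTHORIZATION');
        return array('status' => 'INVALID', 'message' => $err['description']);
    }
    $identity = $openid->GetIdentity();
    $stmt = $db->prepare('SELECT id FROM users WHERE openid_identity = ?');
    $stmt->execute(array($identity));
    $user_id = $stmt->fetchColumn();
    if ($user_id === false) {   // first visit: create the account linked to this identity
        $ins = $db->prepare('INSERT INTO users (openid_identity, email, fullname) VALUES (?, ?, ?)');
        $ins->execute(array($identity, $get['openid_sreg_email'] ?? '', $get['openid_sreg_fullname'] ?? ''));
        $user_id = $db->lastInsertId();
    }
    session_regenerate_id(true);        // fresh session id once the user is logged in
    $_SESSION['user_id'] = (int) $user_id;
    // escape provider-supplied values before echoing them in the page (step 14)
    return array('status' => 'VALID', 'user_id' => (int) $user_id,
        'fullname' => htmlspecialchars($get['openid_sreg_fullname'] ?? '', ENT_QUOTES, 'UTF-8'));
}
```

Call start_openid_login($_POST['openid_url']) when the form is posted and finish_openid_login($_GET, $db) when openid_mode is present in the query string; the returned array replaces the $status, $error_string and user-detail variables of steps 10 to 12.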
11. Dealing with errors
We need to deal with any errors that might occur, such as an invalid authorisation or some error generated by the server. If we write these to variables, we can find out what happened. In a live site, you need to make sure your user knows what to do if the error is caused by an incorrect login. You might also want to log errors to a database table or text file so you can see if anything is happening often. If the error has been caught by the object, then it can be retrieved with the GetError() method that returns an array.
    elseif ($openid->IsError() == true) {
        // the class caught an error talking to the provider
        $error = $openid->GetError();
        $error_code = $error['code'];
        $error_string = $error['description'];
        $status = 'ERROR';
    } else {
        // the provider did not confirm the response
        $error_code = '';
        $error_string = 'INVALID AUTHORIZATION';
        $status = 'INVALID';
    }
12. User cancelled request
If you deny the authorisation on the Open ID server, then the value of openid_mode will be 'cancel'. In this situation, the user has cancelled the request and so you cannot log them in. You would need to give the user some information in this situation, perhaps giving them contact details if they have concerns about the information that you want to access.
elseif ($_GET['openid_mode'] == 'cancel') {
    $showform = false;
    $error_string = 'USER CANCELLED REQUEST';
    $error_code = '';
    $status = 'CANCELLED';
}
13. Showing the information
For the purposes of this article, we will just display the information that has been returned – or the error message generated – so you can see that the login has worked. At the top of your script (just below the include of the class), add $showform = true;. Then wrap the form in your page with an if statement checking for $showform.
if ($showform) {
?>
<!-- the login form from step 3 goes here -->
<?php
}
?>
14. Display the returned information
If our status variable is set to VALID, then we have the user details. Echo them out to the page as proof of the successful authentication.
15. Error display
The following code will print out the error messages that have been received. These messages are more for debug purposes, so don’t forget to display more friendly and helpful error messages to your users, in case they are having problems logging in.
elseif ($status == 'INVALID') {
    echo 'Sorry, we could not log you in';
    echo $error_code . ': ' . $error_string;
} elseif ($status == 'CANCELLED') {
    echo 'Sorry, we could not log you in';
    echo $error_string;
}
}