Initially I used the stable release of Clonezilla to back up my laptop’s entire hard drive to a USB external hard drive. No problems at all. However, I hit a minor snag when restoring the system with the stable release in that it failed to re-install grub. Oops. Not to worry though, Clonezilla has an “alternative” release based off Ubuntu (the stable release is built on standard Debian). Since I happen to be running Ubuntu, I made a new Live CD with the alternative Ubuntu release and once again tried the system restore. This time it worked perfectly and my system is exactly as it was at the time I backed it up.

The upgrade was simple as always and I experienced no issues … until I tried to boot up my Ubuntu VM. It appeared to hang during boot up, and finally ended in a kernel panic. Every time.

There’s an easy fix, however, which I found here after a quick Google search. The solution is to change the VM settings for the network adapter from “PCnet-FAST III” to “Intel PRO/1000 MT Desktop”.

What do you need to install Flex on Ubuntu?

1. The Flex SDK
2. Sun Java (needed for compiling the SWF binaries)

Set up and install Flex

Step 1. If you haven’t already, install Java. (If you aren’t sure, go ahead and try this step anyway.) First open up a terminal (Accessories menu > Terminal) and type the following:

sudo apt-get install java-package sun-java6-jdk

This will take several minutes while the packages download and install. You’ll also need to agree to Sun’s license.

Step 2. Download the Flex SDK. The rest of this guide will assume you saved the SDK to your desktop: ~/Desktop.

Step 3. We need to create a directory for the Flex SDK. In a terminal window, enter the following:

sudo mkdir /opt/flex

The “opt” directory is generally where optional application software packages live. (More info on the linux file system.) All we did here is make a new “flex” directory inside “opt”.

Step 4. Now we need to unzip the Flex SDK. Type the following in a terminal window:

cd ~/Desktop
unzip flex_sdk_4.zip -d tempflex

What this does is unzip the contents of your download into a new and temporary directory on your Desktop called “tempflex”.

Step 5. After that’s complete, we need to move these files to “opt/flex” which we’ve already prepared for the SDK. Type the following in a terminal window:

sudo mv tempflex/* /opt/flex/

This will move the contents of “tempflex” into “opt/flex”. If you want to make sure you moved everything, you can type the following into a terminal window:

cd /opt/flex
ls

You should see a list of all the files in the directory.

Step 6. Last step. All we need to do now is let Ubuntu know where the new Flex compiler lives. Type the following in a terminal window to open up “~/.bashrc” in a text editor:

gedit ~/.bashrc

The text editor will open your ~/.bashrc profile and we only need to add one line (I added it at the bottom of the file, but I’m not sure it matters).

export PATH=/opt/flex/bin:$PATH

Save the file and close the text editor. Then exit all open terminal windows before opening a new one. This should ensure that your terminal loads the path that we just added.

You should now be able to compile your Flex projects with the “mxmlc” compiler command. To make sure, type the following in a terminal window to bring up the “help”:

mxmlc --help

Looks good? Great. You’re all set. Happy Flex-developing.

I’ve been working on OpenID a lot lately and I’ve latched on to a great starter PHP class called, obviously enough, Simple OpenID PHP Class (Simple OpenID). It’s easy enough to implement, but I quickly noticed that it didn’t work with Yahoo (among others). Basically it would return an error saying it couldn’t find an OpenID server at Yahoo.

At this point, I thought about switching to the very full featured JanRain PHP OpenID library but it’s way more than I need right now. So I decided to stick it out with Simple OpenID and see if I couldn’t get it working like it should. In the end, I was able to get it working with Yahoo. I’ll show you how. If you find things aren’t coming together like they should, you can download the version of Simple OpenID that I’m now using.

What You’ll Need:

• Simple OpenID (requires cURL) Link points to the original file. Download my updated version here.
• The PHP Yadis Library. This tutorial assumes you’re using the stand-alone download here.

Summary:
As it currently stands, Simple OpenID is built more or less to OpenID 1.1 specifications. What we’re going to do is add support for the 2.0 specifications, which Yahoo requires.

It is assumed that you already have Simple OpenID installed and working with at least a few providers (Technorati and AOL seem to work right out of the box). If you need help getting it installed, look at the comments in the class itself, or check out the example included with the class.

Caveat:
To be honest, I haven’t read the 2.0 specifications in full, so I may have missed some requirements here and there. I’ve added in the ones that I noticed and knew wouldn’t take much time to implement in a somewhat proper manner. The scope of this tutorial is only to get Simple OpenID working with Yahoo, not filling out every detail the class currently lacks.

Setup:
First up is Yadis (if you’re interested, there’s more info here and here). Extract the Yadis library that you downloaded. Find the Services directory and copy it to the same directory on your server where you have Simple OpenID. Something like this:

www/Services/
www/class.openid.php

All done? Okay, let’s get started!

At the time of this writing, the latest version of Simple OpenID is class.openid.v3.php, so we’ll be working with that. Open it up in your editor of choice now.

Stop right there at line 1. We’re interested in compatibility here, people. Not only could that PHP short tag be mistaken for an XML opening tag, but it won’t work on a PHP installation that has short tags disabled. Change it to the full tag. It’s just three extra characters. Do it.

<?php

Now let’s add in the Yadis classes by adding the following on line 66.

require_once 'Services/Yadis/Yadis.php';

Simple OpenID is currently equipped to locate an OpenID server by sending a request to the identity URL provided by the user and parsing the HTML response that’s returned. Yahoo doesn’t work this way. We have to use Yadis discovery to locate the server. Edit the GetOpenIDServer method so that it looks like the code below.

function GetOpenIDServer(){

    //Try Yadis Protocol discovery first
    $http_response = array();
    $fetcher = Services_Yadis_Yadis::getHTTPFetcher();
    $yadis_object = Services_Yadis_Yadis::discover($this->openid_url_identity,
                                                $http_response, $fetcher);

    // Yadis object is returned if discovery is successful
    if($yadis_object != null){
        $service_list = $yadis_object->services();
        $types = $service_list[0]->getTypes();
        $servers = $service_list[0]->getURIs();
        $delegates = $service_list[0]->getElements('openid:Delegate');
    }else{ // Else try HTML discovery
        $response = $this->CURL_Request($this->openid_url_identity);
        list($servers, $delegates) = $this->HTML2OpenIDServer($response);
    }
    if (count($servers) == 0){
        $this->ErrorStore('OPENID_NOSERVERSFOUND');
        return false;
    }
    if (isset($types[0])
      && ($types[0] != "")){
	$this->SetServiceType($types[0]);
    }
    if (isset($delegates[0])
      && ($delegates[0] != "")){
        $this->SetIdentity($delegates[0]);
    }
    $this->SetOpenIDServer($servers[0]);
    return $servers[0];
}

If you look at line 278 now, you’ll see we added a call to a method named SetServiceType. Since there are still providers out there using OpenID 1.1 (i.e. livejournal.com) we need to make sure we can handle the specifications for whatever we come across. We’ll have to set the service type based on the version being used. Let’s add the SetServiceType method at line 85.

function SetServiceType($a){
    // Hopefully the provider is using OpenID 2.0 but let's check
    // the protocol version in order to handle backwards compatibility.
    // Probably not the best method, but it works for now.
    if(stristr($a, "2.0")){
        $ns = "http://specs.openid.net/auth/2.0";
        $version = "2.0";
    }
    else if(stristr($a, "1.1")){
        $ns = "http://openid.net/signon/1.1";
        $version = "1.1";
    }else{
        $ns = "http://openid.net/signon/1.0";
        $version = "1.0";
    }
    $this->openid_ns = $ns;
    $this->version   = $version;
}

What this does is check the service type we found during discovery and set the namespace (openid.ns) and version appropriately. At this point, if we test what we have, we’ll be able to find Yahoo’s OpenID server address and redirect our user there to authenticate. But instead of being asked to login, our user will get this message from Yahoo:

Sorry! You will not be able to login to this website as it is using an older version of the the OpenID technology. Yahoo! only supports OpenID 2.0 because it is more secure. For more information, check out the OpenID documentation at Yahoo! Developer Network.

So it seems there’s more to OpenID 2.0 support than just adding in Yadis discovery. Don’t bother checking out the OpenID documentation at Yahoo! Developer Network, though. The only useful thing there is a link to the specifications for OpenID 2.0. After glancing through the specs, we find out we need to send some information to Yahoo as part of the URL query string.

If you look at the GetRedirectURL method, you’ll see on lines 307-311 we’re setting up our parameters array with the following: openid.return_to, openid.mode, openid.identity, openid.trust_root. Lines 313-320 add the request for any sreg info you want to get back from the OpenID provider.

That’s enough for the 1.1 specs, but not for 2.0. If, as is the case with Yahoo, we’re dealing with a 2.0 provider, we also need to send openid.ns and openid.claimed_id. In addition, the specs say that openid.trusted_root has been renamed openid.realm for 2.0. Let’s add our conditional code and change the GetRedirectURL method to the following.

function GetRedirectURL(){
    $params = array();
    $params['openid.return_to'] = urlencode($this->URLs['approved']);
    if($this->version == "2.0"){
        $params['openid.ns'] = urlencode($this->openid_ns);
        $params['openid.claimed_id'] = urlencode($this->openid_url_identity);
        $params['openid.realm'] = urlencode($this->URLs['trust_root']);
    }else{
        $params['openid.trust_root'] = urlencode($this->URLs['trust_root']);
    }
    $params['openid.mode'] = 'checkid_setup';
    $params['openid.identity'] = urlencode($this->openid_url_identity);

    if (isset($this->fields['required'])
      && (count($this->fields['required']) > 0)) {
        $params['openid.sreg.required'] = implode(',',$this->fields['required']);
    }
    if (isset($this->fields['optional'])
      && (count($this->fields['optional']) > 0)) {
        $params['openid.sreg.optional'] = implode(',',$this->fields['optional']);
    }
    return $this->URLs['openid_server'] . "?". $this->array2url($params);
}

As you can see above, the value of openid.claimed_id is the same as openid.identity.

If you try our code now, you should be able to reach Yahoo’s OpenID login server. Great! Log in if you’re not already, and you’ll see a button that says “Let Me In.” (You’ll probably also see a scary warning message that says your website hasn’t confirmed its identity with Yahoo. Don’t worry about this for now; we’ll take care of it later.)

Click the “Let Me In” button and you’ll be taken back to the URL you specified as the return_to address. But for some reason, there’s an error message that says “Could not validate the OpenID at http://yahoo.com/”. This message comes from the ValidateWithServer method, so something must be going wrong here.

When we made our first request to Yahoo, we sent some parameters in the URL. When the user clicks “Let Me In”, Yahoo sends its own parameters appended to the return_to address. You can see them if you look at the URL where you got the error message. If you look closely, you’ll see one of the parameters returned is openid.signed. The value is a comma-separated list of parameters that Yahoo wants us to validate. Basically, Yahoo wants us to send these data back so they can let us know if anything has been tampered with in transit.

If you look at lines 341-345, you can see that we’re building another array of parameters that we’re going to validate with Yahoo. openid.assoc_handle, openid.signed and openid.sig are all declared outright. Then beginning on line 347, you can see we’re taking the comma-separated list, the signed parameters returned with openid_signed, and replacing all instances of “sreg.” with “sreg_“, then storing it as an array ($arr_signed). Since the comma-separated list contains variables that are passed in the URL, PHP will automatically add them in our global $_GET array. But anything like openid.sreg.fullname will become $_GET['openid_sreg_fullname'] when PHP parses the variables.

On line 348, there’s a for loop that goes through each of the signed parameters and uses logic to grab the value from $_GET['openid_sreg_fullname'] and store it as $params['openid.sreg.fullname'].

And finally line 355 sets openid.mode to “check_authentication” and adds it to our array of parameters.

So if the for loop adds all of the signed parameters that Yahoo gives us, why are we getting an error? Well, let’s look at the signed parameters Yahoo is asking for.

• assoc_handle
• claimed_id
• identity
• mode
• ns
• ns.pape
• op_endpoint
• pape.auth_policies
• pape.nist_auth_level
• response_nonce
• return_to
• signed

If you recall, the variable names containing periods or dots are going to be converted to underscores when added to the $_GET array. Line 347 takes care of any names taking the form “sreg.” but as you can see, we need to do something with names containing “ns.” and “pape.” as well. Let’s rewrite the ValidateWithServer method to reflect this.

function ValidateWithServer(){

    $params             = array();
    $arr_underscores    = array('ns_', 'pape_', 'sreg_');
    $arr_periods        = array('ns.', 'pape.', 'sreg.');
    $arr_getSignedKeys  = explode(",",str_replace($arr_periods, $arr_underscores, $_GET['openid_signed']));

    // Send only required parameters to confirm validity
    foreach($arr_getSignedKeys as $key){
        $paramKey = str_replace($arr_underscores, $arr_periods, $key);
        $params["openid.$paramKey"] = urlencode($_GET["openid_$key"]);
    }
    if($this->openid_version != "2.0"){
        $params['openid.assoc_handle'] = urlencode($_GET['openid_assoc_handle']);
        $params['openid.signed'] = urlencode($_GET['openid_signed']);
    }
    $params['openid.sig'] = urlencode($_GET['openid_sig']);
    $params['openid.mode'] = "check_authentication";

    $openid_server = $this->GetOpenIDServer();
    if ($openid_server == false){
        return false;
    }
    $response = $this->CURL_Request($openid_server,'POST',$params);
    $data = $this->splitResponse($response);

    if ($data['is_valid'] == "true") {
        return true;
    }else{
        return false;
    }
}

If you try the code now, you should have a successful validation. Excellent!

But … what about that scary warning message we saw on the Yahoo OpenID endpoint?

To get rid of that, you need to create an XRDF file to let Yahoo know who you are. Create a file called “yadis.xrdf” and place it somewhere on your server. The important part of this file is that you tell it where your return_to URL is. The file should look like this.

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
    xmlns:xrds="xri://$xrds"
    xmlns:openid="http://openid.net/xmlns/1.0"
    xmlns="xri://$xrd*($v*2.0)">
    <XRD>
        <Service priority="0">
            <Type>http://specs.openid.net/auth/2.0/return_to</Type>
            <URI>http://yourdomain.com:80/path-to/your_return_to.php</URI>
        </Service>
    </XRD>
</xrds:XRDS>

All you need to do now is send a header from your site that reveals the location of your XRDF file. I’m not certain on this, but it appears that you need to send this header from the index page of your OpenID login area. For example, if your login form is at http://example.com/openid/login.php, the header should be sent from http://example.com/openid/index.php in order for Yahoo to find it. Add the following code to the top of your index page. This header must be sent from the root of the URL you specified as your “trust root”. There cannot be any output before this header or it won’t work. It must be the very first thing, probably just after the opening PHP tag.

header('X-XRDS-Location:http://yourdomain.com/path-to/yadis.xrdf');

What’s next?

There’s plenty more to do for the 2.0 specs. For example, while an OpenID could take the form of “http://example.com/user“, it could also look like “xri://=john.smith” or something equally strange. XRI support is something else that has been added to the 2.0 specs. All we need to do is add some logic to handle these types of identities. Since this kind of logic already exists in the SetIdentity method, let’s add it there.

function SetIdentity($a){ 	// Set Identity URL

    $xriIdentifiers = array('=', '$', '!', '@', '+');
    $xriProxy = 'http://xri.net/';

    // Is this an XRI string?
    // Check for "xri://" prefix or XRI Global Constant Symbols
    if (stripos($a, 'xri://') || in_array($a[0], $xriIdentifiers)){
        // Attempts to convert an XRI into a URI by removing the "xri://" prefix and
        // appending the remainder to the URI of an XRI proxy such as "http://xri.net"
        if (stripos($a, 'xri://') == 0) {
            if (stripos($a, 'xri://$ip*') == 0) {
                $a = substr($a, 10);
            } elseif (stripos($a, 'xri://$dns*') == 0) {
                $a = substr($a, 11);
            } else {
                $a = substr($a, 6);
            }
        }
            $a = $xriProxy.$a;
    }

    if ((stripos($a, 'http://') === false)
      && (stripos($a, 'https://') === false)){
        $a = 'http://'.$a;
    }

    $this->openid_url_identity = $a;
}

Also, during Yadis discovery, we may discover more than one provider redirect URL. The reason for this, as far as I can tell, is for load balancing or providing alternatives in case the first one we try returns an error. We’ll need to modify the code to check each endpoint’s priority level, and be prepared to retry several times in case one or more endpoints return an error response. However, that’s something for another tutorial.

Simple OpenID also seems to have a problem with Wordpress.com identities. It’s easy enough to solve, and you can find my solution here.

Download the version of Simple OpenID that I’m now using.