At that time, I’d only ever set up a personal OpenID endpoint so I started looking around on what it would take to become an OpenID consumer in order to authenticate our users. After trying various things, I settled on the Simple OpenID class that I found on PHPClasses.org. The only problem was that it wasn’t OpenID 2.0 compliant, and therefore wouldn’t work with Yahoo. So I worked my way through the OpenID specifications and got it functioning the way I wanted, even releasing the new code as Dope OpenID. Still, we never saw more than a few hundred people taking advantage of OpenID on our site (out of a million or so active users).

Since then, all I can say is that OpenID has become significantly less exciting. I haven’t updated the code in a long while, though someone will occasionally post a modification in the comments. I actually put the source up on GitHub hoping the modifications would get merged in that way.

Anyway, all that to say for the last several months I’ve been intending to announce that I’m no longer going to be doing any development on Dope OpenID. Today’s announcement of the PHPClasses Zeitgeist was the kick in the pants I needed. While OpenID was the top search on PHPClasses in 2007, it didn’t even make the list in 2008 or 2009. In my opinion, the average user still has no idea what OpenID is and they’re just more trusting of things that sound familiar to them, like Facebook Connect.

So, to sum up, I’m no longer doing any development on Dope OpenID. I will leave the project page up for a while and continue to allow comments, but I’d much rather let someone else take over the project if they have an interest in it. Or else just fork it on GitHub.

In addition, because Dope OpenID is an open source project, I’ve made the source code available on github. Collaborators are welcome! Or take the code and go in a completely different direction.

After a couple months, Google is finally publishing its XRDS document (like Yahoo does) from www.gmail.com. So what I’ve done is add a line that checks for “google” or “gmail” in the user’s OpenID, and if found, standardizes the input as “http://gmail.com”, at which point we can use Yadis to discover the server location. I implemented it this way because I figure users might be confused whether their provider URL is “http://google.com” or “http://gmail.com”. As an added bonus, it also allows people to enter “username@gmail.com” and it will still work. I don’t know of any clear guidelines on this, so if anyone knows of a better way to implement it, please let me know.

This brings us to Attribute Exchange (AX) and Simple Registration (SREG) info. Simple OpenID now supports both. Just use the SetRequiredFields and SetOptionalFields methods as before. Some OpenID providers use AX info, some use SREG, and some ignore both. Google, for example, will only return the user’s email address, and only if you specify it as a required field.

Other changes: I’ve added the ability to set PAPE auth policies and a time limit on authentication (max_auth_age). I haven’t tested these to see if they work though. If you’re interested, try it out and let me know the results. I commented out the section that deals with standardizing XRI strings after I noticed it’s only half implemented. I’ll work on both of these parts as time permits.

In my previous post, I told you how to get the Simple OpenID PHP Class working with Yahoo. Now we’re going to focus on WordPress.com. This turned out to be very easy once I realized the problem.

The Problem:
When you try to authenticate a WordPress OpenID using Simple OpenID you’re redirected to the correct URL, but it just displays your blog page rather than asking you to log in.

The Solution:
After a closer look at the URL we find the problem. The WordPress OpenID server URL takes the form http://username.wordpress.com/?openidserver=1. Fair enough. But the query string that we’ve appended with our request parameters also begins with a ? to set it apart from the rest of the URL. So, all we need to do is check the OpenID server URL we found during discovery for an existing query string. If it already has one, we’ll append our parameters with an &, otherwise we’ll use the ? as usual.

Let’s change the GetRedirectURL method to the following.

[php]
function GetRedirectURL(){
$params = array();
$params['openid.return_to'] = urlencode($this->URLs['approved']);
if($this->version == "2.0"){
$params['openid.ns'] = urlencode($this->openid_ns);
$params['openid.claimed_id'] = urlencode($this->openid_url_identity);
$params['openid.realm'] = urlencode($this->URLs['trust_root']);
}else{
$params['openid.trust_root'] = urlencode($this->URLs['trust_root']);
}
$params['openid.mode'] = ‘checkid_setup’;
$params['openid.identity'] = urlencode($this->openid_url_identity);

if (isset($this->fields['required'])
&& (count($this->fields['required']) > 0)) {
$params['openid.sreg.required'] = implode(‘,’,$this->fields['required']);
}
if (isset($this->fields['optional'])
&& (count($this->fields['optional']) > 0)) {
$params['openid.sreg.optional'] = implode(‘,’,$this->fields['optional']);
}
if(strstr($this->URLs['openid_server'], "?")){
$urlJoiner = "&";
}else{
$urlJoiner = "?";
}
return $this->URLs['openid_server'] . $urlJoiner . $this->array2url($params);
}
[/php]

And that’s it! Our WordPress OpenID should now authenticate properly with Simple OpenID. If it still doesn’t seem to work right, you can download the version that I’m using and see if that helps.

I’ve been working on OpenID a lot lately and I’ve latched on to a great starter PHP class called, obviously enough, Simple OpenID PHP Class (Simple OpenID). It’s easy enough to implement, but I quickly noticed that it didn’t work with Yahoo (among others). Basically it would return an error saying it couldn’t find an OpenID server at Yahoo.

At this point, I thought about switching to the very full featured JanRain PHP OpenID library but it’s way more than I need right now. So I decided to stick it out with Simple OpenID and see if I couldn’t get it working like it should. In the end, I was able to get it working with Yahoo. I’ll show you how. If you find things aren’t coming together like they should, you can download the version of Simple OpenID that I’m now using.

What You’ll Need:

• Simple OpenID (requires cURL) Link points to the original file. Download my updated version here.
• The PHP Yadis Library. This tutorial assumes you’re using the stand-alone download here.

Summary:
As it currently stands, Simple OpenID is built more or less to OpenID 1.1 specifications. What we’re going to do is add support for the 2.0 specifications, which Yahoo requires.

It is assumed that you already have Simple OpenID installed and working with at least a few providers (Technorati and AOL seem to work right out of the box). If you need help getting it installed, look at the comments in the class itself, or check out the example included with the class.

Caveat:
To be honest, I haven’t read the 2.0 specifications in full, so I may have missed some requirements here and there. I’ve added in the ones that I noticed and knew wouldn’t take much time to implement in a somewhat proper manner. The scope of this tutorial is only to get Simple OpenID working with Yahoo, not filling out every detail the class currently lacks.

Setup:
First up is Yadis (if you’re interested, there’s more info here and here). Extract the Yadis library that you downloaded. Find the Services directory and copy it to the same directory on your server where you have Simple OpenID. Something like this:

www/Services/
www/class.openid.php

All done? Okay, let’s get started!

At the time of this writing, the latest version of Simple OpenID is class.openid.v3.php, so we’ll be working with that. Open it up in your editor of choice now.

Stop right there at line 1. We’re interested in compatibility here, people. Not only could that PHP short tag be mistaken for an XML opening tag, but it won’t work on a PHP installation that has short tags disabled. Change it to the full tag. It’s just three extra characters. Do it.

[php]
<?php
[/php]

Now let’s add in the Yadis classes by adding the following on line 66.

[php]
require_once ‘Services/Yadis/Yadis.php’;
[/php]

Simple OpenID is currently equipped to locate an OpenID server by sending a request to the identity URL provided by the user and parsing the HTML response that’s returned. Yahoo doesn’t work this way. We have to use Yadis discovery to locate the server. Edit the GetOpenIDServer method so that it looks like the code below.

[php]
function GetOpenIDServer(){

//Try Yadis Protocol discovery first
$http_response = array();
$fetcher = Services_Yadis_Yadis::getHTTPFetcher();
$yadis_object = Services_Yadis_Yadis::discover($this->openid_url_identity,
$http_response, $fetcher);

// Yadis object is returned if discovery is successful
if($yadis_object != null){
$service_list = $yadis_object->services();
$types = $service_list[0]->getTypes();
$servers = $service_list[0]->getURIs();
$delegates = $service_list[0]->getElements(‘openid:Delegate’);
}else{ // Else try HTML discovery
$response = $this->CURL_Request($this->openid_url_identity);
list($servers, $delegates) = $this->HTML2OpenIDServer($response);
}
if (count($servers) == 0){
$this->ErrorStore(‘OPENID_NOSERVERSFOUND’);
return false;
}
if (isset($types[0])
&& ($types[0] != "")){
$this->SetServiceType($types[0]);
}
if (isset($delegates[0])
&& ($delegates[0] != "")){
$this->SetIdentity($delegates[0]);
}
$this->SetOpenIDServer($servers[0]);
return $servers[0];
}
[/php]

If you look at line 278 now, you’ll see we added a call to a method named SetServiceType. Since there are still providers out there using OpenID 1.1 (i.e. livejournal.com) we need to make sure we can handle the specifications for whatever we come across. We’ll have to set the service type based on the version being used. Let’s add the SetServiceType method at line 85.

[php]
function SetServiceType($a){
// Hopefully the provider is using OpenID 2.0 but let’s check
// the protocol version in order to handle backwards compatibility.
// Probably not the best method, but it works for now.
if(stristr($a, "2.0")){
$ns = "http://specs.openid.net/auth/2.0";
$version = "2.0";
}
else if(stristr($a, "1.1")){
$ns = "http://openid.net/signon/1.1";
$version = "1.1";
}else{
$ns = "http://openid.net/signon/1.0";
$version = "1.0";
}
$this->openid_ns = $ns;
$this->version = $version;
}
[/php]

What this does is check the service type we found during discovery and set the namespace (openid.ns) and version appropriately. At this point, if we test what we have, we’ll be able to find Yahoo’s OpenID server address and redirect our user there to authenticate. But instead of being asked to login, our user will get this message from Yahoo:

Sorry! You will not be able to login to this website as it is using an older version of the the OpenID technology. Yahoo! only supports OpenID 2.0 because it is more secure. For more information, check out the OpenID documentation at Yahoo! Developer Network.

So it seems there’s more to OpenID 2.0 support than just adding in Yadis discovery. Don’t bother checking out the OpenID documentation at Yahoo! Developer Network, though. The only useful thing there is a link to the specifications for OpenID 2.0. After glancing through the specs, we find out we need to send some information to Yahoo as part of the URL query string.

If you look at the GetRedirectURL method, you’ll see on lines 307-311 we’re setting up our parameters array with the following: openid.return_to, openid.mode, openid.identity, openid.trust_root. Lines 313-320 add the request for any sreg info you want to get back from the OpenID provider.

That’s enough for the 1.1 specs, but not for 2.0. If, as is the case with Yahoo, we’re dealing with a 2.0 provider, we also need to send openid.ns and openid.claimed_id. In addition, the specs say that openid.trusted_root has been renamed openid.realm for 2.0. Let’s add our conditional code and change the GetRedirectURL method to the following.

[php]
function GetRedirectURL(){
$params = array();
$params['openid.return_to'] = urlencode($this->URLs['approved']);
if($this->version == "2.0"){
$params['openid.ns'] = urlencode($this->openid_ns);
$params['openid.claimed_id'] = urlencode($this->openid_url_identity);
$params['openid.realm'] = urlencode($this->URLs['trust_root']);
}else{
$params['openid.trust_root'] = urlencode($this->URLs['trust_root']);
}
$params['openid.mode'] = ‘checkid_setup’;
$params['openid.identity'] = urlencode($this->openid_url_identity);

if (isset($this->fields['required'])
&& (count($this->fields['required']) > 0)) {
$params['openid.sreg.required'] = implode(‘,’,$this->fields['required']);
}
if (isset($this->fields['optional'])
&& (count($this->fields['optional']) > 0)) {
$params['openid.sreg.optional'] = implode(‘,’,$this->fields['optional']);
}
return $this->URLs['openid_server'] . "?". $this->array2url($params);
}
[/php]

As you can see above, the value of openid.claimed_id is the same as openid.identity.

If you try our code now, you should be able to reach Yahoo’s OpenID login server. Great! Log in if you’re not already, and you’ll see a button that says “Let Me In.” (You’ll probably also see a scary warning message that says your website hasn’t confirmed its identity with Yahoo. Don’t worry about this for now; we’ll take care of it later.)

Click the “Let Me In” button and you’ll be taken back to the URL you specified as the return_to address. But for some reason, there’s an error message that says “Could not validate the OpenID at http://yahoo.com/”. This message comes from the ValidateWithServer method, so something must be going wrong here.

When we made our first request to Yahoo, we sent some parameters in the URL. When the user clicks “Let Me In”, Yahoo sends its own parameters appended to the return_to address. You can see them if you look at the URL where you got the error message. If you look closely, you’ll see one of the parameters returned is openid.signed. The value is a comma-separated list of parameters that Yahoo wants us to validate. Basically, Yahoo wants us to send these data back so they can let us know if anything has been tampered with in transit.

If you look at lines 341-345, you can see that we’re building another array of parameters that we’re going to validate with Yahoo. openid.assoc_handle, openid.signed and openid.sig are all declared outright. Then beginning on line 347, you can see we’re taking the comma-separated list, the signed parameters returned with openid_signed, and replacing all instances of “sreg.” with “sreg_“, then storing it as an array ($arr_signed). Since the comma-separated list contains variables that are passed in the URL, PHP will automatically add them in our global $_GET array. But anything like openid.sreg.fullname will become $_GET['openid_sreg_fullname'] when PHP parses the variables.

On line 348, there’s a for loop that goes through each of the signed parameters and uses logic to grab the value from $_GET['openid_sreg_fullname'] and store it as $params['openid.sreg.fullname'].

And finally line 355 sets openid.mode to “check_authentication” and adds it to our array of parameters.

So if the for loop adds all of the signed parameters that Yahoo gives us, why are we getting an error? Well, let’s look at the signed parameters Yahoo is asking for.

• assoc_handle
• claimed_id
• identity
• mode
• ns
• ns.pape
• op_endpoint
• pape.auth_policies
• pape.nist_auth_level
• response_nonce
• return_to
• signed

If you recall, the variable names containing periods or dots are going to be converted to underscores when added to the $_GET array. Line 347 takes care of any names taking the form “sreg.” but as you can see, we need to do something with names containing “ns.” and “pape.” as well. Let’s rewrite the ValidateWithServer method to reflect this.

[php]
function ValidateWithServer(){

$params = array();
$arr_underscores = array(‘ns_’, ‘pape_’, ‘sreg_’);
$arr_periods = array(‘ns.’, ‘pape.’, ‘sreg.’);
$arr_getSignedKeys = explode(",",str_replace($arr_periods, $arr_underscores, $_GET['openid_signed']));

// Send only required parameters to confirm validity
foreach($arr_getSignedKeys as $key){
$paramKey = str_replace($arr_underscores, $arr_periods, $key);
$params["openid.$paramKey"] = urlencode($_GET["openid_$key"]);
}
if($this->openid_version != "2.0"){
$params['openid.assoc_handle'] = urlencode($_GET['openid_assoc_handle']);
$params['openid.signed'] = urlencode($_GET['openid_signed']);
}
$params['openid.sig'] = urlencode($_GET['openid_sig']);
$params['openid.mode'] = "check_authentication";

$openid_server = $this->GetOpenIDServer();
if ($openid_server == false){
return false;
}
$response = $this->CURL_Request($openid_server,’POST’,$params);
$data = $this->splitResponse($response);

if ($data['is_valid'] == "true") {
return true;
}else{
return false;
}
}
[/php]

If you try the code now, you should have a successful validation. Excellent!

But … what about that scary warning message we saw on the Yahoo OpenID endpoint?

To get rid of that, you need to create an XRDF file to let Yahoo know who you are. Create a file called “yadis.xrdf” and place it somewhere on your server. The important part of this file is that you tell it where your return_to URL is. The file should look like this.

[xml]
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns:openid="http://openid.net/xmlns/1.0"
xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>http://yourdomain.com:80/path-to/your_return_to.php</URI>
</Service>
</XRD>
</xrds:XRDS>
[/xml]

All you need to do now is send a header from your site that reveals the location of your XRDF file. I’m not certain on this, but it appears that you need to send this header from the index page of your OpenID login area. For example, if your login form is at http://example.com/openid/login.php, the header should be sent from http://example.com/openid/index.php in order for Yahoo to find it. Add the following code to the top of your index page. This header must be sent from the root of the URL you specified as your “trust root”. There cannot be any output before this header or it won’t work. It must be the very first thing, probably just after the opening PHP tag.

[php]
header(‘X-XRDS-Location:http://yourdomain.com/path-to/yadis.xrdf’);
[/php]

What’s next?

There’s plenty more to do for the 2.0 specs. For example, while an OpenID could take the form of “http://example.com/user“, it could also look like “xri://=john.smith” or something equally strange. XRI support is something else that has been added to the 2.0 specs. All we need to do is add some logic to handle these types of identities. Since this kind of logic already exists in the SetIdentity method, let’s add it there.

[php]
function SetIdentity($a){ // Set Identity URL

$xriIdentifiers = array(‘=’, ‘$’, ‘!’, ‘@’, ‘+’);
$xriProxy = ‘http://xri.net/’;

// Is this an XRI string?
// Check for "xri://" prefix or XRI Global Constant Symbols
if (stripos($a, ‘xri://’) || in_array($a[0], $xriIdentifiers)){
// Attempts to convert an XRI into a URI by removing the "xri://" prefix and
// appending the remainder to the URI of an XRI proxy such as "http://xri.net"
if (stripos($a, ‘xri://’) == 0) {
if (stripos($a, ‘xri://$ip*’) == 0) {
$a = substr($a, 10);
} elseif (stripos($a, ‘xri://$dns*’) == 0) {
$a = substr($a, 11);
} else {
$a = substr($a, 6);
}
}
$a = $xriProxy.$a;
}

if ((stripos($a, ‘http://’) === false)
&& (stripos($a, ‘https://’) === false)){
$a = ‘http://’.$a;
}

$this->openid_url_identity = $a;
}
[/php]

Also, during Yadis discovery, we may discover more than one provider redirect URL. The reason for this, as far as I can tell, is for load balancing or providing alternatives in case the first one we try returns an error. We’ll need to modify the code to check each endpoint’s priority level, and be prepared to retry several times in case one or more endpoints return an error response. However, that’s something for another tutorial.

Simple OpenID also seems to have a problem with WordPress.com identities. It’s easy enough to solve, and you can find my solution here.

Download the version of Simple OpenID that I’m now using.