Creating an OpenID Provider in PHP - php

I have an existing website that I want to turn into an OpenID provider. All my user accounts are stored in a mysql table.
I figured that since an OpenID is represented as a URL, I am going to do something like: http://login.mydomain.com/username
I've set up a subdomain and created an .htaccess that redirects all URLs to /login.php?username=[username]
The way I see it (and tell me if I'm wrong): someone goes to, let's say, StackOverflow and enters http://login.mydomain.com/myUsername. They get to a page on my server that asks for their password (since I already know their username), I check that it matches, and return the key?
People online recommended using Zend_OpenId_Provider. I've been reading its documentation (http://framework.zend.com/manual/en/zend.openid.provider.html), but I find it very confusing. There is no real-world example where the user login/password are stored in a database.
I've also seen php-open-id (http://github.com/openid/php-openid), but no help there either.
It seems to be a pretty common thing to do. Is there a tutorial out there or an example I can easily adapt?

As you tagged this question with zend-framework I think you want to implement this with ZF.
Look at the constructor of Zend_OpenId_Provider:
    public function __construct($loginUrl = null,
                                $trustUrl = null,
                                Zend_OpenId_Provider_User $user = null,
                                Zend_OpenId_Provider_Storage $storage = null,
                                $sessionTtl = 3600)
The important one is the $storage parameter.
In the example on http://framework.zend.com/manual/en/zend.openid.provider.html they do not pass any parameters. That means the Zend_OpenId_Provider_Storage_File storage is used by default, and that one in turn stores its data by default in files in your TEMP directory (/tmp on Linux).
Basically the example should be fully functional. You could register some more users by calling $server->register($someid, $somepassword);
But as it stores accounts in the temporary directory by default, you should replace that line with something like this (if it is okay to store accounts in files):
    $dir = "/var/lib/myopenidusers";
    // Create the directory once; 0700 keeps the account and association files readable by the web server user only
    if (!is_dir($dir)) { mkdir($dir, 0700, true); }
    // The abstract Zend_OpenId_Provider_Storage cannot be instantiated; the file-backed implementation is Zend_OpenId_Provider_Storage_File
    $server = new Zend_OpenId_Provider(null, null, null, new Zend_OpenId_Provider_Storage_File($dir));
Now, if you prefer to store your users in a database, you have to implement your own Provider_Storage.
Have a look at the abstract class Zend_OpenId_Provider_Storage. These are the methods you have to implement.
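As an added example (not code from the answer or from Zend Framework), here is a database-backed implementation of that abstract class using PDO, so that the accounts the question already has in MySQL can be reused by Zend_OpenId_Provider. It assumes three tables, users(id, password_hash), associations(handle, mac_func, secret, expires) and trusted_sites(id, site, trusted), and PHP >= 5.5 for password_hash().

```php
<?php
// Added example, not from the answer or from Zend Framework: a PDO-backed storage
// for Zend_OpenId_Provider. Needs PHP >= 5.5 for password_hash()/password_verify().
require_once 'Zend/OpenId/Provider/Storage.php';
class My_OpenId_Storage_Db extends Zend_OpenId_Provider_Storage
{
    private $db;
    public function __construct(PDO $db) { $this->db = $db; }
    // Every query is a prepared statement, so ids, handles and site URLs never reach the SQL text.
    private function run($sql, array $p) { $s = $this->db->prepare($sql); $s->execute($p); return $s; }
    // Associations: the MAC secret is kept verbatim (signatures are checked with the same
    // bytes); an expired handle is reported as absent so a stale secret is never reused.
    public function addAssociation($handle, $macFunc, $secret, $expires) {
        $this->run('REPLACE INTO associations (handle, mac_func, secret, expires) VALUES (?,?,?,?)',
                   array($handle, $macFunc, $secret, (int) $expires));
        return true;
    }
    public function getAssociation($handle, &$macFunc, &$secret, &$expires) {
        $r = $this->run('SELECT mac_func, secret, expires FROM associations WHERE handle = ? AND expires > ?',
                        array($handle, time()))->fetch(PDO::FETCH_ASSOC);
        if (!$r) { return false; }
        $macFunc = $r['mac_func']; $secret = $r['secret']; $expires = (int) $r['expires'];
        return true;
    }
    public function delAssociation($handle) { $this->run('DELETE FROM associations WHERE handle = ?', array($handle)); return true; }
    // Users: Zend_OpenId_Provider hands over an MD5 digest derived from the password, not the raw
    // password; that digest is still a password equivalent, so only a salted, slow hash of it is stored.
    public function addUser($id, $password) {
        if ($this->hasUser($id)) { return false; }
        $this->run('INSERT INTO users (id, password_hash) VALUES (?,?)', array($id, password_hash($password, PASSWORD_DEFAULT)));
        return true;
    }
    public function hasUser($id) { return (bool) $this->run('SELECT 1 FROM users WHERE id = ?', array($id))->fetchColumn(); }
    public function checkUser($id, $password) {
        $hash = $this->run('SELECT password_hash FROM users WHERE id = ?', array($id))->fetchColumn();
        return $hash !== false && password_verify($password, $hash);
    }
    public function delUser($id) {
        $this->run('DELETE FROM users WHERE id = ?', array($id));
        $this->run('DELETE FROM trusted_sites WHERE id = ?', array($id)); return true;
    }
    // Trusted sites: $trusted is true/false or an array of attributes the user approved; null = forget.
    public function getTrustedSites($id) {
        $sites = array();
        foreach ($this->run('SELECT site, trusted FROM trusted_sites WHERE id = ?', array($id)) as $r) {
            $sites[$r['site']] = json_decode($r['trusted'], true);
        }
        return $sites;
    }
    public function addSite($id, $site, $trusted) {
        if ($trusted === null) { $this->run('DELETE FROM trusted_sites WHERE id = ? AND site = ?', array($id, $site)); return true; }
        $this->run('REPLACE INTO trusted_sites (id, site, trusted) VALUES (?,?,?)', array($id, $site, json_encode($trusted)));
        return true;
    }
}
```

It is wired in through the fourth constructor argument, e.g. new Zend_OpenId_Provider(null, null, null, new My_OpenId_Storage_Db($pdo)), where $pdo is your existing PDO connection.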

I tried everything listed here (Community ID, SimpleID, JanRain, etc.) along with all those that claim to be providers on the OpenID Wiki / Libraries page, and failed. I then stumbled across Prairie and got it running in about an hour. A little more work changing the queries in index.php and login.php and I had it working against my user table.

You can try phpMyId. See the demo at http://phpmyid.com/. Every detail about phpMyId can be found at http://siege.org/phpmyid.php.

You can try JanRain Engage (http://www.janrain.com/products/engage). It is a simplified interface for OpenID integration with web applications. The free version should be good enough for all practical purposes.

We use: http://source.keyboard-monkeys.org/projects/show/communityid
From their website:
"Community-ID is an OpenID implementation in PHP which is OpenID 2.0 compliant. Community-ID is built 100% on Open Source software and is released under the BSD license. Users can keep track of their trusted sites and manage them. The login to C-ID can be username/password or a One Time Password with Yubikey. A user can have multiple profiles, for example with private or business contact information.
For Community-ID administrators statistics are available to track registration of new users, authorized users per day or the number of trusted sites. Administrators can set the site in maintenance mode or send emails to all registered users.
For user data and authentication, the admin can choose the default DB storage, or connect to an LDAP server. Currently confirmed as supported is OpenLDAP. Other LDAP servers should also work fine."

SimpleID is a small OpenID provider that is nice to use and easy to set up. I use it myself and can't complain.

Related

Authorising a custom web app

I've been googling for a couple of days and haven't really come across any answers as to how Facebook, Google Plus or other websites authenticate their applications (maybe it's because it may be a risk, not sure, but I still can't find any answers).
I'm looking to run a website where users can 'install' web applications, like Facebook / Google Plus does.
E.g.: a user visits a Stack Overflow application, it requests permission and gets authenticated.
How would I go about doing this?
I.e. how to cross-check whether the application is authenticated for the user and the application ID matches the actual application being used, to prevent rogue applications using the same ID which is known to be authenticated.
The only way I can think of is checking whether the user has allowed the application or not.
Pseudo (as a prepared statement, so the ids never reach the SQL text):
    $stmt = $db->prepare('SELECT 1 FROM authorised_applications WHERE user_id = ? AND app_id = ?');
    $stmt->execute(array($userId, $appId));   // e.g. '123' and '234'
If they have, allow the application to access some data (i.e. user name etc.).
    if ($stmt->fetchColumn() !== false) { /* allow */ }
However, what if a rogue application uses the same application ID (which, we presume, is authenticated) and thus can access the data?
I may be over thinking things and confusing myself but I can't really think of how to do this.
To authenticate with those services, they use OAuth. I suggest reading this great article:
http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-ii-protocol-workflow/
From what I understand you are looking to set up something similar to that for your web application. I have not used OAuth in conjunction with PHP but I am positive that there are lots of resources out there for using it.
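As an added example (not from the answer or the linked article), here is the core of what OAuth-style application authentication adds on top of the authorised_applications lookup from the question: a secret issued to each application at registration, used to sign every request, so that a second application that merely knows the application ID cannot pass as it. The registry, the grant rows, the request fields and the app id 234 / user id 123 are constructed for this example; it needs PHP 7 for random_bytes().

```php
<?php
// Added example, not from the answer or the linked article. The app registry, the grant table
// and the requests are constructed in memory; a real site keeps them in the database.
$appRegistry = array('234' => 'secret-issued-to-app-234-at-registration');   // constructed
$grants = array(array('user_id' => '123', 'app_id' => '234'));              // the question's table
$seenNonces = array();                                                       // replay cache

function canonical(array $p) {
    ksort($p);                                    // both sides must sign the same byte string
    return http_build_query($p, '', '&', PHP_QUERY_RFC3986);
}
// What the legitimate application does with the secret it received at registration.
function signRequest(array $params, $secret) {
    $params['signature'] = hash_hmac('sha256', canonical($params), $secret);
    return $params;
}
// What the site does on every API call. Returns true, or the reason for refusal.
function authoriseRequest(array $req, array $registry, array $grants, array &$nonces) {
    foreach (array('app_id', 'user_id', 'timestamp', 'nonce', 'signature') as $k) {
        if (!isset($req[$k])) { return "missing $k"; }
    }
    if (!isset($registry[$req['app_id']])) { return 'unknown app'; }
    $unsigned = $req;
    unset($unsigned['signature']);
    $expected = hash_hmac('sha256', canonical($unsigned), $registry[$req['app_id']]);
    // Only the holder of the secret can produce this; the app id alone proves nothing.
    if (!hash_equals($expected, (string) $req['signature'])) { return 'bad signature'; }
    if (abs(time() - (int) $req['timestamp']) > 300) { return 'stale request'; }
    if (isset($nonces[$req['nonce']])) { return 'replayed request'; }
    $nonces[$req['nonce']] = true;
    foreach ($grants as $g) {                    // the question's lookup, run only after identity is proven
        if ($g['user_id'] === $req['user_id'] && $g['app_id'] === $req['app_id']) { return true; }
    }
    return 'user has not authorised this app';
}

$base = array('app_id' => '234', 'user_id' => '123', 'timestamp' => time(), 'nonce' => bin2hex(random_bytes(8)));
$legit = signRequest($base, $appRegistry['234']);
$rogue = signRequest($base, 'wrong-secret');     // same app id and user, but no access to the real secret
var_dump(authoriseRequest($legit, $appRegistry, $grants, $seenNonces));   // first delivery of the signed request
var_dump(authoriseRequest($legit, $appRegistry, $grants, $seenNonces));   // the same request captured and resent
var_dump(authoriseRequest($rogue, $appRegistry, $grants, $seenNonces));   // the application that only knows the id
```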

Is there an open-source forum that I can integrate my current members database with?

So what I'm trying to do is save myself coding a forum... I've got a members table already with their passwords, usernames, etc., and I want a forum system that can be linked with my members table.
So then they don't have to re-signup if they want to use the forum? I've used phpBB before but again, that doesn't allow me to link my members table and the forum members table.
Site uses PHP/MySQL
Thanks :)
Vanilla Forums pioneered the Proxy Connect method for single sign on -
http://vanillaforums.org/docs/singlesignon
I think an SSO bridge is better than syncing/maintaining two separate user tables (one for the main site and one for the forum). If you can map the existing table to the new one you still might run into encryption problems when it comes to encoding or deciphering user passwords.
I've studied forums with SSO and with a separate log in. The perfectionist in me loves the clean bridge that SSO can provide. However, practically speaking, I've found that a forum's popularity hinges on (1) the number of unique visitors per day; (2) the freshness of the content; and (3) the quality of the content. In other words, SSO is way less of a factor than you might expect.
If you run a popular, high quality site, users will sign up even if it means jumping through an extra hoop to register. I know that seems counter intuitive but that's been my experience. My recommendation is to launch your forum without SSO --- and once you confirm that it will succeed and remain popular, then consider merging the user tables using Proxy Connect.
There is a community-contributed code snippet which can be used to authenticate users against an external database: http://www.phpbb.com/community/viewtopic.php?t=1598865 (It is an abandoned thread, so I'm not sure whether it will work.)
You can also write your own authentication plugins using the phpBB API: http://wiki.phpbb.com/Authentication_plugins
I don't think you'll be able to simply "plug" your current, bespoke user table into some existing forum.
Perhaps I'm misunderstanding the question, but it sounds like you're going to need to write some sort of script that transfers the information out of your database and into a new database in the format that the forum software understands.

Tips for reliable OpenID with your own domain

I'm trying to build a personal OpenID-based online identity using my domain name as identifier. I want to be able to accomplish all this:
Make http://alvaro.es/ my identifier.
Be able to switch providers transparently.
Log into any third-party site that accepts OpenID.
Be able to provide personal details (e-mail, time zone, avatar...) and get prompted whether to send them or not to sites that request them.
Accept OpenID in my own (PHP-powered) sites without the need of purchasing SSL hosting.
I've read the usual docs and I've been evaluating several OpenID providers (Google, Yahoo, myOpenID... and even running my own server). The fact is that I've been using OpenID for a while and:
Providers offer very scarce documentation or none at all.
No matter what provider I choose, there are always sites where log-in fails (typically without an error message).
I have little control (or none at all) on the identifier returned by the provider.
I still can't understand how all this really works.
I'm looking for general advice but I understand that can be subjective so I'll make a few specific questions.
So far, I'm trying out myOpenId as provider and LightOpenID as consumer. My questions are:
My URL provides an HTTP header:
X-XRDS-Location: http://kalvaro.myopenid.com/?xrds=1
... and the following HTML tags:
<link rel="openid.server openid2.provider" href="http://www.myopenid.com/server">
<link rel="openid.delegate openid2.local_id" href="http://kalvaro.myopenid.com">
Is it correct? Is it enough?
myOpenID provides Your Domains, a feature to register your own domain name but I haven't dared to test it (it needs changes to the DNS) and the configuration form suggests I have to choose between http://openid.alvaro.es/username and http://username.alvaro.es/ as identifier (not http://alvaro.es/). However, Stackoverflow still reports alvaro.es as my identifier without this feature. Do I need to use it?
When implementing LightOpenID, I match the local user against $openid->identity (where $openid is the instance of the LightOpenID object). This attribute appears to be the URL supplied by the user. Is it correct?
Are there more adequate providers or consumer libraries than the ones I chose?
It is correct. It is more than enough. While providing an X-XRDS-Location is a good thing, as it speeds up the discovery process, it isn't strictly necessary.
As far as I understand it, "Your Domains" is useful when you want to have multiple accounts in your domain. Anyway, you don't need to use it at all.
It is correct. The url is also called a Claimed Identifier, i.e. what the user claims to be.
As the author of LightOpenID, my answer is obvious and possibly biased -- I've created it, because I couldn't find a good, existing library.
Other things you might want to know:
Delegation won't work with Google, and any other provider who uses select_identifier (i.e. each account has the same url, and then the provider asks you for your login).
Your delegation, as shown in 1., will let you switch providers transparently and log in to any site that supports OpenID, just as you want.
As for the personal details, it depends completely on the provider, whether it sends them or not, what kind of personal information it supports, etc. For example, Google doesn't let you choose what to send, only whether to send something (and everything the website claims to require) at all.
Some implementations are buggy and indeed fail. Try logging in for a second time, it works sometimes.
The identifier returned by your provider shouldn't matter if you use delegation. The website you're logging into should use your claimed identifier.
As for how the openid works, see some answers to that question on SO.
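As an added example (not code from the answer or from LightOpenID), here is the consumer side of the two <link> tags from the question: discovery of the provider and delegated identifier from the HTML, and the OpenID 2.0 check (section 11.2 of the spec) that a returned assertion's op_endpoint and identity match what discovery on the claimed identifier found, which is why the site should key the account on the claimed identifier. The HTML is the question's; the two assertion arrays and the hostname op.example are constructed.

```php
<?php
// Added example, not from the answer or from LightOpenID: the consumer side of the two <link>
// tags above. discoverHtml() extracts the OP endpoint and the delegated local identifier;
// verifyAssertion() applies the OpenID 2.0 rule (section 11.2 of the spec) that the asserted
// op_endpoint and identity must equal what discovery on the claimed identifier found.
// The HTML is the question's; the two assertion arrays are constructed.
function discoverHtml($claimedId, $html) {
    $doc = new DOMDocument();
    @$doc->loadHTML($html);                                     // identifier pages are rarely valid XML
    $info = array('provider' => null, 'local_id' => $claimedId); // without delegation, local id = claimed id
    foreach ($doc->getElementsByTagName('link') as $link) {
        // rel is a whitespace-separated token list ("openid.server openid2.provider"), not one string
        $rels = preg_split('/\s+/', strtolower(trim($link->getAttribute('rel'))));
        if (in_array('openid2.provider', $rels, true)) { $info['provider'] = $link->getAttribute('href'); }
        if (in_array('openid2.local_id', $rels, true)) { $info['local_id'] = $link->getAttribute('href'); }
    }
    return $info['provider'] === null ? null : $info;          // null: not an OpenID 2.0 identifier
}

// $assertion is the positive response the browser brought back (openid.* fields), after its
// signature has already been checked with the OP. Returns the identifier to log in as, or null.
function verifyAssertion($claimedId, array $discovered, array $assertion) {
    foreach (array('openid.mode', 'openid.op_endpoint', 'openid.claimed_id', 'openid.identity') as $k) {
        if (!isset($assertion[$k])) { return null; }
    }
    if ($assertion['openid.mode'] !== 'id_res') { return null; }
    if ($assertion['openid.op_endpoint'] !== $discovered['provider']) { return null; }  // signed by some other OP
    if ($assertion['openid.identity'] !== $discovered['local_id']) { return null; }     // not the delegated id
    $asserted = preg_replace('/#.*$/', '', $assertion['openid.claimed_id']);            // OP may append a fragment
    if ($asserted !== $claimedId) { return null; }
    return $claimedId;   // key the local account on this, not on openid.identity
}

$claimed = 'http://alvaro.es/';
$html = '<html><head>'
      . '<link rel="openid.server openid2.provider" href="http://www.myopenid.com/server">'
      . '<link rel="openid.delegate openid2.local_id" href="http://kalvaro.myopenid.com">'
      . '</head></html>';
$discovered = discoverHtml($claimed, $html);
// Constructed: what myOpenID would assert for this delegation.
$genuine = array('openid.mode' => 'id_res', 'openid.op_endpoint' => 'http://www.myopenid.com/server',
                 'openid.claimed_id' => 'http://alvaro.es/', 'openid.identity' => 'http://kalvaro.myopenid.com');
// Constructed: a different OP asserting the same claimed identifier; it fails the op_endpoint comparison.
$other = array('openid.mode' => 'id_res', 'openid.op_endpoint' => 'http://op.example/server',
               'openid.claimed_id' => 'http://alvaro.es/', 'openid.identity' => 'http://alvaro.es/');
var_dump(verifyAssertion($claimed, $discovered, $genuine), verifyAssertion($claimed, $discovered, $other));
```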

Sign on several sites

I have 2 sites (example.com, ex2.com). Physically it is one site with one DB. When a user signs in to ex2.com, he should be signed in to example.com too. How do I do this?
P.S. Can do this with ZF?
I found a very interesting article on this topic. The author gives some ideas on how to implement multi-domain authentication.
http://codeutopia.net/blog/2008/09/25/sharing-authentication-over-multiple-sites-single-sign-on/
Have you looked into OpenID? You could lock OpenID consumer "ex2" to allow logins only from your "example.com" OpenID provider.
I am also digging the subject. Some time ago, I already did my own implementation and got it terribly wrong.
At the moment I am wondering whether to setup an own OpenID provider and locking consumer sites to accept only it. Another alternative would be yet another own implementation with a CAS style setup, where only a hash is passed via the browser, and the user verification is done server-to-server in the background using the hash as a disposable key.
I am not yet sure which one to pick or would some third alternative be better.
You could take a look into something like http://cosign.sourceforge.net/. Cosign enables you to create a single point of login for multiple sites. It's not specific to Zend but should work.

Login Integration in PHP

On my host, I currently have 2 WordPress applications, 1 phpBB forum and one MediaWiki installed.
Is there a way to merge the login so that all applications share the same credentials?
For instance, I want to register only in my phpBB and then I want to access all other applications with the given username and password.
Even if you don't know a unified way, what other login integration do you know of? Pros and cons of each?
When you integrate the systems, just remember 2 things:
Login to the system: check the username/password with both systems.
Change of password: update the password on both systems.
I don't know how to share the session cookies, but you can easily share the same login.
i.e. People will need to log separately into both sites, but will be able to use the same username and password.
In the MediaWiki file "LocalSettings.php", you can tell it to use a different (WordPress) database for authentication:
e.g.
require_once('includes/AuthPlugin.php');
require_once('extensions/AuthPress.php');
$wgAuth = new AuthPress();
$wgAuth->setAuthPressTablePrefix('evo_');
# Only include the following if you aren't using the same db as MediaWiki
$wgAuth->setAuthPressDBServer ('localhost');
$wgAuth->setAuthPressDBName('yourWordPressDB');
$wgAuth->setAuthPressUser('mySQL user for same');
$wgAuth->setAuthPressPassword('The password');
See http://bbpress.org/forums/topic/mediawiki-bbpress-and-wordpress-integration
One option is OpenID, which you can integrate into phpBB, WordPress, and MediaWiki.
A second option is to set up an LDAP server, which you can also integrate into phpBB, WordPress, and MediaWiki.
If the sites are all on the same root domain, a third option is to modify the registration, login, and logout code so that these actions are replicated on every site at the same time. This gets messy, but it may be the easiest short-term solution if you're in a hurry. Once you track down the account code in each site, it's just a matter of copying and pasting and changing a few cookie parameters.
If you're integrating a bunch of different apps, and you really just want a bridge, I've had good success with the bridge from Single-Signon.com. You can see their supported apps here:
http://www.single-signon.com/en/applications.html
I've also used a MediaWiki extension for phpBB integration:
http://www.mediawiki.org/wiki/Extension:PHPBB/Users_Integration
I once did a phpBB/MediaWiki login integration from the phpBB end.
Check it out.
Having tried to do this some years ago I remember it not being very easy.
The way I did it was to create a totally new table for user/pass and then replace these columns in the respective software with foreign keys to your new table - this required a lot of custom tweaking of core files in each application, mainly making sure all SQL requests for this data have the extra join needed for your new table. If I find the time I will maybe try and provide a step-by-step of the changes needed.
There are some pretty big drawbacks to this approach though, the main one being that from now on you're going to have to hand-update any patches.
If you have no content or users yet look at http://bbpress.org/documentation/integration-with-wordpress/ which will make things a lot simpler for you.
I can't quite remember, but I believe that a big problem I had was that MediaWiki requires usernames formatted a certain way, which conflicted with phpBB.
Of course, a totally different approach would be to mod each piece of software to use OpenID - I believe plugins/extensions are readily available for all the applications you mentioned.
I personally think that integrating login systems is one of, if not the, hardest jobs when utilizing multiple prebuilt applications. As a fan of reuse and modularity, I find this disappointing. If anyone knows of any easy ways to handle this problem between random app X and random app Y, I would love to know.
You can write a custom login hook for mediaWiki. I've done it for LibraryThing so that login credentials from our main site are carried over to our mediaWiki installation. The authentication hook extends mediaWiki's AuthPlugin.
There are several small issues:
mediaWiki usernames must start with initial caps (so if you allow case sensitive user names it could be a problem if two users have colliding wiki names)
underscores in usernames are converted to spaces in mediaWiki
But if you can deal with those then it is certainly possible to use your own user/password data with mediaWiki.
Advantages:
The user doesn't have to log in to each area separately. Once they log in to the main site they are logged into the wiki also.
You know that usernames are the same across the systems and can leverage that in links, etc.
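As an added example (not LibraryThing's code or code from the answer), here is the shape of such an AuthPlugin for MediaWiki versions before 1.27, where AuthPlugin still exists: it authenticates against the main site's user table and handles the two username rules just described, refusing logins for names that become ambiguous after the wiki's normalisation. The users(username, password_hash) table with password_hash() values, the PDO connection in $wgMainSiteDb and the class name MainSiteAuth are assumptions.

```php
<?php
// Added example, not LibraryThing's code or from the answer: a minimal MediaWiki AuthPlugin
// (MediaWiki before 1.27, where AuthPlugin still exists) that authenticates against the main
// site's users table and applies the two username rules above. The table users(username,
// password_hash) with password_hash() values and the PDO connection are assumptions.
require_once('includes/AuthPlugin.php');

class MainSiteAuth extends AuthPlugin
{
    private $db;
    public function __construct(PDO $db) { $this->db = $db; }

    // The wiki capitalises the first letter and turns underscores into spaces; this is the
    // name MediaWiki will hand to userExists()/authenticate().
    public function getCanonicalName($username) {
        $name = ucfirst(str_replace('_', ' ', trim($username)));
        return $name === '' ? false : $name;
    }
    // Main-site rows that map onto one wiki name. With case-sensitive main-site names,
    // "bob_smith" and "Bob smith" both become "Bob smith": that is the collision noted above.
    private function mainSiteRows($wikiName) {
        $st = $this->db->prepare(
            "SELECT username, password_hash FROM users WHERE LOWER(REPLACE(username, '_', ' ')) = LOWER(?)");
        $st->execute(array($wikiName));
        return $st->fetchAll(PDO::FETCH_ASSOC);
    }
    public function userExists($username) { return count($this->mainSiteRows($username)) === 1; }
    public function authenticate($username, $password) {
        $rows = $this->mainSiteRows($username);
        if (count($rows) !== 1) { return false; }   // unknown, or ambiguous after normalisation: refuse
        return password_verify($password, $rows[0]['password_hash']);
    }
    public function autoCreate() { return true; }            // create the wiki account on first successful login
    public function strict() { return true; }                // never fall back to passwords stored in the wiki
    public function allowPasswordChange() { return false; }  // passwords are managed on the main site
    public function canCreateAccounts() { return false; }    // registration happens on the main site
    public function setPassword($user, $password) { return false; }
}
// Placeholders: point this at the main site's database with a read-only account.
$wgMainSiteDb = new PDO('mysql:host=localhost;dbname=MAIN_SITE_DB', 'DB_USER', 'DB_PASSWORD');
$wgAuth = new MainSiteAuth($wgMainSiteDb);
```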
