Become Zend Certified

Prepare for the ZCE exam using our quizzes (web or iPad/iPhone). More info...

When you're ready get 7.5% off your exam voucher using voucher CJQNOV23 at the Zend Store

OpenID Authentication

From a web site developer's point of view, the OpenID authentication process consists of three steps:

  1. Show OpenID authentication form

  2. Accept OpenID identity and pass it to the OpenID provider

  3. Verify response from the OpenID provider

The OpenID authentication protocol actually requires more steps, but many of them are encapsulated inside Zend_OpenId_Consumer and are therefore transparent to the developer.

The end user initiates the OpenID authentication process by submitting his or her identification credentials with the appropriate form. The following example shows a simple form that accepts an OpenID identifier. Note that the example only demonstrates a login.

Example 640. The Simple OpenID Login form

form method="post" action="example-1_2.php"><fieldset>
legend>OpenID Login</legend>
input type="text" name="openid_identifier">
input type="submit" name="openid_action" value="login">

This form passes the OpenID identity on submission to the following PHP script that performs the second step of authentication. The PHP script need only call the Zend_OpenId_Consumer::login() method in this step. The first argument of this method is an accepted OpenID identity, and the second is the URL of a script that handles the third and last step of authentication.

Example 641. The Authentication Request Handler

= new Zend_OpenId_Consumer();
if (!
$consumer->login($_POST['openid_identifier'], 'example-1_3.php')) {
"OpenID login failed.");

The Zend_OpenId_Consumer::login() method performs discovery on a given identifier, and, if successful, obtains the address of the identity provider and its local identifier. It then creates an association to the given provider so that both the site and provider share a secret that is used to sign the subsequent messages. Finally, it passes an authentication request to the provider. This request redirects the end user's web browser to an OpenID server site, where the user can continue the authentication process.

An OpenID provider usually asks users for their password (if they weren't previously logged-in), whether the user trusts this site and what information may be returned to the site. These interactions are not visible to the OpenID consumer, so it can not obtain the user's password or other information that the user did not has not directed the OpenID provider to share with it.

On success, Zend_OpenId_Consumer::login() does not return, instead performing an HTTP redirection. However, if there is an error it may return FALSE. Errors may occur due to an invalid identity, unresponsive provider, communication error, etc.

The third step of authentication is initiated by the response from the OpenID provider, after it has authenticated the user's password. This response is passed indirectly, as an HTTP redirection using the end user's web browser. The consumer must now simply check that this response is valid.

Example 642. The Authentication Response Verifier

= new Zend_OpenId_Consumer();
if (
$consumer->verify($_GET$id)) {
"VALID " htmlspecialchars($id);
} else {
"INVALID " htmlspecialchars($id);

This check is performed using the Zend_OpenId_Consumer::verify method, which takes an array of the HTTP request's arguments and checks that this response is properly signed by the OpenID provider. It may assign the claimed OpenID identity that was entered by end user in the first step using a second, optional argument.

Zend Framework