From a web site developer's point of view, the OpenID authentication process consists of three steps:
1. Show the OpenID authentication form
2. Accept the OpenID identity and pass it to the OpenID provider
3. Verify the response from the OpenID provider
The OpenID authentication protocol actually requires more
steps, but many of them are encapsulated inside
Zend_OpenId_Consumer and are therefore transparent to the
developer.
The end user initiates the OpenID authentication process by submitting his or her identification credentials with the appropriate form. The following example shows a simple form that accepts an OpenID identifier. Note that the example only demonstrates a login.
Example 622. The Simple OpenID Login form
<html><body>
<form method="post" action="example-1_2.php"><fieldset>
<legend>OpenID Login</legend>
<input type="text" name="openid_identifier">
<input type="submit" name="openid_action" value="login">
</fieldset></form></body></html>
This form passes the OpenID identity on submission to the following
PHP script that performs the second step of authentication. The
PHP script need only call the
Zend_OpenId_Consumer::login() method in this step. The first
argument of this method is an accepted OpenID identity, and the second is the
URL of a script that handles the third and last step of
authentication.
Example 623. The Authentication Request Handler
<?php
require_once 'Zend/OpenId/Consumer.php';

$consumer = new Zend_OpenId_Consumer();
// login() redirects the browser to the provider on success and returns
// (FALSE) only when the request could not be started.
if (!$consumer->login($_POST['openid_identifier'], 'example-1_3.php')) {
    die("OpenID login failed.");
}
The Zend_OpenId_Consumer::login() method performs discovery on
a given identifier, and, if successful, obtains the address of the identity
provider and its local identifier. It then creates an association to the
given provider so that both the site and provider share a secret
that is used to sign the subsequent messages. Finally, it passes an
authentication request to the provider. This request redirects the
end user's web browser to an OpenID server site, where the user can
continue the authentication process.
An OpenID provider usually asks users for their password (if they weren't previously logged in), whether the user trusts this site, and what information may be returned to the site. These interactions are not visible to the OpenID consumer, so it cannot obtain the user's password or any other information that the user has not directed the OpenID provider to share with it.
On success, Zend_OpenId_Consumer::login() does not
return, instead performing an HTTP redirection. However, if there is
an error it may return FALSE. Errors may occur due to an invalid
identity, unresponsive provider, communication error, etc.
The third step of authentication is initiated by the response from the OpenID provider, after it has authenticated the user's password. This response is passed indirectly, as an HTTP redirection using the end user's web browser. The consumer must now simply check that this response is valid.
Example 624. The Authentication Response Verifier
<?php
require_once 'Zend/OpenId/Consumer.php';

$consumer = new Zend_OpenId_Consumer();
// verify() checks the provider's signature over the redirected request and
// fills $id (passed by reference) with the claimed identity on success.
if ($consumer->verify($_GET, $id)) {
    echo "VALID " . htmlspecialchars($id);
} else {
    echo "INVALID " . htmlspecialchars($id);
}
This check is performed using the Zend_OpenId_Consumer::verify()
method, which takes an array of
the HTTP request's arguments and checks that this response is
properly signed by the OpenID provider. Through its second, optional
argument it may assign the claimed OpenID identity that was entered by
the end user in the first step.
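The three steps above combined in a single script, as an added example that is not code from the Zend Framework manual. It assumes Zend Framework 1 is on the include_path, that the script is reachable at the hypothetical URL in $selfUrl (which is also passed to login() as the return address), and uses Zend_Session_Namespace to hold the verified identity. It also shows the two checks a consumer should make that the separate snippets leave implicit: treat only the identity that verify() returns as the authenticated principal, never the raw value the user typed in step 1, and rotate the session id once the response has verified.

```php
<?php
// Added example (not from the Zend Framework manual): steps 1-3 in one
// script. Assumes ZF1 on the include_path; $selfUrl is hypothetical.
require_once 'Zend/OpenId/Consumer.php';
require_once 'Zend/Session/Namespace.php';

$selfUrl  = 'http://example.com/openid-login.php';   // hypothetical return URL
$session  = new Zend_Session_Namespace('openid_login');
$consumer = new Zend_OpenId_Consumer();
$message  = '';

if (isset($_POST['openid_action']) && $_POST['openid_action'] === 'login') {
    // Step 2: take the identifier the user typed and start the request.
    $identifier = isset($_POST['openid_identifier'])
                ? trim($_POST['openid_identifier']) : '';
    if ($identifier === '') {
        $message = 'Please enter an OpenID identifier.';
    } elseif (!$consumer->login($identifier, $selfUrl)) {
        // login() redirects on success and only returns on failure
        // (discovery, association or provider communication error).
        $message = 'OpenID login failed: ' . $consumer->getError();
    }
} elseif (isset($_GET['openid_mode'])) {
    // Step 3: the provider redirected the browser back here. PHP turns the
    // dots in "openid.mode" etc. into underscores in $_GET; verify() accepts
    // either spelling. $id is filled in by reference with the verified identity.
    if ($consumer->verify($_GET, $id)) {
        // Only the identity that verified is trusted; the POST value from
        // step 2 is not. Rotating the session id prevents a session id issued
        // before login from being reused afterwards (session fixation).
        Zend_Session::regenerateId();
        $session->identity = $id;
        $message = 'Logged in as ' . $id;
    } else {
        $message = 'OpenID response rejected: ' . $consumer->getError();
    }
}

if (isset($session->identity)) {
    // Identity is an attacker-influenced string (a URL); escape on output.
    $who = htmlspecialchars($session->identity, ENT_QUOTES, 'UTF-8');
    echo "<p>Signed in as $who</p>";
    exit;
}
?>
<html><body>
<?php if ($message !== ''): ?>
<p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form method="post" action="<?php echo htmlspecialchars($selfUrl, ENT_QUOTES, 'UTF-8'); ?>">
<fieldset>
<legend>OpenID Login</legend>
<input type="text" name="openid_identifier">
<input type="submit" name="openid_action" value="login">
</fieldset>
</form>
</body></html>
```

Because the same script is both the form and the return URL, the branch is chosen by the request shape: a POST with openid_action is step 2, a GET carrying openid_mode is the provider's response, and anything else renders the form. The identity stored in the session is the one verify() returned, which is what later pages should use for authorization decisions.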