Quick start

The following example includes code for creating a user account using Zend_OpenId_Provider::register. The link element with rel="openid.server" points to our own server script. If you submit this identity to an OpenID-enabled site, it will perform authentication on this server.

The code before the <html> tag is just a trick that automatically creates a user account. You won't need such code when using real identities.

Example 650. The Identity


<?php
require_once 'Zend/OpenId.php';
require_once 'Zend/OpenId/Provider.php';

// Set up test identity
define("TEST_SERVER", Zend_OpenId::absoluteURL("example-8.php"));
define("TEST_ID", Zend_OpenId::selfURL());
define("TEST_PASSWORD", "123");
$server = new Zend_OpenId_Provider();
// Register the identity with the test password the first time this page is hit
if (!$server->hasUser(TEST_ID)) {
    $server->register(TEST_ID, TEST_PASSWORD);
}
?>
<html><head>
<link rel="openid.server" href="<?php echo TEST_SERVER;?>" />
</head><body>
<?php echo TEST_ID;?>
</body></html>

The following identity server script handles two kinds of requests from OpenID-enabled sites (for association and authentication). Both of them are handled by the same method: Zend_OpenId_Provider::handle. The two arguments to the Zend_OpenId_Provider constructor are URLs of login and trust pages, which ask for input from the end user.

On success, the method Zend_OpenId_Provider::handle returns a string that should be passed back to the OpenID-enabled site. On failure, it returns FALSE. This example will return an HTTP 403 response if Zend_OpenId_Provider::handle fails. You will get this response if you open this script with a web browser, because it sends a non-OpenID conforming request.

Example 651. Simple Identity Provider

<?php
require_once 'Zend/OpenId/Provider.php';

// Login and trust pages are relative URLs resolved against this script
$server = new Zend_OpenId_Provider("example-8-login.php",
                                   "example-8-trust.php");
// handle() processes association and authentication requests from $_GET/$_POST
$ret = $server->handle();
if (is_string($ret)) {
    // Direct response (e.g. an association) that goes back to the consumer
    echo $ret;
} else if ($ret !== true) {
    // Not a valid OpenID request
    header('HTTP/1.0 403 Forbidden');
    echo 'Forbidden';
}

Note

It is a good idea to use a secure connection (HTTPS) for these scripts, especially for the following interactive scripts, to prevent password disclosure.

The following script implements a login screen for an identity server using Zend_OpenId_Provider; the provider redirects to this page when the requested user has not yet logged in. On this page, the user enters their password to log in.

You should use the password "123" that was used in the identity script above.

On submit, the script calls Zend_OpenId_Provider::login with the accepted user's identity and password, then redirects back to the main identity provider's script. On success, Zend_OpenId_Provider::login establishes a session between the user and the identity provider and stores the information about the user, who is now logged in. All following requests from the same user won't require a login procedure, even if they come from another OpenID enabled web site.

Note

Note that this session is between end-user and identity provider only. OpenID enabled sites know nothing about it.

Example 652. Simple Login Screen


<?php
require_once 'Zend/OpenId.php';
require_once 'Zend/OpenId/Provider.php';

$server = new Zend_OpenId_Provider();

if ($_SERVER['REQUEST_METHOD'] == 'POST' &&
    isset($_POST['openid_action']) &&
    $_POST['openid_action'] === 'login' &&
    isset($_POST['openid_identifier']) &&
    isset($_POST['openid_password'])) {
    // Establish the session between the end user and the identity provider
    $server->login($_POST['openid_identifier'],
                   $_POST['openid_password']);
    // Hand the original OpenID request (still in $_GET) back to the provider script
    Zend_OpenId::redirect("example-8.php", $_GET);
}
?>
<html>
<body>
<form method="post">
<fieldset>
<legend>OpenID Login</legend>
<table border=0>
<tr>
<td>Name:</td>
<td>
<input type="text"
       name="openid_identifier"
       value="<?php echo isset($_GET['openid_identity'])
                         ? htmlspecialchars($_GET['openid_identity']) : '';?>">
</td>
</tr>
<tr>
<td>Password:</td>
<td>
<input type="password"
       name="openid_password"
       value="">
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>
<input type="submit"
       name="openid_action"
       value="login">
</td>
</tr>
</table>
</fieldset>
</form>
</body>
</html>
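The login screen above redirects back to the provider script whether or not Zend_OpenId_Provider::login succeeded. The following variant, added here as an example and not part of the Zend Framework manual, checks the return value and re-renders the form with an error on failure; the file name example-8.php follows the manual's examples and is an assumption.

```php
<?php
// Added example (not from the Zend Framework manual): login screen that
// only redirects once Zend_OpenId_Provider::login() reports success.
require_once 'Zend/OpenId.php';
require_once 'Zend/OpenId/Provider.php';

$server = new Zend_OpenId_Provider();
$error  = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
    isset($_POST['openid_action'], $_POST['openid_identifier'],
          $_POST['openid_password']) &&
    $_POST['openid_action'] === 'login') {

    // login() returns TRUE only if the identity is registered and the
    // password matches; it then starts the user/provider session.
    if ($server->login($_POST['openid_identifier'],
                       $_POST['openid_password'])) {
        // Hand the original OpenID request ($_GET) back to the provider
        // script (example-8.php is the assumed provider file name).
        Zend_OpenId::redirect("example-8.php", $_GET);
        exit;
    }
    // Same message for unknown identity and wrong password.
    $error = 'Login failed.';
}

// Pre-fill the identity the OpenID-enabled site asked about, if present.
$identity = isset($_GET['openid_identity']) ? $_GET['openid_identity'] : '';
?>
<html>
<body>
<?php if ($error !== ''): ?>
<p><?php echo htmlspecialchars($error); ?></p>
<?php endif; ?>
<form method="post">
<fieldset>
<legend>OpenID Login</legend>
<p>Name:
<input type="text" name="openid_identifier"
       value="<?php echo htmlspecialchars($identity); ?>"></p>
<p>Password:
<input type="password" name="openid_password" value=""></p>
<input type="hidden" name="openid_action" value="login">
<input type="submit" value="Login">
</fieldset>
</form>
</body>
</html>
```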

The fact that the user is now logged in doesn't mean that the authentication must necessarily succeed. The user may decide not to trust particular OpenID enabled sites. The following trust screen allows the end user to make that choice. This choice may either be made only for current requests or forever. In the second case, information about trusted/untrusted sites is stored in an internal database, and all following authentication requests from this site will be handled automatically without user interaction.

Example 653. Simple Trust Screen


<?php
require_once 'Zend/OpenId.php';
require_once 'Zend/OpenId/Provider.php';

$server = new Zend_OpenId_Provider();

if ($_SERVER['REQUEST_METHOD'] == 'POST' &&
    isset($_POST['openid_action']) &&
    $_POST['openid_action'] === 'trust') {

    if (isset($_POST['allow'])) {
        if (isset($_POST['forever'])) {
            // Remember the decision so later requests from this site need no prompt
            $server->allowSite($server->getSiteRoot($_GET));
        }
        // Send the positive assertion for the pending request back to the consumer
        $server->respondToConsumer($_GET);
    } else if (isset($_POST['deny'])) {
        if (isset($_POST['forever'])) {
            $server->denySite($server->getSiteRoot($_GET));
        }
        // Tell the consumer the user cancelled the authentication
        Zend_OpenId::redirect($_GET['openid_return_to'],
                              array('openid.mode'=>'cancel'));
    }
}
?>
<html>
<body>
<p>A site identifying as
<a href="<?php echo htmlspecialchars($server->getSiteRoot($_GET));?>">
<?php echo htmlspecialchars($server->getSiteRoot($_GET));?>
</a>
has asked us for confirmation that
<a href="<?php echo htmlspecialchars($server->getLoggedInUser());?>">
<?php echo htmlspecialchars($server->getLoggedInUser());?>
</a>
is your identity URL.
</p>
<form method="post">
<input type="checkbox" id="forever" name="forever">
<label for="forever">forever</label><br>
<input type="hidden" name="openid_action" value="trust">
<input type="submit" name="allow" value="Allow">
<input type="submit" name="deny" value="Deny">
</form>
</body>
</html>

Production OpenID servers usually support the Simple Registration Extension that allows consumers to request some information about the user from the provider. In this case, the trust page can be extended to allow entering requested fields or selecting a specific user profile.
