I went looking for a simple PHP class to handle Google Federated Login
and found some that claimed to be "simple" but weren't. So, I decided
to write my own.
I know there are lots of generic OpenID libraries out there, but I
didn't feel like lugging around all the extra functionality when all I
needed to do was work with the Google API. So, that's all my class
does! It's dirt simple.
Cool thing but I guess that if you don't use PHP OpenidEnabled it
could be really simple to fake your library?
I look at your code and don't find the signature verification or something else.
Perhaps it's not very important but do you plan to add it?
PS: Good initiative. It's easier to criticize than to build your code.
Yeah, I do plan to add signature verification. Right now the class
only makes it easy to go through the motions of the API with a few
function calls. Once sig verification is there, though, I believe it
will support all the functionality of the Google API. Thanks for the
comment! :D
On Dec 11, 12:26 pm, "David TREBOSC" <david.treb...@macoda.com> wrote:
> Cool thing but I guess that if you don't use PHP OpenidEnabled it
> could be really simple to fake your library?
> I look at your code and don't find the signature verification or something else.
> Perhaps it's not very important but do you plan to add it?
> PS: Good initiative. It's easier to criticize than to build your code.
We appreciate your effort to help other developers at this forum. A few
suggestions:
1. Add the realm parameter to the function that creates the function.
Because Google's OpenID URLs are a function of the realm, we prefer that
developers set it consciously to the root of their site, instead of getting
it implicitly as the value of return_to, which is likely to change.
2. Since adding signature verification takes a bit more work, you could in
meanwhile have a secure version without signatures by making it work in
"dumb mode" where you don't make the association request, but verify the
response simply by playing it back to our endpoint /accounts/o8/ud (via
POST) where the only parameter that changes is that "mode" changes from
"id_res" to "check_authentication". We will then simply tell you if the
signature verifies or not, and because our endpoint is HTTPs, this is a
secure mechanism.
3. When you get the signature code to work, you can re-introduce the code
that makes association requests. That will decrease latency of the entire
flow if the caller is saving the association keys and handles properly.
On Sat, Dec 13, 2008 at 11:57 AM, apeace <ape...@gmail.com> wrote:
> Yeah, I do plan to add signature verification. Right now the class
> only makes it easy to go through the motions of the API with a few
> function calls. Once sig verification is there, though, I believe it
> will support all the functionality of the Google API. Thanks for the
> comment! :D
hi!
please can you tell me how i can get userid, last name first name?
i dont get it. plz help me
or if any1 know plz help me out.
i redirect the page to welcome but it dont get userid .....
thanks in advance.
On Mon, Dec 15, 2008 at 12:48 AM, apeace <ape...@gmail.com> wrote:
> Hey, great feedback! Thanks a bunch. Exams this week....but I'll post
> next week when I do some work on it.
> On Dec 13, 4:14 pm, Breno <breno.demedei...@gmail.com> wrote:
> > Hi Andrew,
> > We appreciate your effort to help other developers at this forum. A few
> > suggestions:
> > 1. Add the realm parameter to the function that creates the function.
> > Because Google's OpenID URLs are a function of the realm, we prefer that
> > developers set it consciously to the root of their site, instead of getting
> > it implicitly as the value of return_to, which is likely to change.
> > 2. Since adding signature verification takes a bit more work, you could in
> > meanwhile have a secure version without signatures by making it work in
> > "dumb mode" where you don't make the association request, but verify the
> > response simply by playing it back to our endpoint /accounts/o8/ud (via
> > POST) where the only parameter that changes is that "mode" changes from
> > "id_res" to "check_authentication". We will then simply tell you if the
> > signature verifies or not, and because our endpoint is HTTPs, this is a
> > secure mechanism.
> > 3. When you get the signature code to work, you can re-introduce the code
> > that makes association requests. That will decrease latency of the entire
> > flow if the caller is saving the association keys and handles properly.
> > Thanks!
> > Breno (Google).
Google doesn't provide the user's last name and first name. They only
provide their OpenID claimed identifier and their email address.
If you visit http://www.andrewpeace.com/php-google-login-class.html#user_email you can see example code of how to fetch the user's identifier and
email address using my library. Just note that you'll probably want to
break it down into two files, like I did in my example.
If you have any more questions, maybe you could start a new thread
here in the group and cc me. If I can, I'd like to restrict this
thread to feedback on my PHP class. But I'd love to help you out
either in another thread or via email. :D
-Andrew Peace
On Dec 14, 3:03 pm, "Saleha A Latif" <salehala...@gmail.com> wrote:
> hi!
> please can you tell me how i can get userid, last name first name?
> i dont get it. plz help me
> or if any1 know plz help me out.
> i redirect the page to welcome but it dont get userid .....
> thanks in advance.
On Mon, Dec 15, 2008 at 1:51 AM, apeace <ape...@gmail.com> wrote:
> Hi Seleha,
> Google doesn't provide the user's last name and first name. They only
> provide their OpenID claimed identifier and their email address.
> If you visit http://www.andrewpeace.com/php-google-login-class.html#user_email
> you can see example code of how to fetch the user's identifier and
> email address using my library. Just note that you'll probably want to
> break it down into two files, like I did in my example.
> If you have any more questions, maybe you could start a new thread
> here in the group and cc me. If I can, I'd like to restrict this
> thread to feedback on my PHP class. But I'd love to help you out
> either in another thread or via email. :D
> -Andrew Peace
> 2. Since adding signature verification takes a bit more work, you could in
> meanwhile have a secure version without signatures by making it work in
> "dumb mode" where you don't make the association request, but verify the
> response simply by playing it back to our endpoint /accounts/o8/ud (via
> POST) where the only parameter that changes is that "mode" changes from
> "id_res" to "check_authentication". We will then simply tell you if the
> signature verifies or not, and because our endpoint is HTTPs, this is a
> secure mechanism.
But ... don't work :-(
Using the parameters of the url, I build this form
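The dumb-mode check from suggestion 2, written out as an added example (not code from any poster or from the class under discussion). The function names and the rp.example sample data are constructed for illustration, and the full endpoint URL assumes /accounts/o8/ud lives on the same host as the discovery URL mentioned in the thread.

```php
<?php
// Added example, not code from this thread. Stateless ("dumb mode") check:
// replay the id_res response with openid.mode set to check_authentication
// and read is_valid from the provider's Key-Value Form reply.

// Assumption: /accounts/o8/ud on the host of the discovery URL quoted in the
// thread. The endpoint is pinned here and never taken from the response.
const OP_ENDPOINT = 'https://www.google.com/accounts/o8/ud';

// PHP rewrites "openid.mode" to "openid_mode" in $_GET, so the dotted names
// have to be recovered from the raw query string.
function parseRawQuery(string $query): array
{
    $params = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $params[urldecode($parts[0])] = urldecode($parts[1] ?? '');
    }
    return $params;
}

// Every openid.* field goes back exactly as received; only openid.mode
// changes. http_build_query() percent-encodes each value, which matters for
// return_to URLs and base64 signatures containing "+", "/", "=" or "&".
function buildCheckAuthBody(array $response): string
{
    if (($response['openid.mode'] ?? '') !== 'id_res') {
        throw new InvalidArgumentException('not a positive assertion');
    }
    $fields = [];
    foreach ($response as $name => $value) {
        if (strncmp((string) $name, 'openid.', 7) === 0) {
            $fields[$name] = $value;
        }
    }
    $fields['openid.mode'] = 'check_authentication';
    return http_build_query($fields, '', '&', PHP_QUERY_RFC1738);
}

// Key-Value Form is "key:value\n". Split on the first colon only, because
// values such as the ns URL contain colons themselves.
function parseKeyValueForm(string $body): array
{
    $out = [];
    foreach (explode("\n", $body) as $line) {
        $pos = strpos($line, ':');
        if ($pos !== false) {
            $out[substr($line, 0, $pos)] = substr($line, $pos + 1);
        }
    }
    return $out;
}

// Fail closed: only the exact string "true" is accepted.
function isValidReply(string $body): bool
{
    $kv = parseKeyValueForm($body);
    return ($kv['is_valid'] ?? '') === 'true';
}

// The trust in this mode rests entirely on TLS to the provider, so peer and
// host name verification stay on. An empty or failed fetch is a failed login.
function checkAuthentication(array $response): bool
{
    $ch = curl_init(OP_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => buildCheckAuthBody($response),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $reply  = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return is_string($reply) && $status === 200 && isValidReply($reply);
}

// Constructed sample input: a return_to query string and two provider
// replies. Nothing below touches the network.
$query = 'openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0'
    . '&openid.mode=id_res'
    . '&openid.return_to=https%3A%2F%2Frp.example%2Freturn.php%3Fa%3D1%26b%3D2'
    . '&openid.assoc_handle=constructed-handle'
    . '&openid.signed=mode%2Creturn_to%2Cassoc_handle'
    . '&openid.sig=AbC%2BdEf%2FGhI%3D'
    . '&unrelated=dropped';

echo buildCheckAuthBody(parseRawQuery($query)), "\n";
var_dump(isValidReply("ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"));
var_dump(isValidReply("ns:http://specs.openid.net/auth/2.0\nis_valid:false\n"));
var_dump(isValidReply(''));
```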
On Mon, Dec 15, 2008 at 3:44 AM, trebosc <david.treb...@gmail.com> wrote:
> Hi,
> I read you answer :
> > 2. Since adding signature verification takes a bit more work, you could in
> > meanwhile have a secure version without signatures by making it work in
> > "dumb mode" where you don't make the association request, but verify the
> > response simply by playing it back to our endpoint /accounts/o8/ud (via
> > POST) where the only parameter that changes is that "mode" changes from
> > "id_res" to "check_authentication". We will then simply tell you if the
> > signature verifies or not, and because our endpoint is HTTPs, this is a
> > secure mechanism.
> But ... don't work :-(
> Using the parameters of the url, I build this form
> Maybe an encoding issue? Shouldn't you be escaping these URLs?
hi, i just try it and found a mistake that it always display "Warning:
DOMDocument::loadXML() [domdocument.loadxml]: Empty string supplied as
input in E:\PHP\GoogleOpenID\GoogleOpenID.php on line 330". this is
because could not fetch content from https://www.google.com/accounts/o8/id.
then i using curl function fetch it again and return empty content...
what does it happen?
On Dec 12 2008, 1:19 am, apeace <ape...@gmail.com> wrote:
> I went looking for a simple PHP class to handle Google Federated Login
> and found some that claimed to be "simple" but weren't. So, I decided
> to write my own.
> I know there are lots of generic OpenID libraries out there, but I
> didn't feel like lugging around all the extra functionality when all I
> needed to do was work with the Google API. So, that's all my class
> does! It's dirt simple.
Have you tried fetching that URL from the command line (i.e.,
something like "curl https://www.google.com/accounts/o8/id")? It works
for me, which makes me think it might be a problem with your PHP
setup.
On Fri, Jan 9, 2009 at 2:18 AM, icyleaf <icyleaf...@gmail.com> wrote:
> hi, i just try it and found a mistake that it always display "Warning:
> DOMDocument::loadXML() [domdocument.loadxml]: Empty string supplied as
> input in E:\PHP\GoogleOpenID\GoogleOpenID.php on line 330". this is
> because could not fetch content from https://www.google.com/accounts/o8/id.
> then i using curl function fetch it again and return empty content...
> what does it happen?
I was using xampp on windows failed, but on Dreamhost successful.
Maybe something wrong with my PHP setup, but i add some codes below
for "curl_setopt" then done.
> Have you tried fetching that URL from the command line (i.e.,
> something like "curl https://www.google.com/accounts/o8/id")? It works
> for me, which makes me think it might be a problem with your PHP
> setup.
> Dirk Balfanz
> Software Engineer, Google Security
Can any of you pls give me an example of how to use Andrew's
class.....I'm in urgent need of this. It's like I'm confused on how to
set the parameters. So if any of you can post a complete example which
illustrates the usage of this class it would be of great help
Really easy to use, I was struggling big time to get Google Federated
Login implemented on my site www.trip2B.com , and now it will work in
no time!
2 questions:
- Can you let us know when signature verification will be implemented?
I think this is important for security reasons.
- How come the email is returned only once, i.e. the first time a user
logs in? Is there a way to have google responding every time the email
address?
Thanks a lot for your extremely easy to use code!
Regards,
Michaël
I added signature verification (both types, but my signature
calculation function is giving back the wrong answer--dumb
verification works fine though), error checking, and constants to the
original code. I also made the following changes:
- Only verified responses are returned--if a response fails
verification, then response->getMode == "cancel"
- URL's need to be absolute (we are only supplying 2 URL's so absolute
removes any possible vagueness)
- No need for signature encryption since we are already using
transport layer encryption from SSL
- Instead of creating the request then redirecting, we do it all in
one step. This should save us some processing power on the server
(prob not much, but still)
- There are several parameters needed to establish an association, so
these are returned in an array. The expires key is the time that the
key expires (calculated upon request)
- If you save the handle then you can pass it back to the login() and
getResponse() functions. I haven't figured out how to verify the
signature on the client side yet (my generated signatures do not match
those coming from google). Maybe somebody could get this working?
I have included the following below:
- my source code
- my test file source code (inline)
SOURCE CODE (openid.php)
<?php
/* Google OpenID Class. This class aims to make using Federated login
Lightweight (only this file is needed), secure, and easy to use.
------------------------------------------------------------------
HISTORY
------------------------------------------------------------------
* 12/6/2008 - Original version created
* 12/17/2008 - Code cleaned up, error handling/custom exception class
added, signature verification ("dumb validation") working
------------------------------------------------------------------
NOTES
------------------------------------------------------------------
* (PARTIALLY WORKING) Client side verification is not working yet.
The code is included (commented out), but the calculated hash is
different than the one Google returns
* Absolute URL's will be used instead of relative ones (realm value
will be shortened in the response and handle objects)
* Since Google's endpoint is using transport layer encryption, there
is very little added benefit to additional encryption
USAGE:
------------------------------------------------------------------
Setting Up Logins and Associations
------------------------------------------------------------------
*** To setup an association ***
try{
    $assoc = GoogleOpenId::EstablishAssociation("http://someWebsiteHere.com");
}
catch(Exception $e){
    // However you decide to handle the error...
}
*** To perform a login without an association ***
GoogleOpenId::login("http://myrealm.com", "http://myrealm.com/return_to.php", NULL, email=true|false);
*** To perform a login with an association ***
try{
    $assoc = GoogleOpenId::EstablishAssociation("http://someWebsiteHere.com");
    GoogleOpenId::login("http://myrealm.com", "http://myrealm.com/return_to.php", $assoc, email=true|false);
}
catch(Exception $e){
    // However you decide to handle the error...
}
------------------------------------------------------------------
Return pages
------------------------------------------------------------------
You will most likely want to put the return code on the "return_to"
page (wherever that may be...)
*** To get the result of a response without an association ***
$response = GoogleOpenId::getResponse();
*** To access response with an association ***
$assoc = ...code to retrieve stored association array (perhaps in a
database, session, file, or somewhere else...)
$response = GoogleOpenId::getResponse($assoc);
------------------------------------------------------------------
Response object functions
------------------------------------------------------------------
If signature validation fails, then getMode() == "cancel", which is
defined by OpenId_2_0::MODE_CANCEL.
The object returned from GoogleOpenId::getResponse() has the
following getters functions.
/* OpenID Attribute Exchange 1.0 Specific Constants */
class OpenId_AX_1_0{
const NS = "http://openid.net/srv/ax/1.0";
const MODE_FETCH = "fetch_request";
}
/* Google OpenId Class */
class GoogleOpenID{
/* Google OpenId Specific Constants - Since these may differ by
implementation, I placed these constants here */
const DISCOVERY_ENDPOINT = "https://www.google.com/accounts/o8/id";
const EMAIL_ATTR = "email";
const EMAIL_URI = "http://schema.openid.net/contact/email";
const P_EXT_NS = "openid.ns.ext1";
const P_EXT_MODE = "openid.ext1.mode";
const P_EXT_EMAIL_TYPE = "openid.ext1.type.email";
const P_EXT_REQ = "openid.ext1.required";
const P_EXT_EMAIL_VALUE = "openid.ext1.value.email";
/* Private Members - Response Parameters. After a response has been
verified, these values will be set. A response is only created for
verified responses that worked */
private $realm = NULL; // the realm that the response refers to
private $claimed_id = NULL; // the claimed id (documented as unique to each realm)
private $email = NULL; // the email address, if one was returned
private $mode = NULL; // the mode of the response
/* Sets up an association and returns an associative array of the
results. You can refer to the fields by these keys:
OpenId_2_0::REALM => The realm of the established association
OpenId_2_0::ASSOC_TYPE => The association type (right now it seems
to be HMAC-SHA1)
OpenId_2_0::HANDLE => The handle used to refer to the association
OpenId_2_0::MAC => The MAC key. This is used to verify the
signature
OpenId_2_0::SESSION_TYPE => Since Google is on SSL, this defaults
to "no-encryption"
*/
static public function EstablishAssociation($realm){
// Realm must be valid before we continue any further
if( !GoogleOpenId::validRealm($realm) ){
throw new GoogleOpenIdException("Invalid realm used when establishing association",GoogleOpenIdException::INVALID_URL);
}
// If cURL did not execute correctly, throw an error
// (strict comparison, so an empty response body is not treated as a cURL failure)
if( $response === false ){
throw new GoogleOpenIdException(curl_error($ch),
GoogleOpenIdException::CURL_ERROR);
}
curl_close($ch);
switch( $params[0] ){
case OpenId_2_0::ASSOC_TYPE :
case OpenId_2_0::HANDLE :
case OpenId_2_0::MAC :
case OpenId_2_0::SESSION_TYPE :
$result[$params[0]] = $params[1];
break;
case OpenId_2_0::EXPIRES :
$result[$params[0]] = $params[1] + $now;
break;
default:
// We don't care about other parameters right now, so do nothing
}
}
return $result;
}
/* setup the login and redirect */
static public function login($realm, $return_to, $handle=NULL,
$getEmail){
...
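The client-side signature check discussed in this thread, written out following the OpenID Authentication 2.0 signing rules (Key-Value Form over the fields named in openid.signed, HMAC-SHA1 as the class comments mention). This is an added example, not code from the posted class; the function names, MAC key and response values are constructed for illustration. It parses the raw query string because PHP rewrites dots in incoming parameter names to underscores.

```php
<?php
// Added example; helper names and all sample values are constructed.
// Parse the raw query string: PHP's $_GET would turn "openid.sig" into "openid_sig".
function openid_parse_query(string $raw): array {
    $out = [];
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') continue;
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $out[urldecode($k)] = urldecode($v);
    }
    return $out;
}

// Key-Value Form of the signed fields: "key:value\n" for each name in
// openid.signed, in listed order, with the "openid." prefix left off the key.
function openid_signed_text(array $p): string {
    $text = '';
    foreach (explode(',', $p['openid.signed'] ?? '') as $key) {
        if (!array_key_exists("openid.$key", $p)) {
            throw new RuntimeException("signed field missing: $key");
        }
        $text .= $key . ':' . $p["openid.$key"] . "\n";
    }
    return $text;
}

// base64(HMAC-SHA1(raw MAC key, signed text)); mac_key arrives base64-encoded.
function openid_sign(array $p, string $macKeyB64): string {
    $key = base64_decode($macKeyB64, true);
    if ($key === false) throw new RuntimeException('mac_key is not base64');
    return base64_encode(hash_hmac('sha1', openid_signed_text($p), $key, true));
}

// True only if every field we rely on is covered by the signature and it matches.
function openid_verify(array $p, string $macKeyB64, array $mustBeSigned): bool {
    $signed = explode(',', $p['openid.signed'] ?? '');
    if (array_diff($mustBeSigned, $signed)) return false;
    try { $expected = openid_sign($p, $macKeyB64); } catch (RuntimeException $e) { return false; }
    return hash_equals($expected, $p['openid.sig'] ?? '');   // constant-time compare
}

// Constructed association key and positive assertion (not real Google values).
$macKey = base64_encode('constructed-mac-key!');
$resp = [
    'openid.mode'             => 'id_res',
    'openid.op_endpoint'      => 'https://op.example/endpoint',
    'openid.claimed_id'       => 'https://op.example/id?id=constructed',
    'openid.return_to'        => 'http://myrealm.com/return_to.php',
    'openid.response_nonce'   => '2009-01-21T19:50:00Zconstructed',
    'openid.assoc_handle'     => 'constructed-handle',
    'openid.ext1.value.email' => 'user@example.com',
    'openid.signed' => 'op_endpoint,claimed_id,return_to,response_nonce,assoc_handle,ext1.value.email',
];
$resp['openid.sig'] = openid_sign($resp, $macKey);
$must = ['op_endpoint', 'claimed_id', 'return_to', 'response_nonce', 'assoc_handle', 'ext1.value.email'];
$parsed = openid_parse_query(http_build_query($resp));
var_dump(openid_verify($parsed, $macKey, $must));        // response as received
$parsed['openid.ext1.value.email'] = 'other@example.com';
var_dump(openid_verify($parsed, $macKey, $must));        // email altered after signing
```

Requiring `ext1.value.email` in the signed list keeps an unsigned email parameter from being trusted. A complete relying party also rejects a reused response_nonce and checks that return_to matches the URL it actually requested; those checks are outside this block.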
Has anyone successfully implemented Andrew's class? I am looking for a
way to implement this. I would appreciate it if anyone could shed some light on
this. Please let me know.
Thanks,
Karthi
On Jan 21, 7:50 pm, Eric Hayes <ejha...@ucdavis.edu> wrote:
> I added signature verification (both types, but my signature
> calculation function is giving back the wrong answer--dumb
> verification works fine though), error checking, and constants to the
> original code. I also made the following changes:
> - Only verified responses are returned--if a response fails
> verification, then response->getMode == "cancel"
> - URL's need to be absolute (we are only supplying 2 URL's so absolute
> removes any possible vagueness)
> - No need for signature encryption since we are already using
> transport layer encryption from SSL
> - Instead of creating the request then redirecting, we do it all in
> one step. This should save us some processing power on the server
> (prob not much, but still)
> - There are several parameters needed to establish an association, so
> these are returned in an array. The expires key is the time that the
> key expires (calculated upon request)
> - If you save the handle then you can pass it back to the login() and
> getResponse() functions. I haven't figured out how to verify the
> signature on the client side yet (my generated signatures do not match
> those coming from google). Maybe somebody could get this working?
> I have included the following below:
> - my source code
> - my test file source code (inline)
> SOURCE CODE (openid.php)
> <?php
> /* Google OpenID Class. This class aims to make using Federated login
> Lightweight (only this file is needed), secure, and easy to use.
> ------------------------------------------------------------------
> HISTORY
> ------------------------------------------------------------------
> * 12/6/2008 - Original version created
> * 12/17/2008 - Code cleaned up, error handling/custom exception class
> added, signature verification ("dumb validation") working
> ------------------------------------------------------------------
> NOTES
> ------------------------------------------------------------------
> * (PARTIALLY WORKING) Client side verification is not working yet.
> The code is included (commented out), but the calculated hash is
> different than the one Google returns
> * Absolute URL's will be used instead of relative ones (realm value
> will be shortened in the response and handle objects)
> * Since Google's endpoint is using transport layer encryption, there
> is very little added benefit to additional encryption
> USAGE:
> ------------------------------------------------------------------
> Setting Up Logins and Associations
> ------------------------------------------------------------------
> *** To setup an association ***
> try{
> $assoc = GoogleOpenId::EstablishAssociation("http://someWebsiteHere.com");
> }
> catch(exception $e){
> // However you decide to handle the error...
> }
> *** To perform a login without an association ***
> GoogleOpenId::login("http://myrealm.com", "http://myrealm.com/return_to.php", NULL,email=true|false);
> *** To perform a login with an association ***
> try{
> $assoc = GoogleOpenId::EstablishAssociation("http://someWebsiteHere.com");
> GoogleOpenId::login("http://myrealm.com", "http://myrealm.com/return_to.php", $assoc,email=true|false);
> }
> catch(exception $e){
> // However you decide to handle the error...
> }
> ------------------------------------------------------------------
> Return pages
> ------------------------------------------------------------------
> You will most likely want to put the return code on the "return_to"
> page (wherever that may be...)
> *** To get the result of a response without an association ***
> $response = GoogleOpenId::getResponse();
> *** To access response with an association ***
> $assoc = ...code to retrieve stored association array (perhaps in a
> database, session, file, or somewhere else...)
> $response = GoogleOpenId::getResponse($assoc);
> ------------------------------------------------------------------
> Response object functions
> ------------------------------------------------------------------
> If signature validation fails, then getMode() == "cancel", which is
> defined by OpenId_2_0::MODE_CANCEL.
> The object returned from GoogleOpenId::getResponse() has the
> following getter functions.
> /* Google OpenId Class */
> class GoogleOpenID{
> /* Google OpenId Specific Constants - Since these may differ by
> implementation, I placed these constants here */
> const DISCOVERY_ENDPOINT = "https://www.google.com/accounts/o8/id";
> const EMAIL_ATTR = "email";
> const EMAIL_URI = "http://schema.openid.net/contact/email";
> const P_EXT_NS = "openid.ns.ext1";
> const P_EXT_MODE = "openid.ext1.mode";
> const P_EXT_EMAIL_TYPE = "openid.ext1.type.email";
> const P_EXT_REQ = "openid.ext1.required";
> const P_EXT_EMAIL_VALUE = "openid.ext1.value.email";
> /* Private Members - Response Parameters. After a response has been
> verified, these values will be set. A response is only created for
> verified responses that worked */
> private $realm = NULL; // the realm that the response refers to
> private $claimed_id = NULL; // the claimed id (documented as unique to each realm)
> private $email = NULL; // the email address, if one was returned
> private $mode = NULL; // the mode of the response
> /* Sets up an association and returns an associative array of the
> results. You can refer to the fields by these keys:
> OpenId_2_0::REALM => The realm of the established association
> OpenId_2_0::ASSOC_TYPE => The association type (right now it seems
> to be HMAC-SHA1)
> OpenId_2_0::HANDLE => The handle used to refer to the association
> OpenId_2_0::MAC => The MAC key. This is used to verify the
> signature
>
On Fri, Jan 23, 2009 at 5:37 PM, <tskarthi2...@gmail.com> wrote:
> Hi,
> Has anyone successfully implemented Andrew's class? I am looking for a
> way to implement this. I would appreciate it if anyone could shed some light on
> this. Please let me know.
> Thanks,
> Karthi
> On Jan 21, 7:50 pm, Eric Hayes <ejha...@ucdavis.edu> wrote:
> > I added signature verification (both types, but my signature
> > calculation function is giving back the wrong answer--dumb
> > verification works fine though), error checking, and constants to the
> > original code. I also made the following changes:
> > - Only verified responses are returned--if a response fails
> > verification, then response->getMode == "cancel"
> > - URL's need to be absolute (we are only supplying 2 URL's so absolute
> > removes any possible vagueness)
> > - No need for signature encryption since we are already using
> > transport layer encryption from SSL
> > - Instead of creating the request then redirecting, we do it all in
> > one step. This should save us some processing power on the server
> > (prob not much, but still)
> > - There are several parameters needed to establish an association, so
> > these are returned in an array. The expires key is the time that the
> > key expires (calculated upon request)
> > - If you save the handle then you can pass it back to the login() and
> > getResponse() functions. I haven't figured out how to verify the
> > signature on the client side yet (my generated signatures do not match
> > those coming from google). Maybe somebody could get this working?
> > I have included the following below:
> > - my source code
> > - my test file source code (inline)
> Yes, I did.
> But not for Yahoo :( Is there anyone who can help me to get the Yahoo user email address?
> On Fri, Jan 23, 2009 at 5:37 PM, <tskarthi2...@gmail.com> wrote:
> > Hi,
> > Has anyone successfully implemented Andrew's class? I am looking for a
> > way to implement this. I would appreciate it if anyone could shed some light on
> > this. Please let me know.
> > Thanks,
> > Karthi
> > On Jan 21, 7:50 pm, Eric Hayes <ejha...@ucdavis.edu> wrote:
> > > I added signature verification (both types, but my signature
> > > calculation function is giving back the wrong answer--dumb
> > > verification works fine though), error checking, and constants to the
> > > original code. I also made the following changes:
> > > - Only verified responses are returned--if a response fails
> > > verification, then response->getMode == "cancel"
> > > - URL's need to be absolute (we are only supplying 2 URL's so absolute
> > > removes any possible vagueness)
> > > - No need for signature encryption since we are already using
> > > transport layer encryption from SSL
> > > - Instead of creating the request then redirecting, we do it all in
> > > one step. This should save us some processing power on the server
> > > (prob not much, but still)
> > > - There are several parameters needed to establish an association, so
> > > these are returned in an array. The expires key is the time that the
> > > key expires (calculated upon request)
> > > - If you save the handle then you can pass it back to the login() and
> > > getResponse() functions. I haven't figured out how to verify the
> > > signature on the client side yet (my generated signatures do not match
> > > those coming from google). Maybe somebody could get this working?
> > > I have included the following below:
> > > - my source code
> > > - my test file source code (inline)
On Thursday, December 11, 2008 9:19:06 AM UTC-8, apeace wrote:
> I went looking for a simple PHP class to handle Google Federated Login
> and found some that claimed to be "simple" but weren't. So, I decided
> to write my own.
> I know there are lots of generic OpenID libraries out there, but I
> didn't feel like lugging around all the extra functionality when all I
> needed to do was work with the Google API. So, that's all my class
> does! It's dirt simple.