[catagits/Catalyst-Authentication-Credential-OpenID.git] / lib / Catalyst / Authentication / Credential / OpenID.pm

package Catalyst::Authentication::Credential::OpenID;
use parent "Class::Accessor::Fast";

BEGIN {
    __PACKAGE__->mk_accessors(qw/ _config realm debug secret /);
}

use strict;
use warnings;
no warnings "uninitialized";

our $VERSION = "0.02";

use Net::OpenID::Consumer;
use UNIVERSAL::require;
use Catalyst::Exception ();

sub new : method {
    my ( $class, $config, $c, $realm ) = @_;
    my $self = { _config => { %{ $config },
                              %{ $realm->{config} }
                          }
                 };
    bless $self, $class;

    # 2.0 spec says "SHOULD" be named "openid_identifier."
    $self->_config->{openid_field} ||= "openid_identifier";

    $self->debug( $self->_config->{debug} );

    my $secret = $self->_config->{consumer_secret} ||= join("+",
                                                            __PACKAGE__,
                                                            $VERSION,
                                                            sort keys %{ $c->config }
                                                            );

    $secret = substr($secret,0,255) if length $secret > 255;
    $self->secret( $secret );
    $self->_config->{ua_class} ||= "LWPx::ParanoidAgent";

    eval {
        $self->_config->{ua_class}->require;
    }
    or Catalyst::Exception->throw("Could not 'require' user agent class " .
                                  $self->_config->{ua_class});

    $c->log->debug("Setting consumer secret: " . $secret) if $self->debug;

    return $self;
}

sub authenticate : method {
    my ( $self, $c, $realm, $authinfo ) = @_;

    $c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;

    my $field = $self->{_config}->{openid_field};

    my $claimed_uri = $authinfo->{ $field };

    # Its security related so we want to be explicit about GET/POST param retrieval.
    $claimed_uri ||= $c->req->method eq 'GET' ? 
        $c->req->query_params->{ $field } : $c->req->body_params->{ $field };

    my $csr = Net::OpenID::Consumer->new(
        ua => $self->_config->{ua_class}->new(%{$self->_config->{ua_args} || {}}),
        args => $c->req->params,
        consumer_secret => $self->secret,
    );

    if ( $claimed_uri )
    {
        my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...

        my $identity = $csr->claimed_identity($claimed_uri)
            or Catalyst::Exception->throw($csr->err);

        my $check_url = $identity->check_url(
            return_to  => $current . '?openid-check=1',
            trust_root => $current,
            delayed_return => 1,
        );
        $c->res->redirect($check_url);
        return;
    }
    elsif ( $c->req->params->{'openid-check'} )
    {
        if ( my $setup_url = $csr->user_setup_url )
        {
            $c->res->redirect($setup_url);
            return;
        }
        elsif ( $csr->user_cancel )
        {
            return;
        }
        elsif ( my $identity = $csr->verified_identity )
        {
            # This is where we ought to build an OpenID user and verify against the spec.
            my $user = +{ map { $_ => scalar $identity->$_ }
                qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };

            my $user_obj = $realm->find_user($user, $c);

            if ( ref $user_obj )
            {
                return $user_obj;
            }
            else
            {
                $c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $c->debug;
                return;
            }
        }
        else
        {
            Catalyst::Exception->throw("Error validating identity: " .
                                       $csr->err);
        }
    }
    else
    {
        return;
    }
}

1;

__END__

=pod

=head1 NAME

Catalyst::Authentication::Credential::OpenID - OpenID credential for L<Catalyst::Plugin::Authentication> framework.

=head1 SYNOPSIS

 # MyApp
 use Catalyst qw/
    Authentication
    Session
    Session::Store::FastMmap
    Session::State::Cookie
 /;

 # MyApp.yaml --
 Plugin::Authentication:
   default_realm: openid
   realms:
     openid:
       credential:
         class: OpenID

 # Root::openid().
 sub openid : Local {
      my($self, $c) = @_;

      if ( $c->authenticate() )
      {
          $c->flash(message => "You signed in with OpenID!");
          $c->res->redirect( $c->uri_for('/') );
      }
      else
      {
          # Present OpenID form.
      }
 }

 # openid.tt
 <form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
 <input type="text" name="openid_identifier" class="openid" />
 <input type="submit" value="Sign in with OpenID" />
 </form>


=head1 DESCRIPTION

This is the B<third> OpenID related authentication piece for
L<Catalyst>. The first -- L<Catalyst::Plugin::Authentication::OpenID>
by Benjamin Trott -- was deprecated by the second --
L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
Miyagawa -- and this is an attempt to deprecate both by conforming to
the newish, at the time of this module's inception, realm-based
authentication in L<Catalyst::Plugin::Authentication>.

 * Catalyst::Plugin::Authentication::OpenID (first)
 * Catalyst::Plugin::Authentication::Credential::OpenID (second)
 * Catalyst::Authentication::Credential::OpenID (this, the third)

The benefit of this version is that you can use an arbitrary number of
authentication systems in your L<Catalyst> application and configure
and call all of them in the same way.

Note, both earlier versions of OpenID authentication use the method
C<authenticate_openid()>. This module uses C<authenticate()> and
relies on you to specify the realm. You can specify the realm as the
default in the configuration or inline with each
C<authenticate()> call; more below.

This module functions quite differently internally from the others.
See L<Catalyst::Plugin::Authentication::Internals> for more about this
implementation.

=head1 METHOD

=over 4

=item * $c->authenticate({},"your_openid_realm");

Call to authenticate the user via OpenID. Returns false if
authorization is unsuccessful. Sets the user into the session and
returns the user object if authentication succeeds.

You can see in the call above that the authentication hash is empty.
The implicit OpenID parameter is, as the 2.0 specification says it
SHOULD be, B<openid_identifier>. You can set it anything you like in
your realm configuration, though, under the key C<openid_field>. If
you call C<authenticate()> with the empty info hash and no configured
C<openid_field> then only C<openid_identifier> is checked.

It implicitly does this (sort of, it checks the request method too)-

 my $claimed_uri = $c->req->params->{openid_identifier};
 $c->authenticate({openid_identifier => $claimed_uri});

=item * Catalyst::Authentication::Credential::OpenID->new()

You will never call this. Catalyst does it for you. The only important
thing you might like to know about it is that it merges its realm
configuration with its configuration proper. If this doesn't mean
anything to you, don't worry.

=back

=head2 USER METHODS

Currently the only supported user class is L<Catalyst::Plugin::Authentication::User::Hash>.

=over 4

=item * $c->user->url

=item * $c->user->display

=item * $c->user->rss 

=item * $c->user->atom

=item * $c->user->foaf

=item * $c->user->declared_rss

=item * $c->user->declared_atom

=item * $c->user->declared_foaf

=item * $c->user->foafmaker

=back

See L<Net::OpenID::VerifiedIdentity> for details.

=head1 CONFIGURATION

Catalyst authentication is now configured entirely from your
application's configuration. Do not, for example, put
C<Credential::OpenID> into your C<use Catalyst ...> statement.
Instead, tell your application that in one of your authentication
realms you will use the credential.

In your application the following will give you two different
authentication realms. One called "members" which authenticates with
clear text passwords and one called "openid" which uses... uh, OpenID.

 __PACKAGE__->config
    ( name => "MyApp",
      "Plugin::Authentication" => {
          default_realm => "members",
          realms => {
              members => {
                  credential => {
                      class => "Password",
                      password_field => "password",
                      password_type => "clear"
                      },
                          store => {
                              class => "Minimal",
                              users => {
                                  paco => {
                                      password => "l4s4v3n7ur45",
                                  },
                              }
                          }
              },
              openid => {
                  consumer_secret => "Don't bother setting",
                  ua_class => "LWPx::ParanoidAgent",
                  ua_args => {
                      whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
                  },
                  credential => {
                      class => "OpenID",
                      store => {
                          class => "OpenID",
                      },
                  },
              },
          },
      },
      );

And now, the same configuration in YAML.

 name: MyApp
 Plugin::Authentication:
   default_realm: members
   realms:
     members:
       credential:
         class: Password
         password_field: password
         password_type: clear
       store:
         class: Minimal
         users:
           paco:
             password: l4s4v3n7ur45
     openid:
       credential:
         class: OpenID
         store:
           class: OpenID
       consumer_secret: Don't bother setting
       ua_class: LWPx::ParanoidAgent
       ua_args:
         whitelisted_hosts:
           - 127.0.0.1
           - localhost

B<NB>: There is no OpenID store yet. Trying for next release.

=head1 CONFIGURATION

These are set in your realm. See above.

=over 4

=item * ua_args and ua_class

L<LWPx::ParanoidAgent> is the default agent -- C<ua_class>. You don't
have to set it. I recommend that you do B<not> override it. You can
with any well behaved L<LWP::UserAgent>. You probably should not.
L<LWPx::ParanoidAgent> buys you many defenses and extra security
checks. When you allow your application users freedom to initiate
external requests, you open a big avenue for DoS (denial of service)
attacks. L<LWPx::ParanoidAgent> defends against this.
L<LWP::UserAgent> and any regular subclass of it will not.

=item * consumer_secret

The underlying L<Net::OpenID::Consumer> object is seeded with a
secret. If it's important to you to set your own, you can. The default
uses this package name + its version + the sorted configuration keys
of your Catalyst application (chopped at 255 characters if it's
longer). This should generally be superior to any fixed string.

=back


=head1 TODO

There are some interesting implications with this sort of setup. Does
a user aggregate realms or can a user be signed in under more than one
realm? The documents could contain a recipe of the self-answering
OpenID end-point that is in the tests.

Debug statements need to be both expanded and limited via realm
configuration.

Better diagnostics in errors. Debug info at all consumer calls.

Roles from provider domains? Mapped? Direct? A generic "openid" auto_role?

=head1 LICENSE AND COPYRIGHT

Copyright (c) 2008, Ashley Pond V C<< <ashley@cpan.org> >>. Some of
Tatsuhiko Miyagawa's work is reused here.

This module is free software; you can redistribute it and modify it
under the same terms as Perl itself. See L<perlartistic>.


=head1 DISCLAIMER OF WARRANTY

Because this software is licensed free of charge, there is no warranty
for the software, to the extent permitted by applicable law. Except when
otherwise stated in writing the copyright holders and other parties
provide the software "as is" without warranty of any kind, either
expressed or implied, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. The
entire risk as to the quality and performance of the software is with
you. Should the software prove defective, you assume the cost of all
necessary servicing, repair, or correction.

In no event unless required by applicable law or agreed to in writing
will any copyright holder, or any other party who may modify or
redistribute the software as permitted by the above license, be
liable to you for damages, including any general, special, incidental,
or consequential damages arising out of the use or inability to use
the software (including but not limited to loss of data or data being
rendered inaccurate or losses sustained by you or third parties or a
failure of the software to operate with any other software), even if
such holder or other party has been advised of the possibility of
such damages.


=head1 THANKS

To Benjamin Trott, Tatsuhiko Miyagawa, and Brad Fitzpatrick for the
great OpenID stuff and to Jay Kuri and everyone else who has made
Catalyst such a wonderful framework.

=head1 SEE ALSO

L<Catalyst>, L<Catalyst::Plugin::Authentication>,
L<Net::OpenID::Consumer>, and L<LWPx::ParanoidAgent>.

=head2 RELATED

L<Net::OpenID::Server>, L<Net::OpenID::VerifiedIdentity>,
L<http://openid.net/>, and L<http://openid.net/developers/specs/>.

L<Catalyst::Plugin::Authentication::OpenID> (Benjamin Trott) and L<Catalyst::Plugin::Authentication::Credential::OpenID> (Tatsuhiko Miyagawa).

=cut
Commit	Line	Data
e5b6823d	1	package Catalyst::Authentication::Credential::OpenID;
bf16184a	2	use parent "Class::Accessor::Fast";
e5b6823d	3
	4	BEGIN {
	5	__PACKAGE__->mk_accessors(qw/ _config realm debug secret /);
	6	}
	7
	8	use strict;
	9	use warnings;
	10	no warnings "uninitialized";
	11
bf16184a	12	our $VERSION = "0.02";
e5b6823d	13
	14	use Net::OpenID::Consumer;
	15	use UNIVERSAL::require;
	16	use Catalyst::Exception ();
	17
	18	sub new : method {
	19	my ( $class, $config, $c, $realm ) = @_;
	20	my $self = { _config => { %{ $config },
	21	%{ $realm->{config} }
	22	}
	23	};
	24	bless $self, $class;
	25
bf16184a	26	# 2.0 spec says "SHOULD" be named "openid_identifier."
e5b6823d	27	$self->_config->{openid_field} \|\|= "openid_identifier";
	28
	29	$self->debug( $self->_config->{debug} );
	30
	31	my $secret = $self->_config->{consumer_secret} \|\|= join("+",
	32	__PACKAGE__,
	33	$VERSION,
	34	sort keys %{ $c->config }
	35	);
	36
	37	$secret = substr($secret,0,255) if length $secret > 255;
	38	$self->secret( $secret );
bf16184a	39	$self->_config->{ua_class} \|\|= "LWPx::ParanoidAgent";
e5b6823d	40
e5b6823d	41	eval {
bf16184a	42	$self->_config->{ua_class}->require;
e5b6823d	43	}
bf16184a	44	or Catalyst::Exception->throw("Could not 'require' user agent class " .
bf16184a	45	$self->_config->{ua_class});
e5b6823d	46
	47	$c->log->debug("Setting consumer secret: " . $secret) if $self->debug;
	48
	49	return $self;
	50	}
	51
	52	sub authenticate : method {
	53	my ( $self, $c, $realm, $authinfo ) = @_;
	54
	55	$c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;
	56
	57	my $field = $self->{_config}->{openid_field};
	58
	59	my $claimed_uri = $authinfo->{ $field };
	60
	61	# Its security related so we want to be explicit about GET/POST param retrieval.
	62	$claimed_uri \|\|= $c->req->method eq 'GET' ?
	63	$c->req->query_params->{ $field } : $c->req->body_params->{ $field };
	64
	65	my $csr = Net::OpenID::Consumer->new(
	66	ua => $self->_config->{ua_class}->new(%{$self->_config->{ua_args} \|\| {}}),
	67	args => $c->req->params,
bf16184a	68	consumer_secret => $self->secret,
e5b6823d	69	);
	70
	71	if ( $claimed_uri )
	72	{
	73	my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...
	74
	75	my $identity = $csr->claimed_identity($claimed_uri)
	76	or Catalyst::Exception->throw($csr->err);
	77
	78	my $check_url = $identity->check_url(
	79	return_to => $current . '?openid-check=1',
	80	trust_root => $current,
	81	delayed_return => 1,
	82	);
	83	$c->res->redirect($check_url);
	84	return;
	85	}
	86	elsif ( $c->req->params->{'openid-check'} )
	87	{
	88	if ( my $setup_url = $csr->user_setup_url )
	89	{
	90	$c->res->redirect($setup_url);
	91	return;
	92	}
	93	elsif ( $csr->user_cancel )
	94	{
	95	return;
	96	}
	97	elsif ( my $identity = $csr->verified_identity )
	98	{
	99	# This is where we ought to build an OpenID user and verify against the spec.
	100	my $user = +{ map { $_ => scalar $identity->$_ }
	101	qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };
	102
	103	my $user_obj = $realm->find_user($user, $c);
	104
	105	if ( ref $user_obj )
	106	{
	107	return $user_obj;
	108	}
	109	else
	110	{
	111	$c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $c->debug;
	112	return;
	113	}
	114	}
	115	else
	116	{
	117	Catalyst::Exception->throw("Error validating identity: " .
	118	$csr->err);
	119	}
	120	}
	121	else
	122	{
	123	return;
	124	}
	125	}
	126
	127	1;
	128
	129	__END__
	130
	131	=pod
	132
133	=head1 NAME
134
bf16184a	135	Catalyst::Authentication::Credential::OpenID - OpenID credential for L<Catalyst::Plugin::Authentication> framework.
e5b6823d	136
	137	=head1 SYNOPSIS
	138
	139	# MyApp
	140	use Catalyst qw/
	141	Authentication
	142	Session
	143	Session::Store::FastMmap
	144	Session::State::Cookie
	145	/;
	146
	147	# MyApp.yaml --
	148	Plugin::Authentication:
	149	default_realm: openid
	150	realms:
	151	openid:
	152	credential:
	153	class: OpenID
	154
bf16184a	155	# Root::openid().
bf16184a	156	sub openid : Local {
e5b6823d	157	my($self, $c) = @_;
	158
	159	if ( $c->authenticate() )
	160	{
	161	$c->flash(message => "You signed in with OpenID!");
	162	$c->res->redirect( $c->uri_for('/') );
	163	}
	164	else
	165	{
	166	# Present OpenID form.
	167	}
bf16184a	168	}
e5b6823d	169
bf16184a	170	# openid.tt
	171	<form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
	172	<input type="text" name="openid_identifier" class="openid" />
	173	<input type="submit" value="Sign in with OpenID" />
	174	</form>
e5b6823d	175
	176
	177	=head1 DESCRIPTION
	178
	179	This is the B<third> OpenID related authentication piece for
	180	L<Catalyst>. The first -- L<Catalyst::Plugin::Authentication::OpenID>
	181	by Benjamin Trott -- was deprecated by the second --
	182	L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
	183	Miyagawa -- and this is an attempt to deprecate both by conforming to
	184	the newish, at the time of this module's inception, realm-based
	185	authentication in L<Catalyst::Plugin::Authentication>.
	186
	187	* Catalyst::Plugin::Authentication::OpenID (first)
	188	* Catalyst::Plugin::Authentication::Credential::OpenID (second)
	189	* Catalyst::Authentication::Credential::OpenID (this, the third)
	190
	191	The benefit of this version is that you can use an arbitrary number of
	192	authentication systems in your L<Catalyst> application and configure
	193	and call all of them in the same way.
	194
	195	Note, both earlier versions of OpenID authentication use the method
	196	C<authenticate_openid()>. This module uses C<authenticate()> and
	197	relies on you to specify the realm. You can specify the realm as the
	198	default in the configuration or inline with each
	199	C<authenticate()> call; more below.
	200
	201	This module functions quite differently internally from the others.
	202	See L<Catalyst::Plugin::Authentication::Internals> for more about this
	203	implementation.
	204
	205	=head1 METHOD
	206
	207	=over 4
	208
e5b6823d	209	=item * $c->authenticate({},"your_openid_realm");
	210
	211	Call to authenticate the user via OpenID. Returns false if
	212	authorization is unsuccessful. Sets the user into the session and
	213	returns the user object if authentication succeeds.
	214
	215	You can see in the call above that the authentication hash is empty.
	216	The implicit OpenID parameter is, as the 2.0 specification says it
	217	SHOULD be, B<openid_identifier>. You can set it anything you like in
	218	your realm configuration, though, under the key C<openid_field>. If
	219	you call C<authenticate()> with the empty info hash and no configured
	220	C<openid_field> then only C<openid_identifier> is checked.
	221
	222	It implicitly does this (sort of, it checks the request method too)-
	223
	224	my $claimed_uri = $c->req->params->{openid_identifier};
	225	$c->authenticate({openid_identifier => $claimed_uri});
	226
bf16184a	227	=item * Catalyst::Authentication::Credential::OpenID->new()
	228
	229	You will never call this. Catalyst does it for you. The only important
	230	thing you might like to know about it is that it merges its realm
	231	configuration with its configuration proper. If this doesn't mean
	232	anything to you, don't worry.
e5b6823d	233
bf16184a	234	=back
e5b6823d	235
	236	=head2 USER METHODS
	237
	238	Currently the only supported user class is L<Catalyst::Plugin::Authentication::User::Hash>.
	239
bf16184a	240	=over 4
e5b6823d	241
bf16184a	242	=item * $c->user->url
e5b6823d	243
bf16184a	244	=item * $c->user->display
e5b6823d	245
bf16184a	246	=item * $c->user->rss
e5b6823d	247
bf16184a	248	=item * $c->user->atom
e5b6823d	249
bf16184a	250	=item * $c->user->foaf
e5b6823d	251
bf16184a	252	=item * $c->user->declared_rss
e5b6823d	253
bf16184a	254	=item * $c->user->declared_atom
e5b6823d	255
bf16184a	256	=item * $c->user->declared_foaf
e5b6823d	257
bf16184a	258	=item * $c->user->foafmaker
e5b6823d	259
	260	=back
	261
	262	See L<Net::OpenID::VerifiedIdentity> for details.
	263
	264	=head1 CONFIGURATION
	265
	266	Catalyst authentication is now configured entirely from your
	267	application's configuration. Do not, for example, put
	268	C<Credential::OpenID> into your C<use Catalyst ...> statement.
	269	Instead, tell your application that in one of your authentication
	270	realms you will use the credential.
	271
	272	In your application the following will give you two different
	273	authentication realms. One called "members" which authenticates with
	274	clear text passwords and one called "openid" which uses... uh, OpenID.
	275
	276	__PACKAGE__->config
	277	( name => "MyApp",
	278	"Plugin::Authentication" => {
	279	default_realm => "members",
	280	realms => {
	281	members => {
	282	credential => {
	283	class => "Password",
	284	password_field => "password",
	285	password_type => "clear"
	286	},
	287	store => {
	288	class => "Minimal",
	289	users => {
	290	paco => {
	291	password => "l4s4v3n7ur45",
	292	},
	293	}
	294	}
	295	},
	296	openid => {
bf16184a	297	consumer_secret => "Don't bother setting",
e5b6823d	298	ua_class => "LWPx::ParanoidAgent",
	299	ua_args => {
	300	whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
	301	},
	302	credential => {
	303	class => "OpenID",
	304	store => {
	305	class => "OpenID",
	306	},
	307	},
	308	},
	309	},
	310	},
	311	);
	312
	313	And now, the same configuration in YAML.
	314
	315	name: MyApp
	316	Plugin::Authentication:
	317	default_realm: members
	318	realms:
	319	members:
	320	credential:
	321	class: Password
	322	password_field: password
	323	password_type: clear
	324	store:
	325	class: Minimal
	326	users:
	327	paco:
	328	password: l4s4v3n7ur45
	329	openid:
	330	credential:
	331	class: OpenID
	332	store:
	333	class: OpenID
bf16184a	334	consumer_secret: Don't bother setting
e5b6823d	335	ua_class: LWPx::ParanoidAgent
	336	ua_args:
	337	whitelisted_hosts:
	338	- 127.0.0.1
	339	- localhost
	340
	341	B<NB>: There is no OpenID store yet. Trying for next release.
bf16184a	342
	343	=head1 CONFIGURATION
	344
	345	These are set in your realm. See above.
	346
	347	=over 4
	348
	349	=item * ua_args and ua_class
	350
	351	L<LWPx::ParanoidAgent> is the default agent -- C<ua_class>. You don't
	352	have to set it. I recommend that you do B<not> override it. You can
	353	with any well behaved L<LWP::UserAgent>. You probably should not.
e5b6823d	354	L<LWPx::ParanoidAgent> buys you many defenses and extra security
	355	checks. When you allow your application users freedom to initiate
	356	external requests, you open a big avenue for DoS (denial of service)
	357	attacks. L<LWPx::ParanoidAgent> defends against this.
	358	L<LWP::UserAgent> and any regular subclass of it will not.
	359
bf16184a	360	=item * consumer_secret
	361
	362	The underlying L<Net::OpenID::Consumer> object is seeded with a
	363	secret. If it's important to you to set your own, you can. The default
	364	uses this package name + its version + the sorted configuration keys
	365	of your Catalyst application (chopped at 255 characters if it's
	366	longer). This should generally be superior to any fixed string.
	367
	368	=back
	369
e5b6823d	370
	371	=head1 TODO
	372
	373	There are some interesting implications with this sort of setup. Does
	374	a user aggregate realms or can a user be signed in under more than one
	375	realm? The documents could contain a recipe of the self-answering
	376	OpenID end-point that is in the tests.
	377
	378	Debug statements need to be both expanded and limited via realm
	379	configuration.
	380
bf16184a	381	Better diagnostics in errors. Debug info at all consumer calls.
e5b6823d	382
bf16184a	383	Roles from provider domains? Mapped? Direct? A generic "openid" auto_role?
e5b6823d	384
	385	=head1 LICENSE AND COPYRIGHT
	386
	387	Copyright (c) 2008, Ashley Pond V C<< <ashley@cpan.org> >>. Some of
	388	Tatsuhiko Miyagawa's work is reused here.
	389
	390	This module is free software; you can redistribute it and modify it
	391	under the same terms as Perl itself. See L<perlartistic>.
	392
	393
	394	=head1 DISCLAIMER OF WARRANTY
	395
	396	Because this software is licensed free of charge, there is no warranty
	397	for the software, to the extent permitted by applicable law. Except when
	398	otherwise stated in writing the copyright holders and other parties
	399	provide the software "as is" without warranty of any kind, either
	400	expressed or implied, including, but not limited to, the implied
	401	warranties of merchantability and fitness for a particular purpose. The
	402	entire risk as to the quality and performance of the software is with
	403	you. Should the software prove defective, you assume the cost of all
	404	necessary servicing, repair, or correction.
	405
	406	In no event unless required by applicable law or agreed to in writing
	407	will any copyright holder, or any other party who may modify or
	408	redistribute the software as permitted by the above license, be
	409	liable to you for damages, including any general, special, incidental,
	410	or consequential damages arising out of the use or inability to use
	411	the software (including but not limited to loss of data or data being
	412	rendered inaccurate or losses sustained by you or third parties or a
	413	failure of the software to operate with any other software), even if
	414	such holder or other party has been advised of the possibility of
	415	such damages.
	416
bf16184a	417
e5b6823d	418	=head1 THANKS
	419
	420	To Benjamin Trott, Tatsuhiko Miyagawa, and Brad Fitzpatrick for the
	421	great OpenID stuff and to Jay Kuri and everyone else who has made
	422	Catalyst such a wonderful framework.
	423
	424	=head1 SEE ALSO
	425
	426	L<Catalyst>, L<Catalyst::Plugin::Authentication>,
	427	L<Net::OpenID::Consumer>, and L<LWPx::ParanoidAgent>.
	428
	429	=head2 RELATED
	430
bf16184a	431	L<Net::OpenID::Server>, L<Net::OpenID::VerifiedIdentity>,
bf16184a	432	L<http://openid.net/>, and L<http://openid.net/developers/specs/>.
e5b6823d	433
	434	L<Catalyst::Plugin::Authentication::OpenID> (Benjamin Trott) and L<Catalyst::Plugin::Authentication::Credential::OpenID> (Tatsuhiko Miyagawa).
	435
	436	=cut