[catagits/Catalyst-Authentication-Credential-OpenID.git] / lib / Catalyst / Authentication / Credential / OpenID.pm

package Catalyst::Authentication::Credential::OpenID;
use base "Class::Accessor::Fast";

BEGIN {
    __PACKAGE__->mk_accessors(qw/ _config realm debug secret /);
}

use strict;
use warnings;
no warnings "uninitialized";

our $VERSION = '0.01';

use Net::OpenID::Consumer;
use UNIVERSAL::require;
use Catalyst::Exception ();

sub new : method {
    my ( $class, $config, $c, $realm ) = @_;
    my $self = { _config => { %{ $config },
                              %{ $realm->{config} }
                          }
                 };
    bless $self, $class;

    # 2.0 "SHOULD"
    $self->_config->{openid_field} ||= "openid_identifier";

    $self->debug( $self->_config->{debug} );

    my $secret = $self->_config->{consumer_secret} ||= join("+",
                                                            __PACKAGE__,
                                                            $VERSION,
                                                            sort keys %{ $c->config }
                                                            );

    $secret = substr($secret,0,255) if length $secret > 255;
    $self->secret( $secret );

    eval {
        ( $self->_config->{ua_class} ||= "LWPx::ParanoidAgent" )->require;
    }
    or Catalyst::Exception->throw("Could not 'require' user agent class " . $self->_config->{ua_class});

    $c->log->debug("Setting consumer secret: " . $secret) if $self->debug;

    return $self;
}

sub authenticate : method {
    my ( $self, $c, $realm, $authinfo ) = @_;

    $c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;

    my $field = $self->{_config}->{openid_field};

    my $claimed_uri = $authinfo->{ $field };

    # Its security related so we want to be explicit about GET/POST param retrieval.
    $claimed_uri ||= $c->req->method eq 'GET' ? 
        $c->req->query_params->{ $field } : $c->req->body_params->{ $field };

    my $csr = Net::OpenID::Consumer->new(
        ua => $self->_config->{ua_class}->new(%{$self->_config->{ua_args} || {}}),
        args => $c->req->params,
        consumer_secret => sub { $self->secret },
    );

    if ( $claimed_uri )
    {
        my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...

        my $identity = $csr->claimed_identity($claimed_uri)
            or Catalyst::Exception->throw($csr->err);

        my $check_url = $identity->check_url(
            return_to  => $current . '?openid-check=1',
            trust_root => $current,
            delayed_return => 1,
        );
        $c->res->redirect($check_url);
        return;
    }
    elsif ( $c->req->params->{'openid-check'} )
    {
        if ( my $setup_url = $csr->user_setup_url )
        {
            $c->res->redirect($setup_url);
            return;
        }
        elsif ( $csr->user_cancel )
        {
            return;
        }
        elsif ( my $identity = $csr->verified_identity )
        {
            # This is where we ought to build an OpenID user and verify against the spec.
            my $user = +{ map { $_ => scalar $identity->$_ }
                qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };

            my $user_obj = $realm->find_user($user, $c);

            if ( ref $user_obj )
            {
                return $user_obj;
            }
            else
            {
                $c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $c->debug;
                return;
            }
        }
        else
        {
            Catalyst::Exception->throw("Error validating identity: " .
                                       $csr->err);
        }
    }
    else
    {
        return;
    }
}

1;

__END__

=pod

=head1 NAME

Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Authentication framework.

=head1 SYNOPSIS

 # MyApp
 use Catalyst qw/
    Authentication
    Session
    Session::Store::FastMmap
    Session::State::Cookie
 /;

 # MyApp.yaml --
 Plugin::Authentication:
   default_realm: openid
   realms:
     openid:
       credential:
         class: OpenID

  # Root::openid().
  sub openid : Local {
      my($self, $c) = @_;

      if ( $c->authenticate() )
      {
          $c->flash(message => "You signed in with OpenID!");
          $c->res->redirect( $c->uri_for('/') );
      }
      else
      {
          # Present OpenID form.
      }
  }

  # openid.tt
  <form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
  <input type="text" name="openid_identifier" class="openid" />
  <input type="submit" value="Sign in with OpenID" />
  </form>


=head1 DESCRIPTION

This is the B<third> OpenID related authentication piece for
L<Catalyst>. The first -- L<Catalyst::Plugin::Authentication::OpenID>
by Benjamin Trott -- was deprecated by the second --
L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
Miyagawa -- and this is an attempt to deprecate both by conforming to
the newish, at the time of this module's inception, realm-based
authentication in L<Catalyst::Plugin::Authentication>.

 * Catalyst::Plugin::Authentication::OpenID (first)
 * Catalyst::Plugin::Authentication::Credential::OpenID (second)
 * Catalyst::Authentication::Credential::OpenID (this, the third)

The benefit of this version is that you can use an arbitrary number of
authentication systems in your L<Catalyst> application and configure
and call all of them in the same way.

Note, both earlier versions of OpenID authentication use the method
C<authenticate_openid()>. This module uses C<authenticate()> and
relies on you to specify the realm. You can specify the realm as the
default in the configuration or inline with each
C<authenticate()> call; more below.

This module functions quite differently internally from the others.
See L<Catalyst::Plugin::Authentication::Internals> for more about this
implementation.

=head1 METHOD

=over 4

=item * Catalyst::Authentication::Credential::OpenID->new()

You will never call this. Catalyst does it for you. The only important
thing you might like to know about it is that it merges its realm
configuration with its configuration proper. If this doesn't mean
anything to you, don't worry.

=item * $c->authenticate({},"your_openid_realm");

Call to authenticate the user via OpenID. Returns false if
authorization is unsuccessful. Sets the user into the session and
returns the user object if authentication succeeds.

You can see in the call above that the authentication hash is empty.
The implicit OpenID parameter is, as the 2.0 specification says it
SHOULD be, B<openid_identifier>. You can set it anything you like in
your realm configuration, though, under the key C<openid_field>. If
you call C<authenticate()> with the empty info hash and no configured
C<openid_field> then only C<openid_identifier> is checked.

It implicitly does this (sort of, it checks the request method too)-

 my $claimed_uri = $c->req->params->{openid_identifier};
 $c->authenticate({openid_identifier => $claimed_uri});

=back


=head2 USER METHODS

Currently the only supported user class is L<Catalyst::Plugin::Authentication::User::Hash>.

=over 8

=item url

=item display

=item rss

=item atom

=item foaf

=item declared_rss

=item declared_atom

=item declared_foaf

=item foafmaker

=back

See L<Net::OpenID::VerifiedIdentity> for details.

=head1 CONFIGURATION

Catalyst authentication is now configured entirely from your
application's configuration. Do not, for example, put
C<Credential::OpenID> into your C<use Catalyst ...> statement.
Instead, tell your application that in one of your authentication
realms you will use the credential.

In your application the following will give you two different
authentication realms. One called "members" which authenticates with
clear text passwords and one called "openid" which uses... uh, OpenID.

 __PACKAGE__->config
    ( name => "MyApp",
      "Plugin::Authentication" => {
          default_realm => "members",
          realms => {
              members => {
                  credential => {
                      class => "Password",
                      password_field => "password",
                      password_type => "clear"
                      },
                          store => {
                              class => "Minimal",
                              users => {
                                  paco => {
                                      password => "l4s4v3n7ur45",
                                  },
                              }
                          }
              },
              openid => {
                  ua_class => "LWPx::ParanoidAgent",
                  ua_args => {
                      whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
                  },
                  credential => {
                      class => "OpenID",
                      store => {
                          class => "OpenID",
                      },
                  },
              },
          },
      },
      );

And now, the same configuration in YAML.

 name: MyApp
 Plugin::Authentication:
   default_realm: members
   realms:
     members:
       credential:
         class: Password
         password_field: password
         password_type: clear
       store:
         class: Minimal
         users:
           paco:
             password: l4s4v3n7ur45
     openid:
       credential:
         class: OpenID
         store:
           class: OpenID
       ua_class: LWPx::ParanoidAgent
       ua_args:
         whitelisted_hosts:
           - 127.0.0.1
           - localhost

B<NB>: There is no OpenID store yet. Trying for next release.
L<LWPx::ParanoidAgent> is the default agent. You don't have to set it.
I recommend that you do B<not> override it. You can with any well
behaved L<LWP::UserAgent>. You probably should not.
L<LWPx::ParanoidAgent> buys you many defenses and extra security
checks. When you allow your application users freedom to initiate
external requests, you open a big avenue for DoS (denial of service)
attacks. L<LWPx::ParanoidAgent> defends against this.
L<LWP::UserAgent> and any regular subclass of it will not.


=head1 TODO

There are some interesting implications with this sort of setup. Does
a user aggregate realms or can a user be signed in under more than one
realm? The documents could contain a recipe of the self-answering
OpenID end-point that is in the tests.

Debug statements need to be both expanded and limited via realm
configuration.

Better diagnostics in errors.


=head1 LICENSE AND COPYRIGHT

Copyright (c) 2008, Ashley Pond V C<< <ashley@cpan.org> >>. Some of
Tatsuhiko Miyagawa's work is reused here.

This module is free software; you can redistribute it and modify it
under the same terms as Perl itself. See L<perlartistic>.


=head1 DISCLAIMER OF WARRANTY

Because this software is licensed free of charge, there is no warranty
for the software, to the extent permitted by applicable law. Except when
otherwise stated in writing the copyright holders and other parties
provide the software "as is" without warranty of any kind, either
expressed or implied, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. The
entire risk as to the quality and performance of the software is with
you. Should the software prove defective, you assume the cost of all
necessary servicing, repair, or correction.

In no event unless required by applicable law or agreed to in writing
will any copyright holder, or any other party who may modify or
redistribute the software as permitted by the above license, be
liable to you for damages, including any general, special, incidental,
or consequential damages arising out of the use or inability to use
the software (including but not limited to loss of data or data being
rendered inaccurate or losses sustained by you or third parties or a
failure of the software to operate with any other software), even if
such holder or other party has been advised of the possibility of
such damages.

=head1 THANKS

To Benjamin Trott, Tatsuhiko Miyagawa, and Brad Fitzpatrick for the
great OpenID stuff and to Jay Kuri and everyone else who has made
Catalyst such a wonderful framework.

=head1 SEE ALSO

L<Catalyst>, L<Catalyst::Plugin::Authentication>,
L<Net::OpenID::Consumer>, and L<LWPx::ParanoidAgent>.

=head2 RELATED

L<Net::OpenID::Server>, L<http://openid.net/>, and L<http://openid.net/developers/specs/>.

L<Catalyst::Plugin::Authentication::OpenID> (Benjamin Trott) and L<Catalyst::Plugin::Authentication::Credential::OpenID> (Tatsuhiko Miyagawa).

=cut
Commit	Line	Data
e5b6823d	1	package Catalyst::Authentication::Credential::OpenID;
	2	use base "Class::Accessor::Fast";
	3
	4	BEGIN {
	5	__PACKAGE__->mk_accessors(qw/ _config realm debug secret /);
	6	}
	7
	8	use strict;
	9	use warnings;
	10	no warnings "uninitialized";
	11
	12	our $VERSION = '0.01';
	13
	14	use Net::OpenID::Consumer;
	15	use UNIVERSAL::require;
	16	use Catalyst::Exception ();
	17
	18	sub new : method {
	19	my ( $class, $config, $c, $realm ) = @_;
	20	my $self = { _config => { %{ $config },
	21	%{ $realm->{config} }
	22	}
	23	};
	24	bless $self, $class;
	25
	26	# 2.0 "SHOULD"
	27	$self->_config->{openid_field} \|\|= "openid_identifier";
	28
	29	$self->debug( $self->_config->{debug} );
	30
	31	my $secret = $self->_config->{consumer_secret} \|\|= join("+",
	32	__PACKAGE__,
	33	$VERSION,
	34	sort keys %{ $c->config }
	35	);
	36
	37	$secret = substr($secret,0,255) if length $secret > 255;
	38	$self->secret( $secret );
	39
	40	eval {
	41	( $self->_config->{ua_class} \|\|= "LWPx::ParanoidAgent" )->require;
	42	}
	43	or Catalyst::Exception->throw("Could not 'require' user agent class " . $self->_config->{ua_class});
	44
	45	$c->log->debug("Setting consumer secret: " . $secret) if $self->debug;
	46
	47	return $self;
	48	}
	49
	50	sub authenticate : method {
	51	my ( $self, $c, $realm, $authinfo ) = @_;
	52
	53	$c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;
	54
	55	my $field = $self->{_config}->{openid_field};
	56
	57	my $claimed_uri = $authinfo->{ $field };
	58
	59	# Its security related so we want to be explicit about GET/POST param retrieval.
	60	$claimed_uri \|\|= $c->req->method eq 'GET' ?
	61	$c->req->query_params->{ $field } : $c->req->body_params->{ $field };
	62
	63	my $csr = Net::OpenID::Consumer->new(
	64	ua => $self->_config->{ua_class}->new(%{$self->_config->{ua_args} \|\| {}}),
65	args => $c->req->params,
66	consumer_secret => sub { $self->secret },
67	);
68
69	if ( $claimed_uri )
70	{
71	my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...
72
73	my $identity = $csr->claimed_identity($claimed_uri)
74	or Catalyst::Exception->throw($csr->err);
75
76	my $check_url = $identity->check_url(
77	return_to => $current . '?openid-check=1',
78	trust_root => $current,
79	delayed_return => 1,
80	);
81	$c->res->redirect($check_url);
82	return;
83	}
84	elsif ( $c->req->params->{'openid-check'} )
85	{
86	if ( my $setup_url = $csr->user_setup_url )
87	{
88	$c->res->redirect($setup_url);
89	return;
90	}
91	elsif ( $csr->user_cancel )
92	{
93	return;
94	}
95	elsif ( my $identity = $csr->verified_identity )
96	{
97	# This is where we ought to build an OpenID user and verify against the spec.
98	my $user = +{ map { $_ => scalar $identity->$_ }
99	qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };
100
101	my $user_obj = $realm->find_user($user, $c);
102
103	if ( ref $user_obj )
104	{
105	return $user_obj;
106	}
107	else
108	{
109	$c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $c->debug;
110	return;
111	}
112	}
113	else
114	{
115	Catalyst::Exception->throw("Error validating identity: " .
116	$csr->err);
117	}
118	}
119	else
120	{
121	return;
122	}
123	}
124
125	1;
126
127	__END__
128
129	=pod
130
131	=head1 NAME
132
133	Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Authentication framework.
134
135	=head1 SYNOPSIS
136
137	# MyApp
138	use Catalyst qw/
139	Authentication
140	Session
141	Session::Store::FastMmap
142	Session::State::Cookie
143	/;
144
145	# MyApp.yaml --
146	Plugin::Authentication:
147	default_realm: openid
148	realms:
149	openid:
150	credential:
151	class: OpenID
152
153	# Root::openid().
154	sub openid : Local {
155	my($self, $c) = @_;
156
157	if ( $c->authenticate() )
158	{
159	$c->flash(message => "You signed in with OpenID!");
160	$c->res->redirect( $c->uri_for('/') );
161	}
162	else
163	{
164	# Present OpenID form.
165	}
166	}
167
168	# openid.tt
169	<form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
170	<input type="text" name="openid_identifier" class="openid" />
171	<input type="submit" value="Sign in with OpenID" />
172	</form>
173
174
175	=head1 DESCRIPTION
176
177	This is the B<third> OpenID related authentication piece for
178	L<Catalyst>. The first -- L<Catalyst::Plugin::Authentication::OpenID>
179	by Benjamin Trott -- was deprecated by the second --
180	L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
181	Miyagawa -- and this is an attempt to deprecate both by conforming to
182	the newish, at the time of this module's inception, realm-based
183	authentication in L<Catalyst::Plugin::Authentication>.
184
185	* Catalyst::Plugin::Authentication::OpenID (first)
186	* Catalyst::Plugin::Authentication::Credential::OpenID (second)
187	* Catalyst::Authentication::Credential::OpenID (this, the third)
188
189	The benefit of this version is that you can use an arbitrary number of
190	authentication systems in your L<Catalyst> application and configure
191	and call all of them in the same way.
192
193	Note, both earlier versions of OpenID authentication use the method
194	C<authenticate_openid()>. This module uses C<authenticate()> and
195	relies on you to specify the realm. You can specify the realm as the
196	default in the configuration or inline with each
197	C<authenticate()> call; more below.
198
199	This module functions quite differently internally from the others.
200	See L<Catalyst::Plugin::Authentication::Internals> for more about this
201	implementation.
202
203	=head1 METHOD
204
205	=over 4
206
207	=item * Catalyst::Authentication::Credential::OpenID->new()
208
209	You will never call this. Catalyst does it for you. The only important
210	thing you might like to know about it is that it merges its realm
211	configuration with its configuration proper. If this doesn't mean
212	anything to you, don't worry.
213
214	=item * $c->authenticate({},"your_openid_realm");
215
216	Call to authenticate the user via OpenID. Returns false if
217	authorization is unsuccessful. Sets the user into the session and
218	returns the user object if authentication succeeds.
219
220	You can see in the call above that the authentication hash is empty.
221	The implicit OpenID parameter is, as the 2.0 specification says it
222	SHOULD be, B<openid_identifier>. You can set it anything you like in
223	your realm configuration, though, under the key C<openid_field>. If
224	you call C<authenticate()> with the empty info hash and no configured
225	C<openid_field> then only C<openid_identifier> is checked.
226
227	It implicitly does this (sort of, it checks the request method too)-
228
229	my $claimed_uri = $c->req->params->{openid_identifier};
230	$c->authenticate({openid_identifier => $claimed_uri});
231
232	=back
233
234
235	=head2 USER METHODS
236
237	Currently the only supported user class is L<Catalyst::Plugin::Authentication::User::Hash>.
238
239	=over 8
240
241	=item url
242
243	=item display
244
245	=item rss
246
247	=item atom
248
249	=item foaf
250
251	=item declared_rss
252
253	=item declared_atom
254
255	=item declared_foaf
256
257	=item foafmaker
258
259	=back
260
261	See L<Net::OpenID::VerifiedIdentity> for details.
262
263	=head1 CONFIGURATION
264
265	Catalyst authentication is now configured entirely from your
266	application's configuration. Do not, for example, put
267	C<Credential::OpenID> into your C<use Catalyst ...> statement.
268	Instead, tell your application that in one of your authentication
269	realms you will use the credential.
270
271	In your application the following will give you two different
272	authentication realms. One called "members" which authenticates with
273	clear text passwords and one called "openid" which uses... uh, OpenID.
274
275	__PACKAGE__->config
276	( name => "MyApp",
277	"Plugin::Authentication" => {
278	default_realm => "members",
279	realms => {
280	members => {
281	credential => {
282	class => "Password",
283	password_field => "password",
284	password_type => "clear"
285	},
286	store => {
287	class => "Minimal",
288	users => {
289	paco => {
290	password => "l4s4v3n7ur45",
291	},
292	}
293	}
294	},
295	openid => {
296	ua_class => "LWPx::ParanoidAgent",
297	ua_args => {
298	whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
299	},
300	credential => {
301	class => "OpenID",
302	store => {
303	class => "OpenID",
304	},
305	},
306	},
307	},
308	},
309	);
310
311	And now, the same configuration in YAML.
312
313	name: MyApp
314	Plugin::Authentication:
315	default_realm: members
316	realms:
317	members:
318	credential:
319	class: Password
320	password_field: password
321	password_type: clear
322	store:
323	class: Minimal
324	users:
325	paco:
326	password: l4s4v3n7ur45
327	openid:
328	credential:
329	class: OpenID
330	store:
331	class: OpenID
332	ua_class: LWPx::ParanoidAgent
333	ua_args:
334	whitelisted_hosts:
335	- 127.0.0.1
336	- localhost
337
338	B<NB>: There is no OpenID store yet. Trying for next release.
339	L<LWPx::ParanoidAgent> is the default agent. You don't have to set it.
340	I recommend that you do B<not> override it. You can with any well
341	behaved L<LWP::UserAgent>. You probably should not.
342	L<LWPx::ParanoidAgent> buys you many defenses and extra security
343	checks. When you allow your application users freedom to initiate
344	external requests, you open a big avenue for DoS (denial of service)
345	attacks. L<LWPx::ParanoidAgent> defends against this.
346	L<LWP::UserAgent> and any regular subclass of it will not.
347
348
349	=head1 TODO
350
351	There are some interesting implications with this sort of setup. Does
352	a user aggregate realms or can a user be signed in under more than one
353	realm? The documents could contain a recipe of the self-answering
354	OpenID end-point that is in the tests.
355
356	Debug statements need to be both expanded and limited via realm
357	configuration.
358
359	Better diagnostics in errors.
360
361
362	=head1 LICENSE AND COPYRIGHT
363
364	Copyright (c) 2008, Ashley Pond V C<< <ashley@cpan.org> >>. Some of
365	Tatsuhiko Miyagawa's work is reused here.
366
367	This module is free software; you can redistribute it and modify it
368	under the same terms as Perl itself. See L<perlartistic>.
369
370
371	=head1 DISCLAIMER OF WARRANTY
372
373	Because this software is licensed free of charge, there is no warranty
374	for the software, to the extent permitted by applicable law. Except when
375	otherwise stated in writing the copyright holders and other parties
376	provide the software "as is" without warranty of any kind, either
377	expressed or implied, including, but not limited to, the implied
378	warranties of merchantability and fitness for a particular purpose. The
379	entire risk as to the quality and performance of the software is with
380	you. Should the software prove defective, you assume the cost of all
381	necessary servicing, repair, or correction.
382
383	In no event unless required by applicable law or agreed to in writing
384	will any copyright holder, or any other party who may modify or
385	redistribute the software as permitted by the above license, be
386	liable to you for damages, including any general, special, incidental,
387	or consequential damages arising out of the use or inability to use
388	the software (including but not limited to loss of data or data being
389	rendered inaccurate or losses sustained by you or third parties or a
390	failure of the software to operate with any other software), even if
391	such holder or other party has been advised of the possibility of
392	such damages.
393
394	=head1 THANKS
395
396	To Benjamin Trott, Tatsuhiko Miyagawa, and Brad Fitzpatrick for the
397	great OpenID stuff and to Jay Kuri and everyone else who has made
398	Catalyst such a wonderful framework.
399
400	=head1 SEE ALSO
401
402	L<Catalyst>, L<Catalyst::Plugin::Authentication>,
403	L<Net::OpenID::Consumer>, and L<LWPx::ParanoidAgent>.
404
405	=head2 RELATED
406
407	L<Net::OpenID::Server>, L<http://openid.net/>, and L<http://openid.net/developers/specs/>.
408
409	L<Catalyst::Plugin::Authentication::OpenID> (Benjamin Trott) and L<Catalyst::Plugin::Authentication::Credential::OpenID> (Tatsuhiko Miyagawa).
410
411	=cut