2 Catalyst::Authentication::Credential::OpenID - OpenID credential for
3 Catalyst::Plugin::Authentication framework.
8 BACKWARDS COMPATIBILITY CHANGE
9 NB: The extenstions were previously configured under the key
10 "extension_args". They are now configured under "extensions". This
11 prevents the need for double configuration but it breaks extensions in
12 your application if you do not change the name. The old version is
13 supported for now but may be phased out at any time.
15 As previously noted, "EXTENSIONS TO OPENID", I have not tested the
16 extensions. I would be grateful for any feedback or, better, tests.
24 Session::Store::FastMmap
25 Session::State::Cookie
28 Somewhere in myapp.conf-
30 <Plugin::Authentication>
37 ua_class LWP::UserAgent
40 </Plugin::Authentication>
42 Or in your myapp.yml if you're using YAML instead-
44 Plugin::Authentication:
50 ua_class: LWP::UserAgent
52 In a controller, perhaps "Root::openid"-
57 if ( $c->authenticate() )
59 $c->flash(message => "You signed in with OpenID!");
60 $c->res->redirect( $c->uri_for('/') );
64 # Present OpenID form.
68 And a Template to match in "openid.tt"-
70 <form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
71 <input type="text" name="openid_identifier" class="openid" />
72 <input type="submit" value="Sign in with OpenID" />
76 This is the third OpenID related authentication piece for Catalyst. The
77 first — Catalyst::Plugin::Authentication::OpenID by Benjamin Trott — was
78 deprecated by the second —
79 Catalyst::Plugin::Authentication::Credential::OpenID by Tatsuhiko
80 Miyagawa — and this is an attempt to deprecate both by conforming to the
81 newish, at the time of this module's inception, realm-based
82 authentication in Catalyst::Plugin::Authentication.
84 1. Catalyst::Plugin::Authentication::OpenID
85 2. Catalyst::Plugin::Authentication::Credential::OpenID
86 3. Catalyst::Authentication::Credential::OpenID
88 The benefit of this version is that you can use an arbitrary number of
89 authentication systems in your Catalyst application and configure and
90 call all of them in the same way.
92 Note that both earlier versions of OpenID authentication use the method
93 "authenticate_openid()". This module uses "authenticate()" and relies on
94 you to specify the realm. You can specify the realm as the default in
95 the configuration or inline with each "authenticate()" call; more below.
97 This module functions quite differently internally from the others. See
98 Catalyst::Plugin::Authentication::Internals for more about this
102 $c->authenticate({},"your_openid_realm");
103 Call to authenticate the user via OpenID. Returns false if
104 authorization is unsuccessful. Sets the user into the session and
105 returns the user object if authentication succeeds.
107 You can see in the call above that the authentication hash is empty.
108 The implicit OpenID parameter is, as the 2.0 specification says it
109 SHOULD be, openid_identifier. You can set it anything you like in
110 your realm configuration, though, under the key "openid_field". If
111 you call "authenticate()" with the empty info hash and no configured
112 "openid_field" then only "openid_identifier" is checked.
114 It implicitly does this (sort of, it checks the request method too)-
116 my $claimed_uri = $c->req->params->{openid_identifier};
117 $c->authenticate({openid_identifier => $claimed_uri});
119 Catalyst::Authentication::Credential::OpenID->new()
120 You will never call this. Catalyst does it for you. The only
121 important thing you might like to know about it is that it merges
122 its realm configuration with its configuration proper. If this
123 doesn't mean anything to you, don't worry.
126 Currently the only supported user class is
127 Catalyst::Plugin::Authentication::User::Hash.
134 $c->user->declared_rss
135 $c->user->declared_atom
136 $c->user->declared_foaf
139 See Net::OpenID::VerifiedIdentity for details.
142 Catalyst authentication is now configured entirely from your
143 application's configuration. Do not, for example, put
144 "Credential::OpenID" into your "use Catalyst ..." statement. Instead,
145 tell your application that in one of your authentication realms you will
148 In your application the following will give you two different
149 authentication realms. One called "members" which authenticates with
150 clear text passwords and one called "openid" which uses... uh, OpenID.
154 "Plugin::Authentication" => {
155 default_realm => "members",
160 password_field => "password",
161 password_type => "clear"
167 password => "l4s4v3n7ur45",
173 consumer_secret => "Don't bother setting",
174 ua_class => "LWP::UserAgent",
176 whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
185 'http://openid.net/extensions/sreg/1.1',
188 optional => 'fullname,nickname,timezone',
196 This is the same configuration in the default Catalyst configuration
197 format from Config::General.
200 <Plugin::Authentication>
201 default_realm members
208 password l4s4v3n7ur45
213 password_field password
220 whitelisted_hosts 127.0.0.1
221 whitelisted_hosts localhost
223 consumer_secret Don't bother setting
224 ua_class LWP::UserAgent
232 http://openid.net/extensions/sreg/1.1
234 optional fullname,nickname,timezone
238 </Plugin::Authentication>
240 And now, the same configuration in YAML. NB: YAML is whitespace
244 Plugin::Authentication:
245 default_realm: members
250 password_field: password
256 password: l4s4v3n7ur45
262 consumer_secret: Don't bother setting
263 ua_class: LWP::UserAgent
269 - http://openid.net/extensions/sreg/1.1
271 optional: fullname,nickname,timezone
273 NB: There is no OpenID store yet.
276 The Simple Registration--<http://openid.net/extensions/sreg/1.1>--(SREG)
277 extension to OpenID is supported in the Net::OpenID family now.
278 Experimental support for it is included here as of v0.12. SREG is the
279 only supported extension in OpenID 1.1. It's experimental in the sense
280 it's a new interface and barely tested. Support for OpenID extensions is
283 MORE ON CONFIGURATION
284 These are set in your realm. See above.
287 LWPx::ParanoidAgent is the default agent — "ua_class" — if it's
288 available, LWP::UserAgent if not. You don't have to set it. I
289 recommend that you do not override it. You can with any well behaved
290 LWP::UserAgent. You probably should not. LWPx::ParanoidAgent buys
291 you many defenses and extra security checks. When you allow your
292 application users freedom to initiate external requests, you open an
293 avenue for DoS (denial of service) attacks. LWPx::ParanoidAgent
294 defends against this. LWP::UserAgent and any regular subclass of it
298 The underlying Net::OpenID::Consumer object is seeded with a secret.
299 If it's important to you to set your own, you can. The default uses
300 this package name + its version + the sorted configuration keys of
301 your Catalyst application (chopped at 255 characters if it's
302 longer). This should generally be superior to any fixed string.
305 Option to suppress fatals.
307 Support more of the new methods in the Net::OpenID kit.
309 There are some interesting implications with this sort of setup. Does a
310 user aggregate realms or can a user be signed in under more than one
311 realm? The documents could contain a recipe of the self-answering OpenID
312 end-point that is in the tests.
314 Debug statements need to be both expanded and limited via realm
317 Better diagnostics in errors. Debug info at all consumer calls.
319 Roles from provider domains? Mapped? Direct? A generic "openid"
323 To Benjamin Trott (Catalyst::Plugin::Authentication::OpenID), Tatsuhiko
324 Miyagawa (Catalyst::Plugin::Authentication::Credential::OpenID), Brad
325 Fitzpatrick for the great OpenID stuff, Martin Atkins for picking up the
326 code to handle OpenID 2.0, and Jay Kuri and everyone else who has made
327 Catalyst such a wonderful framework.
329 Menno Blom provided a bug fix and the hook to use OpenID extensions.
331 LICENSE AND COPYRIGHT
332 Copyright (c) 2008-2009, Ashley Pond V "<ashley@cpan.org>". Some of
333 Tatsuhiko Miyagawa's work is reused here.
335 This module is free software; you can redistribute it and modify it
336 under the same terms as Perl itself. See perlartistic.
338 DISCLAIMER OF WARRANTY
339 Because this software is licensed free of charge, there is no warranty
340 for the software, to the extent permitted by applicable law. Except when
341 otherwise stated in writing the copyright holders and other parties
342 provide the software "as is" without warranty of any kind, either
343 expressed or implied, including, but not limited to, the implied
344 warranties of merchantability and fitness for a particular purpose. The
345 entire risk as to the quality and performance of the software is with
346 you. Should the software prove defective, you assume the cost of all
347 necessary servicing, repair, or correction.
349 In no event unless required by applicable law or agreed to in writing
350 will any copyright holder, or any other party who may modify or
351 redistribute the software as permitted by the above license, be liable
352 to you for damages, including any general, special, incidental, or
353 consequential damages arising out of the use or inability to use the
354 software (including but not limited to loss of data or data being
355 rendered inaccurate or losses sustained by you or third parties or a
356 failure of the software to operate with any other software), even if
357 such holder or other party has been advised of the possibility of such
362 Net::OpenID::Server, Net::OpenID::VerifiedIdentity,
363 Net::OpenID::Consumer, <http://openid.net/>,
364 <http://openid.net/developers/specs/>, and
365 <http://openid.net/extensions/sreg/1.1>.
367 Catalyst Authentication
368 Catalyst, Catalyst::Plugin::Authentication,
369 Catalyst::Manual::Tutorial::Authorization, and
370 Catalyst::Manual::Tutorial::Authentication.
372 Catalyst Configuration
373 Catalyst::Plugin::ConfigLoader, Config::General, and YAML.
376 Catalyst::Manual::Tutorial, Template, LWPx::ParanoidAgent.