1 package Catalyst::Authentication::Credential::OpenID;
2 use base "Class::Accessor::Fast";
5 __PACKAGE__->mk_accessors(qw/ _config realm debug secret /);
10 no warnings "uninitialized";
12 our $VERSION = '0.01';
14 use Net::OpenID::Consumer;
15 use UNIVERSAL::require;
16 use Catalyst::Exception ();
19 my ( $class, $config, $c, $realm ) = @_;
20 my $self = { _config => { %{ $config },
27 $self->_config->{openid_field} ||= "openid_identifier";
29 $self->debug( $self->_config->{debug} );
31 my $secret = $self->_config->{consumer_secret} ||= join("+",
34 sort keys %{ $c->config }
37 $secret = substr($secret,0,255) if length $secret > 255;
38 $self->secret( $secret );
41 ( $self->_config->{ua_class} ||= "LWPx::ParanoidAgent" )->require;
43 or Catalyst::Exception->throw("Could not 'require' user agent class " . $self->_config->{ua_class});
45 $c->log->debug("Setting consumer secret: " . $secret) if $self->debug;
50 sub authenticate : method {
51 my ( $self, $c, $realm, $authinfo ) = @_;
53 $c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;
55 my $field = $self->{_config}->{openid_field};
57 my $claimed_uri = $authinfo->{ $field };
59 # Its security related so we want to be explicit about GET/POST param retrieval.
60 $claimed_uri ||= $c->req->method eq 'GET' ?
61 $c->req->query_params->{ $field } : $c->req->body_params->{ $field };
63 my $csr = Net::OpenID::Consumer->new(
64 ua => $self->_config->{ua_class}->new(%{$self->_config->{ua_args} || {}}),
65 args => $c->req->params,
66 consumer_secret => sub { $self->secret },
71 my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...
73 my $identity = $csr->claimed_identity($claimed_uri)
74 or Catalyst::Exception->throw($csr->err);
76 my $check_url = $identity->check_url(
77 return_to => $current . '?openid-check=1',
78 trust_root => $current,
81 $c->res->redirect($check_url);
84 elsif ( $c->req->params->{'openid-check'} )
86 if ( my $setup_url = $csr->user_setup_url )
88 $c->res->redirect($setup_url);
91 elsif ( $csr->user_cancel )
95 elsif ( my $identity = $csr->verified_identity )
97 # This is where we ought to build an OpenID user and verify against the spec.
98 my $user = +{ map { $_ => scalar $identity->$_ }
99 qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };
101 my $user_obj = $realm->find_user($user, $c);
109 $c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $c->debug;
115 Catalyst::Exception->throw("Error validating identity: " .
133 Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Authentication framework.
141 Session::Store::FastMmap
142 Session::State::Cookie
146 Plugin::Authentication:
147 default_realm: openid
157 if ( $c->authenticate() )
159 $c->flash(message => "You signed in with OpenID!");
160 $c->res->redirect( $c->uri_for('/') );
164 # Present OpenID form.
169 <form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
170 <input type="text" name="openid_identifier" class="openid" />
171 <input type="submit" value="Sign in with OpenID" />
177 This is the B<third> OpenID related authentication piece for
178 L<Catalyst>. The first -- L<Catalyst::Plugin::Authentication::OpenID>
179 by Benjamin Trott -- was deprecated by the second --
180 L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
181 Miyagawa -- and this is an attempt to deprecate both by conforming to
182 the newish, at the time of this module's inception, realm-based
183 authentication in L<Catalyst::Plugin::Authentication>.
185 * Catalyst::Plugin::Authentication::OpenID (first)
186 * Catalyst::Plugin::Authentication::Credential::OpenID (second)
187 * Catalyst::Authentication::Credential::OpenID (this, the third)
189 The benefit of this version is that you can use an arbitrary number of
190 authentication systems in your L<Catalyst> application and configure
191 and call all of them in the same way.
193 Note, both earlier versions of OpenID authentication use the method
194 C<authenticate_openid()>. This module uses C<authenticate()> and
195 relies on you to specify the realm. You can specify the realm as the
196 default in the configuration or inline with each
197 C<authenticate()> call; more below.
199 This module functions quite differently internally from the others.
200 See L<Catalyst::Plugin::Authentication::Internals> for more about this
207 =item * Catalyst::Authentication::Credential::OpenID->new()
209 You will never call this. Catalyst does it for you. The only important
210 thing you might like to know about it is that it merges its realm
211 configuration with its configuration proper. If this doesn't mean
212 anything to you, don't worry.
214 =item * $c->authenticate({},"your_openid_realm");
216 Call to authenticate the user via OpenID. Returns false if
217 authorization is unsuccessful. Sets the user into the session and
218 returns the user object if authentication succeeds.
220 You can see in the call above that the authentication hash is empty.
221 The implicit OpenID parameter is, as the 2.0 specification says it
222 SHOULD be, B<openid_identifier>. You can set it anything you like in
223 your realm configuration, though, under the key C<openid_field>. If
224 you call C<authenticate()> with the empty info hash and no configured
225 C<openid_field> then only C<openid_identifier> is checked.
227 It implicitly does this (sort of, it checks the request method too)-
229 my $claimed_uri = $c->req->params->{openid_identifier};
230 $c->authenticate({openid_identifier => $claimed_uri});
237 Currently the only supported user class is L<Catalyst::Plugin::Authentication::User::Hash>.
261 See L<Net::OpenID::VerifiedIdentity> for details.
265 Catalyst authentication is now configured entirely from your
266 application's configuration. Do not, for example, put
267 C<Credential::OpenID> into your C<use Catalyst ...> statement.
268 Instead, tell your application that in one of your authentication
269 realms you will use the credential.
271 In your application the following will give you two different
272 authentication realms. One called "members" which authenticates with
273 clear text passwords and one called "openid" which uses... uh, OpenID.
277 "Plugin::Authentication" => {
278 default_realm => "members",
283 password_field => "password",
284 password_type => "clear"
290 password => "l4s4v3n7ur45",
296 ua_class => "LWPx::ParanoidAgent",
298 whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
311 And now, the same configuration in YAML.
314 Plugin::Authentication:
315 default_realm: members
320 password_field: password
326 password: l4s4v3n7ur45
332 ua_class: LWPx::ParanoidAgent
338 B<NB>: There is no OpenID store yet. Trying for next release.
339 L<LWPx::ParanoidAgent> is the default agent. You don't have to set it.
340 I recommend that you do B<not> override it. You can with any well
341 behaved L<LWP::UserAgent>. You probably should not.
342 L<LWPx::ParanoidAgent> buys you many defenses and extra security
343 checks. When you allow your application users freedom to initiate
344 external requests, you open a big avenue for DoS (denial of service)
345 attacks. L<LWPx::ParanoidAgent> defends against this.
346 L<LWP::UserAgent> and any regular subclass of it will not.
351 There are some interesting implications with this sort of setup. Does
352 a user aggregate realms or can a user be signed in under more than one
353 realm? The documents could contain a recipe of the self-answering
354 OpenID end-point that is in the tests.
356 Debug statements need to be both expanded and limited via realm
359 Better diagnostics in errors.
362 =head1 LICENSE AND COPYRIGHT
364 Copyright (c) 2008, Ashley Pond V C<< <ashley@cpan.org> >>. Some of
365 Tatsuhiko Miyagawa's work is reused here.
367 This module is free software; you can redistribute it and modify it
368 under the same terms as Perl itself. See L<perlartistic>.
371 =head1 DISCLAIMER OF WARRANTY
373 Because this software is licensed free of charge, there is no warranty
374 for the software, to the extent permitted by applicable law. Except when
375 otherwise stated in writing the copyright holders and other parties
376 provide the software "as is" without warranty of any kind, either
377 expressed or implied, including, but not limited to, the implied
378 warranties of merchantability and fitness for a particular purpose. The
379 entire risk as to the quality and performance of the software is with
380 you. Should the software prove defective, you assume the cost of all
381 necessary servicing, repair, or correction.
383 In no event unless required by applicable law or agreed to in writing
384 will any copyright holder, or any other party who may modify or
385 redistribute the software as permitted by the above license, be
386 liable to you for damages, including any general, special, incidental,
387 or consequential damages arising out of the use or inability to use
388 the software (including but not limited to loss of data or data being
389 rendered inaccurate or losses sustained by you or third parties or a
390 failure of the software to operate with any other software), even if
391 such holder or other party has been advised of the possibility of
396 To Benjamin Trott, Tatsuhiko Miyagawa, and Brad Fitzpatrick for the
397 great OpenID stuff and to Jay Kuri and everyone else who has made
398 Catalyst such a wonderful framework.
402 L<Catalyst>, L<Catalyst::Plugin::Authentication>,
403 L<Net::OpenID::Consumer>, and L<LWPx::ParanoidAgent>.
407 L<Net::OpenID::Server>, L<http://openid.net/>, and L<http://openid.net/developers/specs/>.
409 L<Catalyst::Plugin::Authentication::OpenID> (Benjamin Trott) and L<Catalyst::Plugin::Authentication::Credential::OpenID> (Tatsuhiko Miyagawa).