1 package Catalyst::Authentication::Credential::OpenID;
4 use base "Class::Accessor::Fast";
6 __PACKAGE__->mk_accessors(qw/
16 flatten_extensions_into_user
19 our $VERSION = "0.16_02";
21 use Net::OpenID::Consumer;
22 use Catalyst::Exception ();
25 my ( $class, $config, $c, $realm ) = @_;
32 # 2.0 spec says "SHOULD" be named "openid_identifier."
33 $self->{openid_field} ||= "openid_identifier";
35 my $secret = $self->{consumer_secret} ||= join("+",
38 sort keys %{ $c->config }
41 $secret = substr($secret,0,255) if length $secret > 255;
42 $self->secret($secret);
43 # If user has no preference we prefer L::PA b/c it can prevent DoS attacks.
44 my $ua_class = $self->{ua_class} ||= eval "use LWPx::ParanoidAgent" ?
45 "LWPx::ParanoidAgent" : "LWP::UserAgent";
47 my $agent_class = $self->ua_class;
48 eval "require $agent_class"
49 or Catalyst::Exception->throw("Could not 'require' user agent class " .
52 $c->log->debug("Setting consumer secret: " . $secret) if $self->debug;
58 my ( $self, $c, $realm, $authinfo ) = @_;
60 $c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;
62 my $field = $self->openid_field;
64 my $claimed_uri = $authinfo->{ $field };
66 # Its security related so we want to be explicit about GET/POST param retrieval.
67 $claimed_uri ||= $c->req->method eq 'GET' ?
68 $c->req->query_params->{ $field } : $c->req->body_params->{ $field };
71 my $csr = Net::OpenID::Consumer->new(
72 ua => $self->ua_class->new(%{$self->ua_args || {}}),
73 args => $c->req->params,
74 consumer_secret => $self->secret,
77 if ( $self->extension_args )
79 $c->log->warn("The configuration key 'extension_args' is ignored; use 'extensions'");
82 my %extensions = ref($self->extensions) eq "HASH" ?
83 %{ $self->extensions } : ref($self->extensions) eq "ARRAY" ?
84 @{ $self->extensions } : ();
88 my $current = $c->uri_for("/" . $c->req->path); # clear query/fragment...
90 my $identity = $csr->claimed_identity($claimed_uri);
93 if ( $self->errors_are_fatal )
95 Catalyst::Exception->throw($csr->err);
99 $c->log->error($csr->err . " -- $claimed_uri");
104 for my $key ( keys %extensions )
106 $identity->set_extension_args($key, $extensions{$key});
109 my $check_url = $identity->check_url(
110 return_to => $current . '?openid-check=1',
111 trust_root => $self->trust_root || $current,
114 $c->res->redirect($check_url);
117 elsif ( $c->req->params->{'openid-check'} )
119 if ( my $setup_url = $csr->user_setup_url )
121 $c->res->redirect($setup_url);
124 elsif ( $csr->user_cancel )
128 elsif ( my $identity = $csr->verified_identity )
130 # This is where we ought to build an OpenID user and verify against the spec.
131 my $user = +{ map { $_ => scalar $identity->$_ }
132 qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };
133 # Dude, I did not design the array as hash spec. Don't curse me [apv].
134 for my $key ( keys %extensions )
136 my $vals = $identity->signed_extension_fields($key);
137 $user->{extensions}->{$key} = $vals;
138 if ( $self->flatten_extensions_into_user )
140 $user->{$_} = $vals->{$_} for keys %{$vals};
144 my $user_obj = $realm->find_user($user, $c);
152 $c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $self->debug;
158 $self->errors_are_fatal ?
159 Catalyst::Exception->throw("Error validating identity: " . $csr->err)
161 $c->log->error( $csr->err);
173 Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Plugin::Authentication framework.
179 =head1 BACKWARDS COMPATIBILITY CHANGES
181 =head2 EXTENSION_ARGS v EXTENSIONS
183 B<NB>: The extensions were previously configured under the key C<extension_args>. They are now configured under C<extensions>. C<extension_args> is no longer honored.
185 As previously noted, L</EXTENSIONS TO OPENID>, I have not tested the extensions. I would be grateful for any feedback or, better, tests.
189 The problems encountered by failed OpenID operations have always been fatals in the past. This is unexpected behavior for most users as it differs from other credentials. Authentication errors here are no longer fatal. Debug/error output is improved to offset the loss of information. If for some reason you would prefer the legacy/fatal behavior, set the configuration variable C<errors_are_fatal> to a true value.
198 Session::Store::FastMmap
199 Session::State::Cookie
202 Somewhere in myapp.conf-
204 <Plugin::Authentication>
210 ua_class LWP::UserAgent
214 </Plugin::Authentication>
216 Or in your myapp.yml if you're using L<YAML> instead-
218 Plugin::Authentication:
219 default_realm: openid
224 ua_class: LWP::UserAgent
226 In a controller, perhaps C<Root::openid>-
231 if ( $c->authenticate() )
233 $c->flash(message => "You signed in with OpenID!");
234 $c->res->redirect( $c->uri_for('/') );
238 # Present OpenID form.
242 And a L<Template> to match in C<openid.tt>-
244 <form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
245 <input type="text" name="openid_identifier" class="openid" />
246 <input type="submit" value="Sign in with OpenID" />
251 This is the B<third> OpenID related authentication piece for
252 L<Catalyst>. The first E<mdash> L<Catalyst::Plugin::Authentication::OpenID>
253 by Benjamin Trott E<mdash> was deprecated by the second E<mdash>
254 L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
255 Miyagawa E<mdash> and this is an attempt to deprecate both by conforming to
256 the newish, at the time of this module's inception, realm-based
257 authentication in L<Catalyst::Plugin::Authentication>.
259 1. Catalyst::Plugin::Authentication::OpenID
260 2. Catalyst::Plugin::Authentication::Credential::OpenID
261 3. Catalyst::Authentication::Credential::OpenID
263 The benefit of this version is that you can use an arbitrary number of
264 authentication systems in your L<Catalyst> application and configure
265 and call all of them in the same way.
267 Note that both earlier versions of OpenID authentication use the method
268 C<authenticate_openid()>. This module uses C<authenticate()> and
269 relies on you to specify the realm. You can specify the realm as the
270 default in the configuration or inline with each
271 C<authenticate()> call; more below.
273 This module functions quite differently internally from the others.
274 See L<Catalyst::Plugin::Authentication::Internals> for more about this
281 =item $c->authenticate({},"your_openid_realm");
283 Call to authenticate the user via OpenID. Returns false if
284 authorization is unsuccessful. Sets the user into the session and
285 returns the user object if authentication succeeds.
287 You can see in the call above that the authentication hash is empty.
288 The implicit OpenID parameter is, as the 2.0 specification says it
289 SHOULD be, B<openid_identifier>. You can set it anything you like in
290 your realm configuration, though, under the key C<openid_field>. If
291 you call C<authenticate()> with the empty info hash and no configured
292 C<openid_field> then only C<openid_identifier> is checked.
294 It implicitly does this (sort of, it checks the request method too)-
296 my $claimed_uri = $c->req->params->{openid_identifier};
297 $c->authenticate({openid_identifier => $claimed_uri});
299 =item Catalyst::Authentication::Credential::OpenID->new()
301 You will never call this. Catalyst does it for you. The only important
302 thing you might like to know about it is that it merges its realm
303 configuration with its configuration proper. If this doesn't mean
304 anything to you, don't worry.
310 Currently the only supported user class is L<Catalyst::Plugin::Authentication::User::Hash>.
316 =item $c->user->display
324 =item $c->user->declared_rss
326 =item $c->user->declared_atom
328 =item $c->user->declared_foaf
330 =item $c->user->foafmaker
334 See L<Net::OpenID::VerifiedIdentity> for details.
338 Catalyst authentication is now configured entirely from your
339 application's configuration. Do not, for example, put
340 C<Credential::OpenID> into your C<use Catalyst ...> statement.
341 Instead, tell your application that in one of your authentication
342 realms you will use the credential.
344 In your application the following will give you two different
345 authentication realms. One called "members" which authenticates with
346 clear text passwords and one called "openid" which uses... uh, OpenID.
350 "Plugin::Authentication" => {
351 default_realm => "members",
356 password_field => "password",
357 password_type => "clear"
363 password => "l4s4v3n7ur45",
374 consumer_secret => "Don't bother setting",
375 ua_class => "LWP::UserAgent",
376 # whitelist is only relevant for LWPx::ParanoidAgent
378 whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
381 'http://openid.net/extensions/sreg/1.1',
384 optional => 'fullname,nickname,timezone',
393 This is the same configuration in the default L<Catalyst> configuration format from L<Config::General>.
396 <Plugin::Authentication>
397 default_realm members
404 password l4s4v3n7ur45
409 password_field password
421 whitelisted_hosts 127.0.0.1
422 whitelisted_hosts localhost
424 consumer_secret Don't bother setting
425 ua_class LWP::UserAgent
427 http://openid.net/extensions/sreg/1.1
429 optional fullname,nickname,timezone
434 </Plugin::Authentication>
436 And now, the same configuration in L<YAML>. B<NB>: L<YAML> is whitespace sensitive.
439 Plugin::Authentication:
440 default_realm: members
445 password_field: password
451 password: l4s4v3n7ur45
457 consumer_secret: Don't bother setting
458 ua_class: LWP::UserAgent
460 # whitelist is only relevant for LWPx::ParanoidAgent
465 - http://openid.net/extensions/sreg/1.1
467 optional: fullname,nickname,timezone
469 B<NB>: There is no OpenID store yet.
471 You can set C<trust_root> now too. This is experimental and I have no idea if it's right or could be better. Right now it must be a URI. It was submitted as a path but this seems to limit it to the Catalyst app and while easier to dynamically generate no matter where the app starts, it seems like the wrong way to go. Let me know if that's mistaken.
473 =head2 EXTENSIONS TO OPENID
475 The Simple Registration--L<http://openid.net/extensions/sreg/1.1>--(SREG) extension to OpenID is supported in the L<Net::OpenID> family now. Experimental support for it is included here as of v0.12. SREG is the only supported extension in OpenID 1.1. It's experimental in the sense it's a new interface and barely tested. Support for OpenID extensions is here to stay.
477 Google's OpenID is also now supported. Uh, I think.
479 Here is a snippet from Thorben JE<auml>ndling combining Sreg and Google's extenstionsE<ndash>
481 'Plugin::Authentication' => {
485 ua_class => 'LWP::UserAgent',
487 'http://openid.net/extensions/sreg/1.1' => {
488 required => 'nickname,email,fullname',
489 optional => 'timezone,language,dob,country,gender'
491 'http://openid.net/srv/ax/1.0' => {
492 mode => 'fetch_request',
493 'type.nickname' => 'http://axschema.org/namePerson/friendly',
494 'type.email' => 'http://axschema.org/contact/email',
495 'type.fullname' => 'http://axschema.org/namePerson',
496 'type.firstname' => 'http://axschema.org/namePerson/first',
497 'type.lastname' => 'http://axschema.org/namePerson/last',
498 'type.dob' => 'http://axschema.org/birthDate',
499 'type.gender' => 'http://axschema.org/person/gender',
500 'type.country' => 'http://axschema.org/contact/country/home',
501 'type.language' => 'http://axschema.org/pref/language',
502 'type.timezone' => 'http://axschema.org/pref/timezone',
503 required => 'nickname,fullname,email,firstname,lastname',
504 if_available => 'dob,gender,country,language,timezone',
509 default_realm => 'openid',
513 =head2 MORE ON CONFIGURATION
517 =item ua_args and ua_class
519 L<LWPx::ParanoidAgent> is the default agent E<mdash> C<ua_class> E<mdash> if it's available, L<LWP::UserAgent> if not. You don't have to set it. I recommend that you do B<not> override it. You can with any well behaved L<LWP::UserAgent>. You probably should not. L<LWPx::ParanoidAgent> buys you many defenses and extra security checks. When you allow your application users freedom to initiate external requests, you open an avenue for DoS (denial of service) attacks. L<LWPx::ParanoidAgent> defends against this. L<LWP::UserAgent> and any regular subclass of it will not.
521 =item consumer_secret
523 The underlying L<Net::OpenID::Consumer> object is seeded with a secret. If it's important to you to set your own, you can. The default uses this package name + its version + the sorted configuration keys of your Catalyst application (chopped at 255 characters if it's longer). This should generally be superior to any fixed string.
529 Option to suppress fatals.
531 Support more of the new methods in the L<Net::OpenID> kit.
533 There are some interesting implications with this sort of setup. Does a user aggregate realms or can a user be signed in under more than one realm? The documents could contain a recipe of the self-answering OpenID end-point that is in the tests.
535 Debug statements need to be both expanded and limited via realm configuration.
537 Better diagnostics in errors. Debug info at all consumer calls.
539 Roles from provider domains? Mapped? Direct? A generic "openid" auto_role?
543 To Benjamin Trott (L<Catalyst::Plugin::Authentication::OpenID>), Tatsuhiko Miyagawa (L<Catalyst::Plugin::Authentication::Credential::OpenID>), Brad Fitzpatrick for the great OpenID stuff, Martin Atkins for picking up the code to handle OpenID 2.0, and Jay Kuri and everyone else who has made Catalyst such a wonderful framework.
545 Menno Blom provided a bug fix and the hook to use OpenID extensions.
547 =head1 LICENSE AND COPYRIGHT
549 Copyright (c) 2008-2009, Ashley Pond V C<< <ashley@cpan.org> >>. Some of Tatsuhiko Miyagawa's work is reused here.
551 This module is free software; you can redistribute it and modify it under the same terms as Perl itself. See L<perlartistic>.
553 =head1 DISCLAIMER OF WARRANTY
555 Because this software is licensed free of charge, there is no warranty for the software, to the extent permitted by applicable law. Except
556 when otherwise stated in writing the copyright holders and other parties provide the software "as is" without warranty of any kind, either
557 expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The
558 entire risk as to the quality and performance of the software is with you. Should the software prove defective, you assume the cost of all
559 necessary servicing, repair, or correction.
561 In no event unless required by applicable law or agreed to in writing will any copyright holder, or any other party who may modify or
562 redistribute the software as permitted by the above license, be liable to you for damages, including any general, special, incidental, or
563 consequential damages arising out of the use or inability to use the software (including but not limited to loss of data or data being
564 rendered inaccurate or losses sustained by you or third parties or a failure of the software to operate with any other software), even if
565 such holder or other party has been advised of the possibility of such damages.
573 L<Net::OpenID::Server>, L<Net::OpenID::VerifiedIdentity>, L<Net::OpenID::Consumer>, L<http://openid.net/>,
574 L<http://openid.net/developers/specs/>, and L<http://openid.net/extensions/sreg/1.1>.
576 =item Catalyst Authentication
578 L<Catalyst>, L<Catalyst::Plugin::Authentication>, L<Catalyst::Manual::Tutorial::Authorization>, and
579 L<Catalyst::Manual::Tutorial::Authentication>.
581 =item Catalyst Configuration
583 L<Catalyst::Plugin::ConfigLoader>, L<Config::General>, and L<YAML>.
587 L<Catalyst::Manual::Tutorial>, L<Template>, L<LWPx::ParanoidAgent>.