[catagits/Catalyst-Authentication-Credential-OpenID.git] / lib / Catalyst / Authentication / Credential / OpenID.pm

package Catalyst::Authentication::Credential::OpenID;
use strict;
# use warnings; no warnings "uninitialized"; # for testing, not production
use parent "Class::Accessor::Fast";

BEGIN {
    __PACKAGE__->mk_accessors(qw/ _config realm debug secret /);
}

our $VERSION = "0.15";

use Net::OpenID::Consumer;
use Catalyst::Exception ();

sub new : method {
    my ( $class, $config, $c, $realm ) = @_;
    my $self = { _config => { %{ $config },
                              %{ $realm->{config} }
                          }
                 };
    bless $self, $class;

    # 2.0 spec says "SHOULD" be named "openid_identifier."
    $self->_config->{openid_field} ||= "openid_identifier";

    $self->debug( $self->_config->{debug} );

    my $secret = $self->_config->{consumer_secret} ||= join("+",
                                                            __PACKAGE__,
                                                            $VERSION,
                                                            sort keys %{ $c->config }
                                                            );

    $secret = substr($secret,0,255) if length $secret > 255;
    $self->secret($secret);
    # If user has no preference we prefer L::PA b/c it can prevent DoS attacks.
    $self->_config->{ua_class} ||= eval "use LWPx::ParanoidAgent" ?
        "LWPx::ParanoidAgent" : "LWP::UserAgent";

    my $agent_class = $self->_config->{ua_class};
    eval "require $agent_class"
        or Catalyst::Exception->throw("Could not 'require' user agent class " .
                                      $self->_config->{ua_class});

    $c->log->debug("Setting consumer secret: " . $secret) if $self->debug;

    return $self;
}

sub authenticate : method {
    my ( $self, $c, $realm, $authinfo ) = @_;

    $c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;

    my $field = $self->{_config}->{openid_field};

    my $claimed_uri = $authinfo->{ $field };

    # Its security related so we want to be explicit about GET/POST param retrieval.
    $claimed_uri ||= $c->req->method eq 'GET' ? 
        $c->req->query_params->{ $field } : $c->req->body_params->{ $field };


    my $csr = Net::OpenID::Consumer->new(
        ua => $self->_config->{ua_class}->new(%{$self->_config->{ua_args} || {}}),
        args => $c->req->params,
        consumer_secret => $self->secret,
    );

    if ( $self->_config->{extension_args} and $self->debug )
    {
        $c->log->info("The configuration key 'extension_args' is deprecated; use 'extensions'");
    }

    my @extensions = $self->_config->{extensions} ?
        @{ $self->_config->{extensions} } : $self->_config->{extension_args} ?
        @{ $self->_config->{extension_args} } : ();

    if ( $claimed_uri )
    {
        my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...

        my $identity = $csr->claimed_identity($claimed_uri);
        unless ( $identity )
        {
            if ( $self->_config->{errors_are_fatal} )
            {
                Catalyst::Exception->throw($csr->err);
            }
            else
            {
                $c->log->error($csr->err . " -- $claimed_uri");
                $c->detach();
            }
        }

        $identity->set_extension_args(@extensions)
            if @extensions;

        my $check_url = $identity->check_url(
            return_to  => $current . '?openid-check=1',
            trust_root => $current,
            delayed_return => 1,
        );
        $c->res->redirect($check_url);
        $c->detach();
    }
    elsif ( $c->req->params->{'openid-check'} )
    {
        if ( my $setup_url = $csr->user_setup_url )
        {
            $c->res->redirect($setup_url);
            return;
        }
        elsif ( $csr->user_cancel )
        {
            return;
        }
        elsif ( my $identity = $csr->verified_identity )
        {
            # This is where we ought to build an OpenID user and verify against the spec.
            my $user = +{ map { $_ => scalar $identity->$_ }
                qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };
            # Dude, I did not design the array as hash spec. Don't curse me [apv].
            my %flat = @extensions;
            for my $key ( keys %flat )
            {
                $user->{extensions}->{$key} = $identity->signed_extension_fields($key);
            }

            my $user_obj = $realm->find_user($user, $c);

            if ( ref $user_obj )
            {
                return $user_obj;
            }
            else
            {
                $c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $self->debug;
                return;
            }
        }
        else
        {
            $self->_config->{errors_are_fatal} ?
                Catalyst::Exception->throw("Error validating identity: " . $csr->err)
                      :
                $c->log->error( $csr->err);
        }
    }
    return;
}

1;

__END__

=head1 NAME

Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Plugin::Authentication framework.

=head1 VERSION

0.15

=head1 BACKWARDS COMPATIBILITY CHANGES

=head2 EXTENSION_ARGS v EXTENSIONS

B<NB>: The extensions were previously configured under the key C<extension_args>. They are now configured under C<extensions>. This prevents the need for double configuration but it breaks extensions in your application if you do not change the name. The old version is supported for now but may be phased out at any time.

As previously noted, L</EXTENSIONS TO OPENID>, I have not tested the extensions. I would be grateful for any feedback or, better, tests.

=head2 FATALS

The problems encountered by failed OpenID operations have always been fatals in the past. This is unexpected behavior for most users as it differs from other credentials. Authentication errors here are no longer fatal. Debug/error output is improved to offset the loss of information. If for some reason you would prefer the legacy/fatal behavior, set the configuration variable C<errors_are_fatal> to a true value.

=head1 SYNOPSIS

In MyApp.pm-

 use Catalyst qw/
    Authentication
    Session
    Session::Store::FastMmap
    Session::State::Cookie
 /;

Somewhere in myapp.conf-

 <Plugin::Authentication>
     default_realm   openid
     <realms>
         <openid>
             <credential>
                 class   OpenID
                 ua_class   LWP::UserAgent
             </credential>
         </openid>
     </realms>
 </Plugin::Authentication>

Or in your myapp.yml if you're using L<YAML> instead-

 Plugin::Authentication:
   default_realm: openid
   realms:
     openid:
       credential:
         class: OpenID
         ua_class: LWP::UserAgent

In a controller, perhaps C<Root::openid>-

 sub openid : Local {
      my($self, $c) = @_;

      if ( $c->authenticate() )
      {
          $c->flash(message => "You signed in with OpenID!");
          $c->res->redirect( $c->uri_for('/') );
      }
      else
      {
          # Present OpenID form.
      }
 }

And a L<Template> to match in C<openid.tt>-

 <form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
 <input type="text" name="openid_identifier" class="openid" />
 <input type="submit" value="Sign in with OpenID" />
 </form>

=head1 DESCRIPTION

This is the B<third> OpenID related authentication piece for
L<Catalyst>. The first E<mdash> L<Catalyst::Plugin::Authentication::OpenID>
by Benjamin Trott E<mdash> was deprecated by the second E<mdash>
L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
Miyagawa E<mdash> and this is an attempt to deprecate both by conforming to
the newish, at the time of this module's inception, realm-based
authentication in L<Catalyst::Plugin::Authentication>.

 1. Catalyst::Plugin::Authentication::OpenID
 2. Catalyst::Plugin::Authentication::Credential::OpenID
 3. Catalyst::Authentication::Credential::OpenID

The benefit of this version is that you can use an arbitrary number of
authentication systems in your L<Catalyst> application and configure
and call all of them in the same way.

Note that both earlier versions of OpenID authentication use the method
C<authenticate_openid()>. This module uses C<authenticate()> and
relies on you to specify the realm. You can specify the realm as the
default in the configuration or inline with each
C<authenticate()> call; more below.

This module functions quite differently internally from the others.
See L<Catalyst::Plugin::Authentication::Internals> for more about this
implementation.

=head1 METHODS

=over 4

=item $c->authenticate({},"your_openid_realm");

Call to authenticate the user via OpenID. Returns false if
authorization is unsuccessful. Sets the user into the session and
returns the user object if authentication succeeds.

You can see in the call above that the authentication hash is empty.
The implicit OpenID parameter is, as the 2.0 specification says it
SHOULD be, B<openid_identifier>. You can set it anything you like in
your realm configuration, though, under the key C<openid_field>. If
you call C<authenticate()> with the empty info hash and no configured
C<openid_field> then only C<openid_identifier> is checked.

It implicitly does this (sort of, it checks the request method too)-

 my $claimed_uri = $c->req->params->{openid_identifier};
 $c->authenticate({openid_identifier => $claimed_uri});

=item Catalyst::Authentication::Credential::OpenID->new()

You will never call this. Catalyst does it for you. The only important
thing you might like to know about it is that it merges its realm
configuration with its configuration proper. If this doesn't mean
anything to you, don't worry.

=back

=head2 USER METHODS

Currently the only supported user class is L<Catalyst::Plugin::Authentication::User::Hash>.

=over 4

=item $c->user->url

=item $c->user->display

=item $c->user->rss 

=item $c->user->atom

=item $c->user->foaf

=item $c->user->declared_rss

=item $c->user->declared_atom

=item $c->user->declared_foaf

=item $c->user->foafmaker

=back

See L<Net::OpenID::VerifiedIdentity> for details.

=head1 CONFIGURATION

Catalyst authentication is now configured entirely from your
application's configuration. Do not, for example, put
C<Credential::OpenID> into your C<use Catalyst ...> statement.
Instead, tell your application that in one of your authentication
realms you will use the credential.

In your application the following will give you two different
authentication realms. One called "members" which authenticates with
clear text passwords and one called "openid" which uses... uh, OpenID.

 __PACKAGE__->config
    ( name => "MyApp",
      "Plugin::Authentication" => {
          default_realm => "members",
          realms => {
              members => {
                  credential => {
                      class => "Password",
                      password_field => "password",
                      password_type => "clear"
                      },
                          store => {
                              class => "Minimal",
                              users => {
                                  paco => {
                                      password => "l4s4v3n7ur45",
                                  },
                              }
                          }
              },
              openid => {
                  credential => {
                      class => "OpenID",
                      store => {
                          class => "OpenID",
                      },
                      consumer_secret => "Don't bother setting",
                      ua_class => "LWP::UserAgent",
                      # whitelist is only relevant for LWPx::ParanoidAgent
                      ua_args => {
                          whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
                      },
                      extensions => [
                          'http://openid.net/extensions/sreg/1.1',
                          {
                           required => 'email',
                           optional => 'fullname,nickname,timezone',
                          },
                      ],
                  },
              },
          },
      }
    );

This is the same configuration in the default L<Catalyst> configuration format from L<Config::General>.

 name   MyApp
 <Plugin::Authentication>
     default_realm   members
     <realms>
         <members>
             <store>
                 class   Minimal
                 <users>
                     <paco>
                         password   l4s4v3n7ur45
                     </paco>
                 </users>
             </store>
             <credential>
                 password_field   password
                 password_type   clear
                 class   Password
             </credential>
         </members>
         <openid>
             <credential>
                 <store>
                     class   OpenID
                 </store>
                 class   OpenID
                 <ua_args>
                     whitelisted_hosts   127.0.0.1
                     whitelisted_hosts   localhost
                 </ua_args>
                 consumer_secret   Don't bother setting
                 ua_class   LWP::UserAgent
                 <extensions>
                     http://openid.net/extensions/sreg/1.1
                     required   email
                     optional   fullname,nickname,timezone
                 </extensions>
             </credential>
         </openid>
     </realms>
 </Plugin::Authentication>

And now, the same configuration in L<YAML>. B<NB>: L<YAML> is whitespace sensitive.

 name: MyApp
 Plugin::Authentication:
   default_realm: members
   realms:
     members:
       credential:
         class: Password
         password_field: password
         password_type: clear
       store:
         class: Minimal
         users:
           paco:
             password: l4s4v3n7ur45
     openid:
       credential:
         class: OpenID
         store:
           class: OpenID
         consumer_secret: Don't bother setting
         ua_class: LWP::UserAgent
         ua_args:
           # whitelist is only relevant for LWPx::ParanoidAgent
           whitelisted_hosts:
             - 127.0.0.1
             - localhost
         extensions:
             - http://openid.net/extensions/sreg/1.1
             - required: email
               optional: fullname,nickname,timezone

B<NB>: There is no OpenID store yet.

=head2 EXTENSIONS TO OPENID

The Simple Registration--L<http://openid.net/extensions/sreg/1.1>--(SREG) extension to OpenID is supported in the L<Net::OpenID> family now. Experimental support for it is included here as of v0.12. SREG is the only supported extension in OpenID 1.1. It's experimental in the sense it's a new interface and barely tested. Support for OpenID extensions is here to stay.

=head2 MORE ON CONFIGURATION

=item ua_args and ua_class

L<LWPx::ParanoidAgent> is the default agent E<mdash> C<ua_class> E<mdash> if it's available, L<LWP::UserAgent> if not. You don't have to set
it. I recommend that you do B<not> override it. You can with any well behaved L<LWP::UserAgent>. You probably should not.
L<LWPx::ParanoidAgent> buys you many defenses and extra security checks. When you allow your application users freedom to initiate external
requests, you open an avenue for DoS (denial of service) attacks. L<LWPx::ParanoidAgent> defends against this. L<LWP::UserAgent> and any
regular subclass of it will not.

=item consumer_secret

The underlying L<Net::OpenID::Consumer> object is seeded with a secret. If it's important to you to set your own, you can. The default uses
this package name + its version + the sorted configuration keys of your Catalyst application (chopped at 255 characters if it's longer).
This should generally be superior to any fixed string.

=back

=head1 TODO

Option to suppress fatals.

Support more of the new methods in the L<Net::OpenID> kit.

There are some interesting implications with this sort of setup. Does a user aggregate realms or can a user be signed in under more than one
realm? The documents could contain a recipe of the self-answering OpenID end-point that is in the tests.

Debug statements need to be both expanded and limited via realm configuration.

Better diagnostics in errors. Debug info at all consumer calls.

Roles from provider domains? Mapped? Direct? A generic "openid" auto_role?

=head1 THANKS

To Benjamin Trott (L<Catalyst::Plugin::Authentication::OpenID>), Tatsuhiko Miyagawa (L<Catalyst::Plugin::Authentication::Credential::OpenID>), Brad Fitzpatrick for the great OpenID stuff, Martin Atkins for picking up the code to handle OpenID 2.0, and Jay Kuri and everyone else who has made Catalyst such a wonderful framework.

Menno Blom provided a bug fix and the hook to use OpenID extensions.

=head1 LICENSE AND COPYRIGHT

Copyright (c) 2008-2009, Ashley Pond V C<< <ashley@cpan.org> >>. Some of Tatsuhiko Miyagawa's work is reused here.

This module is free software; you can redistribute it and modify it under the same terms as Perl itself. See L<perlartistic>.

=head1 DISCLAIMER OF WARRANTY

Because this software is licensed free of charge, there is no warranty for the software, to the extent permitted by applicable law. Except
when otherwise stated in writing the copyright holders and other parties provide the software "as is" without warranty of any kind, either
expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The
entire risk as to the quality and performance of the software is with you. Should the software prove defective, you assume the cost of all
necessary servicing, repair, or correction.

In no event unless required by applicable law or agreed to in writing will any copyright holder, or any other party who may modify or
redistribute the software as permitted by the above license, be liable to you for damages, including any general, special, incidental, or
consequential damages arising out of the use or inability to use the software (including but not limited to loss of data or data being
rendered inaccurate or losses sustained by you or third parties or a failure of the software to operate with any other software), even if
such holder or other party has been advised of the possibility of such damages.

=head1 SEE ALSO

=over 4

=item OpenID

L<Net::OpenID::Server>, L<Net::OpenID::VerifiedIdentity>, L<Net::OpenID::Consumer>, L<http://openid.net/>,
L<http://openid.net/developers/specs/>, and L<http://openid.net/extensions/sreg/1.1>.

=item Catalyst Authentication

L<Catalyst>, L<Catalyst::Plugin::Authentication>, L<Catalyst::Manual::Tutorial::Authorization>, and
L<Catalyst::Manual::Tutorial::Authentication>.

=item Catalyst Configuration

L<Catalyst::Plugin::ConfigLoader>, L<Config::General>, and L<YAML>.

=item Miscellaneous

L<Catalyst::Manual::Tutorial>, L<Template>, L<LWPx::ParanoidAgent>.

=back

=cut
Commit	Line	Data
e5b6823d	1	package Catalyst::Authentication::Credential::OpenID;
d214d0c0	2	use strict;
788804c2	3	# use warnings; no warnings "uninitialized"; # for testing, not production
	4	use parent "Class::Accessor::Fast";
	5
	6	BEGIN {
	7	__PACKAGE__->mk_accessors(qw/ _config realm debug secret /);
	8	}
	9
29b37787	10	our $VERSION = "0.15";
788804c2	11
	12	use Net::OpenID::Consumer;
	13	use Catalyst::Exception ();
	14
	15	sub new : method {
	16	my ( $class, $config, $c, $realm ) = @_;
	17	my $self = { _config => { %{ $config },
	18	%{ $realm->{config} }
	19	}
	20	};
	21	bless $self, $class;
	22
	23	# 2.0 spec says "SHOULD" be named "openid_identifier."
	24	$self->_config->{openid_field} \|\|= "openid_identifier";
e5b6823d	25
	26	$self->debug( $self->_config->{debug} );
	27
	28	my $secret = $self->_config->{consumer_secret} \|\|= join("+",
	29	__PACKAGE__,
	30	$VERSION,
	31	sort keys %{ $c->config }
	32	);
	33
	34	$secret = substr($secret,0,255) if length $secret > 255;
a404fd1a	35	$self->secret($secret);
1c4d7c1f	36	# If user has no preference we prefer L::PA b/c it can prevent DoS attacks.
	37	$self->_config->{ua_class} \|\|= eval "use LWPx::ParanoidAgent" ?
	38	"LWPx::ParanoidAgent" : "LWP::UserAgent";
e5b6823d	39
ab944aad	40	my $agent_class = $self->_config->{ua_class};
	41	eval "require $agent_class"
	42	or Catalyst::Exception->throw("Could not 'require' user agent class " .
	43	$self->_config->{ua_class});
e5b6823d	44
	45	$c->log->debug("Setting consumer secret: " . $secret) if $self->debug;
	46
	47	return $self;
	48	}
	49
	50	sub authenticate : method {
	51	my ( $self, $c, $realm, $authinfo ) = @_;
	52
	53	$c->log->debug("authenticate() called from " . $c->request->uri) if $self->debug;
	54
	55	my $field = $self->{_config}->{openid_field};
	56
	57	my $claimed_uri = $authinfo->{ $field };
	58
	59	# Its security related so we want to be explicit about GET/POST param retrieval.
	60	$claimed_uri \|\|= $c->req->method eq 'GET' ?
	61	$c->req->query_params->{ $field } : $c->req->body_params->{ $field };
	62
06f54255	63
e5b6823d	64	my $csr = Net::OpenID::Consumer->new(
	65	ua => $self->_config->{ua_class}->new(%{$self->_config->{ua_args} \|\| {}}),
	66	args => $c->req->params,
bf16184a	67	consumer_secret => $self->secret,
e5b6823d	68	);
e5b6823d	69
06f54255	70	if ( $self->_config->{extension_args} and $self->debug )
	71	{
	72	$c->log->info("The configuration key 'extension_args' is deprecated; use 'extensions'");
	73	}
	74
1c4d7c1f	75	my @extensions = $self->_config->{extensions} ?
	76	@{ $self->_config->{extensions} } : $self->_config->{extension_args} ?
	77	@{ $self->_config->{extension_args} } : ();
	78
e5b6823d	79	if ( $claimed_uri )
	80	{
	81	my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...
	82
41427aaf	83	my $identity = $csr->claimed_identity($claimed_uri);
	84	unless ( $identity )
	85	{
06f54255	86	if ( $self->_config->{errors_are_fatal} )
	87	{
	88	Catalyst::Exception->throw($csr->err);
	89	}
	90	else
	91	{
	92	$c->log->error($csr->err . " -- $claimed_uri");
	93	$c->detach();
	94	}
41427aaf	95	}
e5b6823d	96
5bd16806	97	$identity->set_extension_args(@extensions)
1c4d7c1f	98	if @extensions;
a404fd1a	99
e5b6823d	100	my $check_url = $identity->check_url(
	101	return_to => $current . '?openid-check=1',
	102	trust_root => $current,
	103	delayed_return => 1,
	104	);
	105	$c->res->redirect($check_url);
85db8ed7	106	$c->detach();
e5b6823d	107	}
	108	elsif ( $c->req->params->{'openid-check'} )
	109	{
	110	if ( my $setup_url = $csr->user_setup_url )
	111	{
	112	$c->res->redirect($setup_url);
	113	return;
	114	}
	115	elsif ( $csr->user_cancel )
	116	{
	117	return;
	118	}
	119	elsif ( my $identity = $csr->verified_identity )
	120	{
	121	# This is where we ought to build an OpenID user and verify against the spec.
	122	my $user = +{ map { $_ => scalar $identity->$_ }
	123	qw( url display rss atom foaf declared_rss declared_atom declared_foaf foafmaker ) };
1c4d7c1f	124	# Dude, I did not design the array as hash spec. Don't curse me [apv].
	125	my %flat = @extensions;
	126	for my $key ( keys %flat )
	127	{
	128	$user->{extensions}->{$key} = $identity->signed_extension_fields($key);
a404fd1a	129	}
e5b6823d	130
	131	my $user_obj = $realm->find_user($user, $c);
	132
	133	if ( ref $user_obj )
	134	{
	135	return $user_obj;
	136	}
	137	else
	138	{
06f54255	139	$c->log->debug("Verified OpenID identity failed to load with find_user; bad user_class? Try 'Null.'") if $self->debug;
e5b6823d	140	return;
	141	}
	142	}
	143	else
	144	{
06f54255	145	$self->_config->{errors_are_fatal} ?
	146	Catalyst::Exception->throw("Error validating identity: " . $csr->err)
	147	:
	148	$c->log->error( $csr->err);
e5b6823d	149	}
e5b6823d	150	}
d214d0c0	151	return;
e5b6823d	152	}
	153
	154	1;
	155
	156	__END__
	157
e5b6823d	158	=head1 NAME
e5b6823d	159
ab944aad	160	Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Plugin::Authentication framework.
e5b6823d	161
d214d0c0	162	=head1 VERSION
d214d0c0	163
29b37787	164	0.15
1c4d7c1f	165
06f54255	166	=head1 BACKWARDS COMPATIBILITY CHANGES
06f54255	167
29b37787	168	=head2 EXTENSION_ARGS v EXTENSIONS
1c4d7c1f	169
29b37787	170	B<NB>: The extensions were previously configured under the key C<extension_args>. They are now configured under C<extensions>. This prevents the need for double configuration but it breaks extensions in your application if you do not change the name. The old version is supported for now but may be phased out at any time.
1c4d7c1f	171
1c4d7c1f	172	As previously noted, L</EXTENSIONS TO OPENID>, I have not tested the extensions. I would be grateful for any feedback or, better, tests.
d214d0c0	173
06f54255	174	=head2 FATALS
	175
	176	The problems encountered by failed OpenID operations have always been fatals in the past. This is unexpected behavior for most users as it differs from other credentials. Authentication errors here are no longer fatal. Debug/error output is improved to offset the loss of information. If for some reason you would prefer the legacy/fatal behavior, set the configuration variable C<errors_are_fatal> to a true value.
	177
e5b6823d	178	=head1 SYNOPSIS
e5b6823d	179
ab944aad	180	In MyApp.pm-
d214d0c0	181
e5b6823d	182	use Catalyst qw/
	183	Authentication
	184	Session
	185	Session::Store::FastMmap
	186	Session::State::Cookie
	187	/;
	188
ab944aad	189	Somewhere in myapp.conf-
d214d0c0	190
	191	<Plugin::Authentication>
	192	default_realm openid
	193	<realms>
	194	<openid>
d214d0c0	195	<credential>
d214d0c0	196	class OpenID
29b37787	197	ua_class LWP::UserAgent
d214d0c0	198	</credential>
	199	</openid>
	200	</realms>
	201	</Plugin::Authentication>
	202
ab944aad	203	Or in your myapp.yml if you're using L<YAML> instead-
d214d0c0	204
e5b6823d	205	Plugin::Authentication:
	206	default_realm: openid
	207	realms:
	208	openid:
	209	credential:
	210	class: OpenID
29b37787	211	ua_class: LWP::UserAgent
d214d0c0	212
ab944aad	213	In a controller, perhaps C<Root::openid>-
e5b6823d	214
bf16184a	215	sub openid : Local {
e5b6823d	216	my($self, $c) = @_;
	217
	218	if ( $c->authenticate() )
	219	{
	220	$c->flash(message => "You signed in with OpenID!");
	221	$c->res->redirect( $c->uri_for('/') );
	222	}
	223	else
	224	{
	225	# Present OpenID form.
	226	}
bf16184a	227	}
e5b6823d	228
ab944aad	229	And a L<Template> to match in C<openid.tt>-
d214d0c0	230
bf16184a	231	<form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
	232	<input type="text" name="openid_identifier" class="openid" />
	233	<input type="submit" value="Sign in with OpenID" />
	234	</form>
e5b6823d	235
e5b6823d	236	=head1 DESCRIPTION
	237
	238	This is the B<third> OpenID related authentication piece for
6342195d	239	L<Catalyst>. The first E<mdash> L<Catalyst::Plugin::Authentication::OpenID>
6342195d	240	by Benjamin Trott E<mdash> was deprecated by the second E<mdash>
e5b6823d	241	L<Catalyst::Plugin::Authentication::Credential::OpenID> by Tatsuhiko
6342195d	242	Miyagawa E<mdash> and this is an attempt to deprecate both by conforming to
e5b6823d	243	the newish, at the time of this module's inception, realm-based
	244	authentication in L<Catalyst::Plugin::Authentication>.
	245
d214d0c0	246	1. Catalyst::Plugin::Authentication::OpenID
	247	2. Catalyst::Plugin::Authentication::Credential::OpenID
	248	3. Catalyst::Authentication::Credential::OpenID
e5b6823d	249
	250	The benefit of this version is that you can use an arbitrary number of
	251	authentication systems in your L<Catalyst> application and configure
	252	and call all of them in the same way.
	253
d214d0c0	254	Note that both earlier versions of OpenID authentication use the method
e5b6823d	255	C<authenticate_openid()>. This module uses C<authenticate()> and
	256	relies on you to specify the realm. You can specify the realm as the
	257	default in the configuration or inline with each
	258	C<authenticate()> call; more below.
	259
	260	This module functions quite differently internally from the others.
	261	See L<Catalyst::Plugin::Authentication::Internals> for more about this
	262	implementation.
	263
a404fd1a	264	=head1 METHODS
e5b6823d	265
	266	=over 4
	267
d214d0c0	268	=item $c->authenticate({},"your_openid_realm");
e5b6823d	269
	270	Call to authenticate the user via OpenID. Returns false if
	271	authorization is unsuccessful. Sets the user into the session and
	272	returns the user object if authentication succeeds.
	273
	274	You can see in the call above that the authentication hash is empty.
	275	The implicit OpenID parameter is, as the 2.0 specification says it
	276	SHOULD be, B<openid_identifier>. You can set it anything you like in
	277	your realm configuration, though, under the key C<openid_field>. If
	278	you call C<authenticate()> with the empty info hash and no configured
	279	C<openid_field> then only C<openid_identifier> is checked.
	280
	281	It implicitly does this (sort of, it checks the request method too)-
	282
	283	my $claimed_uri = $c->req->params->{openid_identifier};
	284	$c->authenticate({openid_identifier => $claimed_uri});
	285
d214d0c0	286	=item Catalyst::Authentication::Credential::OpenID->new()
bf16184a	287
	288	You will never call this. Catalyst does it for you. The only important
	289	thing you might like to know about it is that it merges its realm
	290	configuration with its configuration proper. If this doesn't mean
	291	anything to you, don't worry.
e5b6823d	292
bf16184a	293	=back
e5b6823d	294
	295	=head2 USER METHODS
	296
	297	Currently the only supported user class is L<Catalyst::Plugin::Authentication::User::Hash>.
	298
bf16184a	299	=over 4
e5b6823d	300
d214d0c0	301	=item $c->user->url
e5b6823d	302
d214d0c0	303	=item $c->user->display
e5b6823d	304
d214d0c0	305	=item $c->user->rss
e5b6823d	306
d214d0c0	307	=item $c->user->atom
e5b6823d	308
d214d0c0	309	=item $c->user->foaf
e5b6823d	310
d214d0c0	311	=item $c->user->declared_rss
e5b6823d	312
d214d0c0	313	=item $c->user->declared_atom
e5b6823d	314
d214d0c0	315	=item $c->user->declared_foaf
e5b6823d	316
d214d0c0	317	=item $c->user->foafmaker
e5b6823d	318
	319	=back
	320
	321	See L<Net::OpenID::VerifiedIdentity> for details.
	322
	323	=head1 CONFIGURATION
	324
	325	Catalyst authentication is now configured entirely from your
	326	application's configuration. Do not, for example, put
	327	C<Credential::OpenID> into your C<use Catalyst ...> statement.
	328	Instead, tell your application that in one of your authentication
	329	realms you will use the credential.
	330
	331	In your application the following will give you two different
	332	authentication realms. One called "members" which authenticates with
	333	clear text passwords and one called "openid" which uses... uh, OpenID.
	334
	335	__PACKAGE__->config
	336	( name => "MyApp",
	337	"Plugin::Authentication" => {
	338	default_realm => "members",
	339	realms => {
	340	members => {
	341	credential => {
	342	class => "Password",
	343	password_field => "password",
	344	password_type => "clear"
	345	},
	346	store => {
	347	class => "Minimal",
	348	users => {
	349	paco => {
	350	password => "l4s4v3n7ur45",
	351	},
	352	}
	353	}
	354	},
	355	openid => {
e5b6823d	356	credential => {
	357	class => "OpenID",
	358	store => {
	359	class => "OpenID",
	360	},
29b37787	361	consumer_secret => "Don't bother setting",
	362	ua_class => "LWP::UserAgent",
	363	# whitelist is only relevant for LWPx::ParanoidAgent
	364	ua_args => {
	365	whitelisted_hosts => [qw/ 127.0.0.1 localhost /],
a404fd1a	366	},
29b37787	367	extensions => [
	368	'http://openid.net/extensions/sreg/1.1',
	369	{
	370	required => 'email',
	371	optional => 'fullname,nickname,timezone',
	372	},
	373	],
	374	},
e5b6823d	375	},
e5b6823d	376	},
a404fd1a	377	}
a404fd1a	378	);
e5b6823d	379
d214d0c0	380	This is the same configuration in the default L<Catalyst> configuration format from L<Config::General>.
	381
	382	name MyApp
	383	<Plugin::Authentication>
	384	default_realm members
	385	<realms>
	386	<members>
	387	<store>
	388	class Minimal
	389	<users>
	390	<paco>
	391	password l4s4v3n7ur45
	392	</paco>
	393	</users>
	394	</store>
	395	<credential>
	396	password_field password
	397	password_type clear
	398	class Password
	399	</credential>
	400	</members>
	401	<openid>
d214d0c0	402	<credential>
	403	<store>
	404	class OpenID
	405	</store>
	406	class OpenID
29b37787	407	<ua_args>
	408	whitelisted_hosts 127.0.0.1
	409	whitelisted_hosts localhost
	410	</ua_args>
	411	consumer_secret Don't bother setting
	412	ua_class LWP::UserAgent
	413	<extensions>
	414	http://openid.net/extensions/sreg/1.1
	415	required email
	416	optional fullname,nickname,timezone
	417	</extensions>
d214d0c0	418	</credential>
	419	</openid>
	420	</realms>
	421	</Plugin::Authentication>
	422
	423	And now, the same configuration in L<YAML>. B<NB>: L<YAML> is whitespace sensitive.
e5b6823d	424
	425	name: MyApp
	426	Plugin::Authentication:
	427	default_realm: members
	428	realms:
	429	members:
	430	credential:
	431	class: Password
	432	password_field: password
	433	password_type: clear
	434	store:
	435	class: Minimal
	436	users:
	437	paco:
	438	password: l4s4v3n7ur45
	439	openid:
	440	credential:
	441	class: OpenID
	442	store:
	443	class: OpenID
29b37787	444	consumer_secret: Don't bother setting
	445	ua_class: LWP::UserAgent
	446	ua_args:
	447	# whitelist is only relevant for LWPx::ParanoidAgent
	448	whitelisted_hosts:
	449	- 127.0.0.1
	450	- localhost
	451	extensions:
	452	- http://openid.net/extensions/sreg/1.1
	453	- required: email
	454	optional: fullname,nickname,timezone
e5b6823d	455
6342195d	456	B<NB>: There is no OpenID store yet.
bf16184a	457
a404fd1a	458	=head2 EXTENSIONS TO OPENID
a404fd1a	459
1c4d7c1f	460	The Simple Registration--L<http://openid.net/extensions/sreg/1.1>--(SREG) extension to OpenID is supported in the L<Net::OpenID> family now. Experimental support for it is included here as of v0.12. SREG is the only supported extension in OpenID 1.1. It's experimental in the sense it's a new interface and barely tested. Support for OpenID extensions is here to stay.
a404fd1a	461
d214d0c0	462	=head2 MORE ON CONFIGURATION
bf16184a	463
d214d0c0	464	=item ua_args and ua_class
bf16184a	465
06f54255	466	L<LWPx::ParanoidAgent> is the default agent E<mdash> C<ua_class> E<mdash> if it's available, L<LWP::UserAgent> if not. You don't have to set
	467	it. I recommend that you do B<not> override it. You can with any well behaved L<LWP::UserAgent>. You probably should not.
	468	L<LWPx::ParanoidAgent> buys you many defenses and extra security checks. When you allow your application users freedom to initiate external
	469	requests, you open an avenue for DoS (denial of service) attacks. L<LWPx::ParanoidAgent> defends against this. L<LWP::UserAgent> and any
	470	regular subclass of it will not.
e5b6823d	471
d214d0c0	472	=item consumer_secret
bf16184a	473
06f54255	474	The underlying L<Net::OpenID::Consumer> object is seeded with a secret. If it's important to you to set your own, you can. The default uses
	475	this package name + its version + the sorted configuration keys of your Catalyst application (chopped at 255 characters if it's longer).
	476	This should generally be superior to any fixed string.
bf16184a	477
	478	=back
	479
e5b6823d	480	=head1 TODO
e5b6823d	481
1c4d7c1f	482	Option to suppress fatals.
1c4d7c1f	483
a404fd1a	484	Support more of the new methods in the L<Net::OpenID> kit.
a404fd1a	485
06f54255	486	There are some interesting implications with this sort of setup. Does a user aggregate realms or can a user be signed in under more than one
06f54255	487	realm? The documents could contain a recipe of the self-answering OpenID end-point that is in the tests.
e5b6823d	488
06f54255	489	Debug statements need to be both expanded and limited via realm configuration.
e5b6823d	490
bf16184a	491	Better diagnostics in errors. Debug info at all consumer calls.
e5b6823d	492
bf16184a	493	Roles from provider domains? Mapped? Direct? A generic "openid" auto_role?
e5b6823d	494
f29585f9	495	=head1 THANKS
f29585f9	496
a404fd1a	497	To Benjamin Trott (L<Catalyst::Plugin::Authentication::OpenID>), Tatsuhiko Miyagawa (L<Catalyst::Plugin::Authentication::Credential::OpenID>), Brad Fitzpatrick for the great OpenID stuff, Martin Atkins for picking up the code to handle OpenID 2.0, and Jay Kuri and everyone else who has made Catalyst such a wonderful framework.
a404fd1a	498
1c4d7c1f	499	Menno Blom provided a bug fix and the hook to use OpenID extensions.
f29585f9	500
e5b6823d	501	=head1 LICENSE AND COPYRIGHT
e5b6823d	502
1c4d7c1f	503	Copyright (c) 2008-2009, Ashley Pond V C<< <ashley@cpan.org> >>. Some of Tatsuhiko Miyagawa's work is reused here.
e5b6823d	504
a404fd1a	505	This module is free software; you can redistribute it and modify it under the same terms as Perl itself. See L<perlartistic>.
e5b6823d	506
e5b6823d	507	=head1 DISCLAIMER OF WARRANTY
e5b6823d	508
06f54255	509	Because this software is licensed free of charge, there is no warranty for the software, to the extent permitted by applicable law. Except
	510	when otherwise stated in writing the copyright holders and other parties provide the software "as is" without warranty of any kind, either
	511	expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The
	512	entire risk as to the quality and performance of the software is with you. Should the software prove defective, you assume the cost of all
e5b6823d	513	necessary servicing, repair, or correction.
e5b6823d	514
06f54255	515	In no event unless required by applicable law or agreed to in writing will any copyright holder, or any other party who may modify or
	516	redistribute the software as permitted by the above license, be liable to you for damages, including any general, special, incidental, or
	517	consequential damages arising out of the use or inability to use the software (including but not limited to loss of data or data being
	518	rendered inaccurate or losses sustained by you or third parties or a failure of the software to operate with any other software), even if
	519	such holder or other party has been advised of the possibility of such damages.
e5b6823d	520
e5b6823d	521	=head1 SEE ALSO
e5b6823d	522
d214d0c0	523	=over 4
e5b6823d	524
d214d0c0	525	=item OpenID
e5b6823d	526
06f54255	527	L<Net::OpenID::Server>, L<Net::OpenID::VerifiedIdentity>, L<Net::OpenID::Consumer>, L<http://openid.net/>,
06f54255	528	L<http://openid.net/developers/specs/>, and L<http://openid.net/extensions/sreg/1.1>.
e5b6823d	529
d214d0c0	530	=item Catalyst Authentication
d214d0c0	531
06f54255	532	L<Catalyst>, L<Catalyst::Plugin::Authentication>, L<Catalyst::Manual::Tutorial::Authorization>, and
06f54255	533	L<Catalyst::Manual::Tutorial::Authentication>.
d214d0c0	534
1200a1ee	535	=item Catalyst Configuration
d214d0c0	536
	537	L<Catalyst::Plugin::ConfigLoader>, L<Config::General>, and L<YAML>.
	538
	539	=item Miscellaneous
	540
f29585f9	541	L<Catalyst::Manual::Tutorial>, L<Template>, L<LWPx::ParanoidAgent>.
d214d0c0	542
	543	=back
	544
e5b6823d	545	=cut