Error Codes

| Code | Reason |
|------|--------|
| noimmediate | OPENID_IMMEDIATE is set but couldn't perform immediate auth |
| throttled | User is trying to auth too often |
| discovery | There was an error during discovery (down site, protocol not supported, etc.) |
| notvalid | The identity entered isn't valid (no openid.server link) |
| nonce | Nonce didn't match: either the user is trying to do a replay attack, or they tried to access an old page |
| diffid | The IdP validated a different identity (= broken provider?) |
| autherror | Error while trying to POST data to authenticate a request in dumb mode |
| noauth | The provider didn't authenticate the signature of the id_res message (or it didn't match the one we were expecting in associate mode) = something's broken or someone's trying one of several attacks |
| cancelled | Provider indicated that the attempt was cancelled |
| perror | Error returned by the provider |

Provider details
Implementor-defined functions:
- isAuthed(identity, serverInfo)
- doAuth(identity, token, serverInfo)
Useful functions:
- continueAuth(token, authed, [sreg info])

ServerInfo structure
- URL - openid.return_to
- realm - trust root/realm, falling back to openid.return_to
- version - OpenID version they're using
- mode - dumb/associate
- associate[since] - the time the server associated
- associate[sessiontype] - encryption used to transmit the MAC key
- associate[hashtype] - the hashing algo used for message verification
- sreg[X] = {optional,required} - any sreg info they've requested

- Add support for D-H key exchange
- Tidy up processor code
- Look at how authentication logic is abstracted
- Tidy up keymanager
- Move D-H processing to association routine
- Tidy up bigmath library
- Revoke all old keys periodically
- Alternate data store

Version 2.0 changes
- Association attempts may fail
- Verify openid.op_endpoint
- Investigate YARIS/XRI stuff
- Realm instead of trust_root

Provider requirements
- Check with user it's ok to continue
- Show as much information about the server as possible (associate/dumb mode, trust root, return url)
- Allow the user to select which (if any) of the sreg details are returned
- Ability to remember both login and sreg details for each server (based on trust root?)
- List of authorised sites (options to revoke auth)
- List of recent sites
- Anti-phishing message on the main page
CategoryProjects CategoryPoidsy CategoryPHP