path: root/Auth
Commit message [Author, Age, Files, Lines]
* #130: PHP 7 compatibility (fixes #129) (HEAD, origin/master, origin/HEAD, master) [Oleksandr Zahorulia, 2016-09-30, 25, -67/+69]
|
* Fixes CVE-2014-8150 [Marco Ceppi, 2015-07-30, 1, -1/+11]
    Thanks for reporting and patching this Andrey!
* loop over directories "the right way" [Lawrence Brown, 2015-01-03, 1, -1/+1]
    See http://php.net/manual/en/function.readdir.php - specifically

        /* This is the correct way to loop over the directory. */
        while (false !== ($entry = readdir($handle))) {
            echo "$entry\n";
        }

        /* This is the WRONG way to loop over the directory. */
        while ($entry = readdir($handle)) {
            echo "$entry\n";
        }

    Looping over a directory the wrong way will cause the loop to stop if it comes to a directory named 0 (or anything else which evaluates to false)
* Provide several modifications on the PredisStore implementation. [drmalex07, 2014-03-11, 1, -4/+7]
    - Fixed some typos
    - Fixed the way an association is retrieved from the store (getAssociation()). The existing implementation was popping (LPOP) from a list, causing unneeded re-associations. If we need to discard stale association handles, I think we should rather set the appropriate expiry intervals.
* Merge pull request #115 from marcoceppi/warn-when-person-is-doing-harm [Marco Ceppi, 2014-02-13, 1, -2/+7]
|\
    Add warning when you disable SSL, don't be silly please
| * Add warning when you disable SSL, don't be silly please [Marco Ceppi, 2014-01-22, 1, -2/+7]
| |
* | Reject OpenID XML responses with a doctype CVE-2012-4554 [Marco Ceppi, 2014-01-23, 1, -0/+4]
| |
* | Clean up [Marco Ceppi, 2014-01-23, 1, -3/+3]
|/
* Merge pull request #113 from thanhhh/master [Marco Ceppi, 2014-01-20, 1, -1/+5]
|\
    Add Auth_OpenID_DISABLE_SSL_VERIFY opt to disable SSL verify
| * Remove wasted white space for #113 [ThanhHH, 2014-01-16, 1, -2/+2]
| |
| * Add Auth_OpenID_DISABLE_SSL_VERIFY opt to disable SSL verify [ThanhHH, 2014-01-09, 1, -3/+7]
| |
* | Yadis: drop custom replaceEntities() function and use html_entity_decode [Adam Williamson, 2014-01-09, 1, -24/+1]
    Yadis' ParseHTML.php has a replaceEntities() function for replacing HTML entities, with a comment that appears to explain its existence by stating "Replace numeric entities because html_entity_decode doesn't do it for us". This is breaking with PHP 5.5 because it uses the deprecated /e modifier for preg_replace() - https://github.com/openid/php-openid/issues/108 .

    I think this custom function is no longer needed at least with PHP 5. PHP 5 has had support for replacing numeric entities since 2003, and its entity handling code has been refined quite a lot since then. replaceEntities() has been there since 2006, and probably earlier. I guess at that time PHP 4 compatibility was still important so this was needed - I don't think PHP 4's html_entity_decode() has ever had numeric entity support - but now PHP 5 is a decade old and there's a separate PHP 4 branch of php-openid, I think we can ditch replaceEntities() in the main branch!
* | Merge pull request #111 from stutiredboy/master [Marco Ceppi, 2014-01-09, 1, -0/+3]
|\ \
| |/
|/|
    Update Consumer.php for Auth_OpenID_DumbStore
| * Update Consumer.php [stutiredboy, 2013-12-17, 1, -0/+3]
    ```
    $this->_use_assocs = (is_null($this->store) ? false : true);
    ```
    always returns true, even if the store is Auth_OpenID_DumbStore, and does an association with the OpenID Server. But the OpenID Server will reject the check_authentication if the RP has done an association.
* | Merge pull request #94 from etienneq/pass-by-reference-fix [Marco Ceppi, 2013-12-17, 5, -14/+14]
|\ \
| |/
|/|
    issue #8 fix (PHP 5.4 call-time pass-by-reference removed)
| * Call-time pass-by-reference fix [Etienne Quiel, 2013-04-09, 5, -14/+14]
| |
* | Merge pull request #105 from vmattila/predis-store [Marco Ceppi, 2013-09-03, 1, -2/+2]
|\ \
    Fixed wrong expiration command (expiresat -> expireat)
| * | Fixed wrong expiration command (expiresat -> expireat) [Ville Mattila, 2013-09-02, 1, -2/+2]
| | |
* | | correction for PHP < 5.2.11 [nao-pon, 2013-08-25, 1, -6/+11]
    libxml_disable_entity_loader (PHP 5 >= 5.2.11)
* | | Merge pull request #103 from vmattila/predis-store [Marco Ceppi, 2013-08-17, 1, -0/+208]
|\ \ \
| |/ /
    Implemented PredisStore to provide association store for Redis servers.
| * | Implemented PredisStore to provide association store for Redis servers. [Ville Mattila, 2013-08-13, 1, -0/+208]
| | |
* | | disable external XML entities and libxml errors [Will Norris, 2013-08-11, 1, -1/+8]
|/ /
    thanks to Kousuke Ebihara for the report and patch.
* | Prevent errors in strict mode due to weird PEAR static method declarations [David Simon, 2013-05-21, 2, -14/+14]
| |
* | Fixes #54. Pass request data to fix AX. [Evgeniya Patuk, 2013-05-08, 1, -3/+8]
    AX fetch response is created based on AX fetch request data. Need to pass the $request to the Auth_OpenID_AX_FetchResponse getExtensionArgs method.
* | included more checks for file access errors [Etienne Quiel, 2013-05-06, 1, -1/+10]
|/
* Better to use isset() in case it doesn't exist. [Henrik Sjökvist, 2013-02-21, 1, -1/+1]
|
* If $_SESSION isn't set, don't trigger a PHP notice. [Henrik Sjökvist, 2013-02-20, 1, -1/+1]
|
* Merge pull request #83 from UNINETT/master [Marco Ceppi, 2012-12-21, 1, -3/+3]
|\
    Fix encoding errors in some POST forms + fix example server
| * Properly escape form output data. [Olav Morken, 2012-10-19, 1, -3/+3]
    Since this data is inserted as strings in HTML documents, we should call htmlspecialchars() to protect against any values containing special characters, e.g. '"' or '&'.
| * Revert "1. Added urldecoding POST form values (browser will encode them if needed)." [Olav Morken, 2012-10-19, 1, -1/+1]
    Since the message values are not URL encoded, calling urldecode() on them does not make sense. Instead, it breaks any OpenID parameter containing anything that looks like URL encoding.
    This reverts commit 8d53dfe542f321da3a6e6d6e626923d575ed91d2.
* | Merge pull request #61 from JonTheNiceGuy/removelogging [Marco Ceppi, 2012-12-21, 1, -7/+0]
|\ \
    Removed logging calls for a successful retrieval, as the PlainHTTPFetcher doesn't perform logging on a successful commit.
| * | Removed logging calls for a successful retrieval, as the PlainHTTPFetcher doesn't perform logging on a successful commit. [Jon "The Nice Guy" Spriggs, 2011-10-05, 1, -7/+0]
* | | Set proxy options only if Auth_OpenID_HTTP_PROXY is explicitly set [itsour, 2012-10-25, 1, -1/+7]
| |/
|/|
* | Return string instead of array [Daniel Hofstetter, 2012-08-14, 1, -1/+5]
| |
* | Removed one deprecated runtime call-by-reference [Ville Mattila, 2012-08-09, 1, -1/+1]
| |
* | Merge pull request #41 from cakebaker/master [Marco Ceppi, 2012-07-31, 1, -1/+1]
|\ \
    Changing datatype of the server_url column from blob to varchar
| * | Using varchar(2047) instead of blob for server_url column [Daniel Hofstetter, 2010-12-15, 1, -1/+1]
| | |
* | | fixed call-time pass-by-reference [Arnaud Le Blanc, 2012-03-04, 3, -7/+11]
| | |
* | | allow custom CA certs to be used to verify hosts [Will Norris, 2012-01-02, 1, -0/+6]
    partially fixes #38
* | | restructure Auth_OpenID_VERIFY_HOST logic [Will Norris, 2012-01-02, 1, -24/+19]
    make it a little more readable and obvious what we're doing here
* | | In response to Issue 38 and issue 51, this patch allows forcing host verification on and off, or leaving the defaults as-is. [Jon "The Nice Guy" Spriggs, 2011-10-05, 1, -3/+24]
| |/
|/|
* | Improve PHP 5 compliance [Adrian Lang, 2010-10-08, 4, -3/+9]
|/
* Patching issue 17 (http://github.com/openid/php-openid/issues/#issue/17) [JonTheNiceGuy, 2010-07-21, 1, -1/+5]
    This was also logged previously as Trac ticket 356
    This patch was submitted at the time by https://me.yahoo.com/doulepov
* fixed Parse::match() returning different types and cleaned call-by-ref warnings [Tim Preston, 2010-07-20, 3, -5/+5]
    Auth/OpenID/Parse.php
    The match() function takes a reference parameter $match and, depending on execution flow, either returns that as an array or a string. This has been modified to now return an array in both cases.
    Auth/OpenID/Consumer.php
    Auth/Yadis/Manager.php
    Fixed two function calls with explicit call-by-reference parameters.
* 1. Added urldecoding POST form values (browser will encode them if needed). [Shein Alexey, 2010-07-20, 1, -1/+1]
|
* callback requires 3 parameters, not 2. fixes issue#1 from github.com/openid/php-openid branch [Alexey Zakhlestin, 2010-07-20, 1, -1/+1]
* no need for reference here, as php-5.x already treats all objects as pseudo-references [Alexey Zakhlestin, 2010-07-20, 1, -1/+1]
* Use constant-time comparison of signatures to mitigate timing attacks [Carl Howells, 2010-07-20, 2, -1/+15]
|
* Updating version (2.2.2) [Lilli, 2010-04-29, 1, -1/+1]
|
* Fixing issue opened by jhr with patch found on bugs.debian.orgs: "A Debian user reported that the regular expression in Auth/OpenID/Parse.php is too greedy to cope with big pages. A simple fix is to make .? to . See http://bugs.debian.org/535479 for more info." [Lilli, 2010-04-29, 1, -1/+1]
* Updated version (2.2.1) [Lilli, 2010-04-28, 1, -1/+1]
|
* Merge branch 'master' of github.com:openid/php-openid [Lilli, 2010-04-28, 2, -14/+14]
|\
| * form should autosubmit. fixes issue#2 from github.com/openid/php-openid branch [Alexey Zakhlestin, 2010-04-29, 1, -1/+1]
| |
| * fix mb_ereg warning [Alexey Zakhlestin, 2010-04-29, 1, -11/+11]
| |
| * fix typo [Alexey Zakhlestin, 2010-04-29, 1, -2/+2]
| |
* | Manually added indeyet's commit because it was failing: 'no need for reference here, as php-5.x already treats all objects as pseudo-references' [Lilli, 2010-04-28, 1, -1/+1]
|/
* Merge branch 'master' of github.com:openid/php-openid [Lilli, 2010-04-28, 3, -15/+3]
|\
| * Don't throw error when when received arg count is unlimited [Anthony BRETAUDEAU, 2010-04-29, 1, -1/+1]
| |
| * As written in doc, don't erase signed args when some of the args are unsigned [Anthony BRETAUDEAU, 2010-04-29, 1, -1/+1]
| |
| * SQLStore: use is_subclass_of to determine if we have a PEAR instance. [Daniel Hahler, 2010-04-29, 1, -13/+1]
    This prevents a blank page with no error indication at all, if there appears to happen a fatal error when trying to require DB.php from the global include path (very bad practice!)
    Instead, using is_subclass_of should be enough, especially when using an own implementation.
* | Added ccazette/indeyet's change to function returnToVerified() manually as the commit was failing as when I tried to pull the change. [Lilli, 2010-04-28, 1, -2/+3]
    This fixes the issue opened by ccazette: 'In Server.php, this function calls the Auth_OpenID_verifyReturnTo() function from TrustRoot.php, which takes 3 arguments, but only 2 are given in call_user_func_array.'
* | Fixed minor issue that Ouroboros17 brought to my attention: 'Server.php give me a notice error at line 1471 because ->code can be undefined. An isset test can correct the problem ;)' [Lilli, 2010-04-28, 1, -1/+1]
|/
* Removed/changed references to openidenabled.com. At this time, not every reference has been updated. (2.2.0) [Lilli, 2010-03-16, 1, -1/+1]
* Added the following patch from the trac.openidenabled.com bug tracker: [Lilli, 2010-02-16, 7, -8/+10]
    http://trac.openidenabled.com/trac/ticket/338
    (http://trac.openidenabled.com/trac/attachment/ticket/338/openid-php5.3.diff)

    Patch makes php-openid library compatible with PHP 5.3, and included changes to many files.

    Original Message:
    Reported by: http://paulisageek.com/
    Opened 6 months ago
    Last modified 2 months ago
    php openid library doesn't seem to work with php 5.3

    "I get many PHP warnings and then the error condition on the Consumer.

    Deprecated: Assigning the return value of new by reference is deprecated in *path*/Auth/OpenID/Consumer.php on line 271
    Deprecated: Assigning the return value of new by reference is deprecated in *path*/Auth/OpenID/Consumer.php on line 273
    Warning: Parameter 1 to filter_MatchesAnyOpenIDType() expected to be a reference, value given in *path*/Auth/Yadis/XRDS.php on line 431
    Warning: Parameter 2 to Auth_OpenID_GenericConsumer::_completeInvalid() expected to be a reference, value given in *path*/Auth/OpenID/Consumer.php on line 669
    "

    It should be noted that 3 hunks across 7 files failed, and I applied most of them manually. 7 files were patched.
* Added the following patch from the trac.openidenabled.com bug tracker: [Lilli, 2010-02-16, 22, -236/+189]
    http://trac.openidenabled.com/trac/ticket/337
    (http://trac.openidenabled.com/trac/attachment/ticket/337/php-openid-php5.3.patch)

    Patch makes php-openid library compatible with PHP 5.3, and included changes to many files.

    Original Message:
    Reported by: http://bfarber.myopenid.com/
    Opened 7 months ago
    Last modified 2 months ago
    PHP OpenID libraries do not work on PHP 5.3

    "In my own application the script simply stops working at

        function Auth_OpenID_setNoMathSupport()
        {
            if (!defined('Auth_OpenID_NO_MATH_SUPPORT')) {
                define('Auth_OpenID_NO_MATH_SUPPORT', true);
            }
        }

    (Namespace issue perhaps?)

    I downloaded the latest 2.1.3 libraries available from the site here and set them up on my local server. Using PHP 5.2.9 they work fine (with some notices) however using PHP 5.3 they don't work at all. I just get this one a white screen

    Deprecated: Assigning the return value of new by reference is deprecated in C:\wamp\www\openid\php-openid-2.1.3\examples\consumer\common.php on line 72
    Deprecated: Assigning the return value of new by reference is deprecated in C:\wamp\www\openid\php-openid-2.1.3\Auth\OpenID\Consumer.php on line 271
    Deprecated: Assigning the return value of new by reference is deprecated in C:\wamp\www\openid\php-openid-2.1.3\Auth\OpenID\Consumer.php on line 273"

    It should be noted that 34 hunks across about 22 files failed, and I applied most of them manually. 37 files were patched.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-12, 1, -0/+20]
    http://lists.openidenabled.com/pipermail/dev/attachments/20090928/2d616914/attachment.bin

    Original Message:
    anthony.lenton at canonical.com anthony.lenton at canonical.com
    Mon Sep 28 11:30:12 PDT 2009
    darcs patch: cURL verify host

    "With this patch, if you define Auth_Openid_VERIFY_HOST cURL will enable host verification on ssl connections, for added security."

    This patch was in the form of a Darcs patch, not a normal patch. To solve this, I applied it to the Darcs repository found on openidenabled, then created a new diff file between the original Darcs repo and the new one (with the patch applied) so that I could apply it to this git repo. All hunks were applied successfully.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-12, 2, -2/+2]
    http://lists.openidenabled.com/pipermail/dev/attachments/20090206/f0d91666/attachment-0001.bin

    Original Message:
    will at willnorris.com will at willnorris.com
    Fri Feb 6 14:56:12 PST 2009
    darcs patch: Properly handle Yadis discovery failure

    "The library does not currently handle failures during Yadis discovery properly. Specifically, if Yadis discovery fails, and discovery WAS being done with an XRDS document, then non-Yadis discovery should be attempted. The use-case I'm dealing with right now that exposes this bug is when an XRDS document location is advertised (via HTTP response header or <meta /> HTML tag), but the document is not able to be retrieved for whatever reason. The library is failing in this case, instead of continuing to attempt non-Yadis discovery.

    This patch includes two changes:
    - change to Yadis/Yadis.php that properly detects if XRDS was used
    - change to OpenID/Discovery.php that prevents discovery from halting in the above example"

    This patch was in the form of a Darcs patch, not a normal patch. To solve this, I applied it to the Darcs repository found on openidenabled, then created a new diff file between the original Darcs repo and the new one (with the patch applied) so that I could apply it to this git repo. All hunks were applied successfully.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-12, 1, -1/+1]
    http://lists.openidenabled.com/pipermail/dev/attachments/20090113/8ed067b3/attachment.bin

    Original Message:
    will at willnorris.com will at willnorris.com
    Sun Jan 4 11:27:26 PST 2009
    darcs patch: I'm not entirely sure which versions of PHP are having...

    "I've had a number of users report that $this->store is incorrectly evaluating to false, thereby preventing associations from being used. I've been unable to reproduce this myself, but the change is minor enough."

    This patch was in the form of a Darcs patch, not a normal patch. To solve this, I applied it to the Darcs repository found on openidenabled, then created a new diff file between the original Darcs repo and the new one (with the patch applied) so that I could apply it to this git repo. All hunks were applied successfully.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-12, 3, -4/+32]
    http://lists.openidenabled.com/pipermail/dev/attachments/20090109/7e344691/attachment-0001.bin

    Original Message:
    ketmar at ketmar.no-ip.org ketmar at ketmar.no-ip.org
    Fri Jan 9 07:51:35 PST 2009
    darcs patch: fix for incomplete URIs in "location" http field (for ...

    "* fix for incomplete URIs in "location" http field (for technorati and maybe others)"

    This patch was in the form of a Darcs patch, not a normal patch. To solve this, I applied it to the Darcs repository found on openidenabled, then created a new diff file between the original Darcs repo and the new one (with the patch applied) so that I could apply it to this git repo. Hunks were applied successfully.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-12, 1, -2/+2]
    http://lists.openidenabled.com/pipermail/dev/attachments/20090101/217f2590/attachment.bin

    Original Message:
    dev-list-openidenabled at thequod.de dev-list-openidenabled at thequod.de
    Thu Jan 1 18:14:12 PST 2009
    darcs patch: php-openid-urldecode-urlparamkey

    "This patch also decodes the key of URL params, which is required for param names like 'action[foo]' when the browser sends those urlencoded (Konqueror 4.2 does so).

    I would like to propose using rawurldecode instead of urldecode, too, but that causes the tests to fail and may be against the OpenID spec (the difference is only that "+" gets decoded with urldecode() but not with rawurldecode IIRC)"

    This patch was in the form of a Darcs patch, not a normal patch. To solve this, I applied it to the Darcs repository found on openidenabled, then created a new diff file between the original Darcs repo and the new one (with the patch applied) so that I could apply it to this git repo. All hunks were applied successfully.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-12, 2, -3/+39]
    http://lists.openidenabled.com/pipermail/dev/attachments/20080821/1eded806/attachment-0001.bin

    Original Message:
    will at willnorris.com
    Thu Aug 21 18:43:28 PDT 2008
    darcs patch: seperate provider and consumer xrds types

    "Currently, the five OpenID Provider service types (OpenID 1.0 - 1.2, and the two for OpenID 2.0) are combined with the one OpenID Consumer service type (return_to). This causes a potential false positive when performing discovery on an endpoint. If a php-openid consumer performs discovery on another consumer which has a published return_to service type, php-openid will think it is a valid OpenID Server service type and send an authentication request to the URI. Similarly, when checking the return_to URL of a consumer, if the consumer has any of the OpenID Server service types published, a php-openid server object will try to treat one of those URIs as a published return_to URL.

    This scenario is actually fairly common... many personal blogs serve as both an OpenID Server (for the blog owner) as well as an OpenID consumer (for people who comment on the blog)."

    This patch was in the form of a Darcs patch, not a normal patch. To solve this, I applied it to the Darcs repository found on openidenabled, then created a new diff file between the original Darcs repo and the new one (with the patch applied) so that I could apply it to this git repo.

    It should be noted that all 3 hunks for Discover.php and the 1st hunk for TrustRoot.php were applied successfully, but the second hunk for TrustRoot failed. It seems that all it was doing was removing trailing endlines from the file, so I think it should be ok.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-10, 1, -0/+413]
    http://lists.openidenabled.com/pipermail/dev/attachments/20080221/f087874e/attachment.obj

    Original Messages:

    Ryan Patterson cgamesplay at cgamesplay.com
    Thu Feb 21 10:57:56 PST 2008
    OpenIDStore for PEAR::MDB2

    "On Thu, Feb 21, 2008 at 10:24 AM, Thomas Harning <thomas.harning at trustbearer.com> wrote:
    > Shortening the URLs to 255 chars has some ugly problems since the spec states
    > that the max Server URL can technically be up to 2047 bytes (per OpenID 1.1-Appendix D)

    Ah, I glanced at the spec but didn't see anything.

    > One option for databases that can't have a key large enough is using a prefix-based key...
    > I know MySQL supports this, but I'm not so sure on others.

    This is what the current SQLStore implementation does. I've modified the patch to add specific SQL for mysql backends, but use MDB2's generic table creation for other stores. The test cases in the patch pass for MDB2 using MySQL, but I'd like to verify that it works with PostgreSQL.

    --
    Regards,
    Ryan Patterson <mailto:cgamesplay at cgamesplay.com>"

    Thomas Harning thomas.harning at trustbearer.com
    Thu Feb 21 07:24:02 PST 2008
    OpenIDStore for PEAR::MDB2

    "Ryan Patterson wrote:
    > I've created an Auth_OpenID_OpenIDStore implementation that utilizes
    > PEAR::MDB2 instead of PEAR::DB, called Auth_OpenID_MDB2Store. The
    > advantages to this store are that it supports all database back ends
    > that PEAR::MDB2 supports, and does not require the user to know which
    > database back end is being used when instantiating the store. Because
    > of the complete database abstraction, the entire store is
    > approximately 350 lines shorter than the SQLStore family.
    >
    > As a note to users planning to test this store: the table schema is
    > incompatible with the other SQLStores. Specifically, the length of
    > server URLs has been shortened to 255 characters to allow cross-RDBMS
    > compatibility, and the field types have been changed to NOT NULL. You
    > may safely delete your associations and nonces tables with no
    > consequences.

    Shortening the URLs to 255 chars has some ugly problems since the spec states that the max Server URL can technically be up to 2047 bytes (per OpenID 1.1-Appendix D)

    One option for databases that can't have a key large enough is using a prefix-based key... I know MySQL supports this, but I'm not so sure on others.

    Another option would be to use a unique value as the primary key and use some ugly mechanics so that you can store a 20 byte sha1 in a non-unique index and the server URL not in an index. The basic select would be

        SELECT * FROM Sites WHERE URLHash = ? AND URL = ?;

    The URLHash would narrow it down to likely one, where URL would clobber potential collisions and keep the data around if needed...

    --
    Thomas Harning @ TrustBearer Labs (http://www.trustbearer.com)
    Secure OpenID: https://openid.trustbearer.com/harningt
    3201 Stellhorn Road 260-399-1656
    Fort Wayne, IN 46815"

    OpenIDStore for PEAR::MDB2
    Ryan Patterson cgamesplay at cgamesplay.com
    Thu Feb 21 07:19:02 PST 2008

    "I've created an Auth_OpenID_OpenIDStore implementation that utilizes PEAR::MDB2 instead of PEAR::DB, called Auth_OpenID_MDB2Store. The advantages to this store are that it supports all database back ends that PEAR::MDB2 supports, and does not require the user to know which database back end is being used when instantiating the store. Because of the complete database abstraction, the entire store is approximately 350 lines shorter than the SQLStore family.

    As a note to users planning to test this store: the table schema is incompatible with the other SQLStores. Specifically, the length of server URLs has been shortened to 255 characters to allow cross-RDBMS compatibility, and the field types have been changed to NOT NULL. You may safely delete your associations and nonces tables with no consequences.

    A test case has been added that tests the MDB2 store with a MySQL backend. I would appreciate it if someone capable could modify the test case and test it using PostgreSQL, to ensure that the database abstraction I've used is correct.

    --
    Regards,
    Ryan Patterson <mailto:cgamesplay at cgamesplay.com>"

    All of the patch's hunks were applied successfully.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-10, 1, -3/+18]
    http://lists.openidenabled.com/pipermail/dev/attachments/20080117/5d35b90c/attachment.obj

    Original Message:
    artemy tregoubenko me at arty.name
    Thu Jan 17 01:58:39 PST 2008
    php: raw bytestrings vs. mb_string.func_overload and strlen

    "Hello.

    After all, patch for unicode support in 'html parser' is quite small. It solves my problems for now.

    On 1/16/08, artemy tregoubenko <me at arty.name> wrote:
    > Hello again!
    >
    > Today I switched to php-openid 2.0.0 and some things began working.
    > However, I experienced more problems with multibyte strings. Now they
    > happen at stage of fetching and parsing html documents.
    > ParanoidFetcher was easy to fix, patch for it attached. Currently I'm
    > hacking into ParseHTML, and using regexes in php-unicode environment
    > is a pain!
    >
    > --
    > arty ( http://arty.name )
    >
    >

    --
    arty ( http://arty.name )"

    It should be noted that hunks 1 and 4, out of the patch's 4, were applied successfully, I manually applied hunk 2, and hunk 3 could no longer be applied for the same reason as the previous patch: In both cases, the patches modified the same function, and the current function no longer contains the lines of code that the 3rd hunk is trying to modify.

    On that note, both patches are modifying the same lines of code in the same function. From what I can tell from the email messages, they are fixing different issues, but it should be confirmed that the fixes are both needed and will play nicely together.
* Added the following patch from the dev@openidenabled.com mailing list: [Lilli, 2010-02-10, 1, -1/+12]
    http://lists.openidenabled.com/pipermail/dev/attachments/20070117/14e9fc7d/attachment.bin

    Original Message:
    dAniel hAhler dev-list-openidenabled at thequod.de
    Wed Jan 17 14:02:44 PST 2007
    [PHP-openid] PCRE backtrack error in Auth_OpenID_Parse::parseLinkAttrs() / todo (patch)

    "Hi,

    I find that the Auth_OpenID_Parse::parseLinkAttrs() method is quite ineffective. It failed here (silently), because of a PREG_BACKTRACK_LIMIT_ERROR in preg_match() (introduced with PHP 5.2).

    The attached patch adds a TODO with an idea of a better/more efficient implementation and a dirty workaround, by disabling this limit.

    It seems like the parsing fails if the HTML to get parsed is > 100KB or something similar. The default backtrack limit is 100000. ..."

    It should be noted that hunks 1, 4, and 5 out of the patch's 5 were applied successfully, I manually applied hunk 2, and hunk 3 could no longer be applied.
* Added the changes to consumer and consumer test that were made to openidenabled.com's repo after the repo was moved to git hub [Lilli, 2010-02-08, 1, -1/+2]
* still use in_array, just require strict type checking [Will Norris, 2009-05-28, 1, -4/+2]
    Signed-off-by: Will Norris <will@willnorris.com>
* [ few random cleanup changes ] [Luke Shepard, 2009-05-28, 6, -9/+44]
    A few minor changes made over the past few months. This adds some additional logging, an extra helper function for error messages, and fixes a small bug with the association handler ... not to mention standardizing on "false" instead of "False".

    Signed-off-by: Will Norris <will@willnorris.com>
* [ remove closing ?> tag from all files ] [Luke Shepard, 2009-05-28, 40, -40/+15]
    Reviewed By: Will Norris

    Facebook has a policy to not have closing ?> tags at the bottom of PHP files. It can unintentionally introduce newlines which causes ridiculous bugs. This is recommended in the Zend style guide: http://framework.zend.com/manual/en/coding-standard.php-file-formatting.html

    Signed-off-by: Will Norris <will@willnorris.com>
* Revert "[ remove closing ?> tag from all files ]" [Luke Shepard, 2009-05-27, 40, -15/+40]
    This reverts commit a2bdc5c6129ff11b1c1e29a207b1b80153ac6fb0.

    I'm going to stop playing in bce's fork, and start messing in my own. Sorry for the mess Brian :)
* [ remove closing ?> tag from all files ] [Luke Shepard, 2009-05-27, 40, -40/+15]
    Reviewed By: Will Norris

    Facebook has a policy to not have closing ?> tags at the bottom of PHP files. It can unintentionally introduce newlines which causes ridiculous bugs. This is recommended in the Zend style guide: http://framework.zend.com/manual/en/coding-standard.php-file-formatting.html
* [ Upgrading php-openid test framework to use PHPUnit 3.3 ] [Luke Shepard, 2009-05-27, 3, -7/+7]
    Reviewed By: Will Norris

    The set of tests assumes PHPUnit 2.3, which conflicts with my environment setup. I think PHPUnit 3.3 is pretty widespread now, and under active maintenance (latest rev 4/10/2009).

    There's a few changes included here. I did a few mostly automated code transformations:
    replace "PHPUnit_TestCase" "PHPUnit_Framework_TestCase"
    replace "PHPUnit_TestSuite" "PHPUnit_Framework_TestSuite"
    removed all require_once "PHPUnit.php" - they are unnecessary.
    "call by reference" is now deprecated, so changed "&$" to "$"

    I also made a few changes to admin/testtext.php and Tests/TestDriver.php to accommodate the new syntax.

    Note that this just upgrades the framework; it does not guarantee that all tests pass. I'll submit future diffs to fix or disable failing unit tests. I wasn't able to get the tests running with the previous version, so I don't know if these have always been failing. I doubt that the github has automatically running unit tests, but if so then we'll have to make sure that the central repo is running the same version of PHPUnit.
* [project @ Unify method signatures to reduce E_STRICT warnings] [tailor, 2008-12-12, 2, -2/+2]
|
* [project @ Move signed assertions code into contrib/] [tailor, 2008-12-08, 2, -400/+0]
|
* [project @ OpenID Signed Assertions(Implementation of old sxip draft)] [tailor, 2008-11-14, 2, -0/+400]
    In our solution, one party, which we call the Attribute Provider (AP), provides a signed certificate that the user possesses some attribute (e.g. is over 18). This certificate is stored as an attribute at the user's OP, and other RPs can request this certificate when they want to verify attributes of the user.

    For the implementation, we have followed the OpenID Signed Assertions draft: http://www.mail-archive.com/specs@openid.net/msg00907.html

    The Signed Assertions Draft did not specify how signed assertions are stored at the OP, so we adopted the following scheme:
    Attribute: http://X
    Certificate: http://X/signature
    This enables RPs that don't care about certificates to completely ignore them. Assertions are SAML documents as specified in the OpenID Signed Assertions old draft.

    We are developing a demo application in which a university issues certificates verifying students' age, student-hood, and even their photo (also potentially useful to dating sites). So basically the university acts as an attribute provider, signing assertions about user claims. These claims are stored as an attribute in the OpenId provider and we can use the OpenID AX protocol to pass assertions as attributes.

    The data flow is:
    User requests assertion --- University(Attribute provider) --- (store request) --- Openid provider
    Relying Party(Dating site) --- (fetch request) --- OpenID Provider

    The RP gets the assertion, verifies the signature, and takes actions depending on the result. In some scenarios, the RP may deny the user request if the attribute verification fails (e.g. the dating site may forbid users under 18). In other scenarios the RP may treat them differently (e.g. the dating site could tag certified photos as "Verified Photo").

    Note that the RP must have some sort of trust relationship with the AP. We've tried to keep the system as open as possible. Our protocol and implementation do not specify how this trust relationship is created or managed. For example, there could be a PKI specifically set up for verifying claims about student-hood, another trust system set up for verifying claims about age, etc.

    Santosh Subramanian Shishir Randive Michael Hart Rob Johnson
* [project @ Message: indentation] [tailor, 2008-11-07, 1, -2/+2]
|
* [project @ getAliasedArg() returns OpenID namespace when $aliased_key is 'ns'] [tailor, 2008-11-07, 1, -0/+5]
    This fixes a rather cryptic error when using stateless mode via the DumbStore. The 'ns' key can not be found in the alias/namespace mapping (it's stored as the "Null Namespace"), it must be returned explicitly. The inability to find the key in the mapping results in a "Server Denied check_authentication" error, but the error is caused before any callback to the server is made. This also brings the PHP lib more in line with the ruby and python libs.
* [project @ Don't use Range header for ID page requests] [tailor, 2008-10-31, 2, -4/+0]
|
* [project @ Update version to 2.1.2] [Kevin Turner, 2008-09-09, 1, -1/+1]
|
* [project @ If we're generating user_setup_urls, let's at least do it correctly] [tailor, 2008-07-11, 1, -3/+9]
|
* [project @ Provide the user_setup_url in the Auth_OpenID_SetupNeededResponse even in OpenID 2] [tailor, 2008-07-10, 1, -1/+3]
* [project @ Update version to 2.1.1] [Kevin Turner, 2008-06-27, 1, -1/+1]
|
* [project @ Updated TLD list in TrustRoot.php] [Kevin Turner, 2008-06-25, 1, -13/+18]
|
* [project @ remove Auth_OpenID::quoteMInimal. Resolves #262.] [Kevin Turner, 2008-06-25, 1, -32/+0]
|
* [project @ ParanoidHTTPFetcher-strpos-instead-of-preg_match-and-code-improvements] [dAniel hAhler, 2008-06-22, 1, -14/+6]
    ParanoidHTTPFetcher:
    - Fix corner case in get() and post() for headers without any value (e.g. 'Expires:')
    - Use strpos() instead of preg_match() when looking for ":" (and look for ": " now instead)
* [project @ fix accept header] [tailor, 2008-06-23, 1, -1/+1]
|
* [project @ Fix Consumer's OpenID 1 checkid_immediate failure handling (thanks to Evan Prodromou)] [http://j3h.us/, 2008-06-20, 1, -1/+2]
* [project @ Test and fix HMAC-SHA256] [http://j3h.us/, 2008-06-20, 1, -1/+1]
|
* [project @ Rename files and tests related to HMACSHA1 and HMACSHA256] [http://j3h.us/, 2008-06-20, 6, -5/+4]
|
* [project @ etxrd.getCanonicalID: case-insensitive comparsions, patch from =wil] [Kevin Turner, 2008-06-13, 1, -8/+8]
    1. There should only be a single CanonicalID in each XRD (in the latest XRI resolution spec), so I made it use the first CID found instead of the last.
    2. Use case-insensitive comparison when comparing CanonicalIDs.
* [project @ Accept response code 206 from fetcher results (part 2). Fixes #260] [Kevin Turner, 2008-06-11, 2, -3/+3]
|