OpenID登陆!

这个就不用说太多了,是标准的!

		if(empty($_REQUEST['openid_mode'])){
			if(empty($_REQUEST['OpenID']))
				LocationHtml($LoginUrl, 'OpenID is null!');
			$openid_url = formUrl($_REQUEST['OpenID']);
			$openid_server_list = getOpenIDServer($openid_url);
			if(empty($openid_server_list))
				LocationHtml($LoginUrl, 'OpenID server is null!');

			if(!empty($openid_server_list[1]))
				$openid_server = $openid_server_list[1];
			if(!empty($openid_server_list[2]))
				$openid_server = $openid_server_list[2];
			$data['openid.ns'] = 'http://specs.openid.net/auth/2.0';
			$data['openid.mode'] = 'associate';
			$data['openid.assoc_type'] = 'HMAC-SHA1';
			$data['openid.session_type'] = 'no-encryption';
			$AssocHandle = getAssociationHandle($openid_server.'?'.http_build_query($data));
			setcookie('cookieAssocHandle', $AssocHandle);
			unset($data);

			$data['openid.assoc_handle'] = $AssocHandle;
			$data['openid.ax.mode'] = 'fetch_request';
			$data['openid.ax.required'] = 'attr1,attr2,attr3,attr4,attr5';
			$data['openid.ax.type.attr1'] = 'http://axschema.org/contact/email';
			$data['openid.ax.type.attr2'] = 'http://axschema.org/namePerson/first';
			$data['openid.ax.type.attr3'] = 'http://axschema.org/namePerson/last';
			$data['openid.ax.type.attr4'] = 'http://axschema.org/contact/country/home';
			$data['openid.ax.type.attr5'] = 'http://axschema.org/pref/language';
			$data['openid.claimed_id'] = $openid_url;
			$data['openid.identity'] = $openid_url;
			$data['openid.mode'] = 'checkid_setup';
			$data['openid.ns'] = 'http://specs.openid.net/auth/2.0';
			$data['openid.ns.ax'] = 'http://openid.net/srv/ax/1.0';
			$data['openid.ns.sreg'] = 'http://openid.net/extensions/sreg/1.1';
			$data['openid.realm'] = $RealmUrl;
			$data['openid.return_to'] = $AuthUrl;
			$data['openid.sreg.optional'] = 'nickname,email,fullname,dob,gender,postcode,country,language,timezone';
			$data['openid.sreg.policy_url'] = $PolicyUrl;
			$data['openid.sreg.required'] = 'email';
			$data['openid.trust_root'] = $RealmUrl;

			$LocationUrl  = $openid_server.'?'.http_build_query($data);
		}else{
			if('id_res' == $_REQUEST['openid_mode']
				&& $AssocHandle == $_REQUEST['openid_assoc_handle']){
				$openid = !empty($_REQUEST['openid_claimed_id']) ? formUrl($_REQUEST['openid_claimed_id']) : formUrl($_REQUEST['openid_identity']);
				$email = $_REQUEST['openid_sreg_email'];
				$fullname = $_REQUEST['openid_sreg_fullname'];
				$nickname = $_REQUEST['openid_sreg_nickname'];
				$timezone = $_REQUEST['openid_sreg_timezone'];
				echo('<pre>');
				echo("<a href=$LoginUrl>BACK</a>\n\n");
				print_r($_REQUEST);
				echo('</pre>');
			}
		}
		break;

部分函数请参考:
Yahoo的OpenID登陆
Windows Live ID当作OpenID使用的方法
Google的OpenID的登陆

Yahoo的OpenID登陆

前两次写了Windows Live ID当作OpenID使用的方法Google的OpenID的登陆,这次写Yahoo的OpenID的实现方法。

先说一下Yahoo的OpenID仅有Plaxo等几个网站可以获取用户属性,所以暂时不要考虑这个东西吧。

而且Yahoo还会出现了下面这段警告:

Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate.

你是不是很郁闷呢?其实解决方法很简单,请参考:http://tihualong.javaeye.com/blog/309246

因为其他的OpenID提供者同时支持OpenID1.1与OpenID2.0协议,但是Yahoo的程序员像我们一样不喜欢考虑兼容性的问题。只支持OpenID2.0协议标准。

那么OpenID2.0协议标准有什么特殊的地方呢?

OpenID2.0中提出了一个新的东西叫做OpenID Relying Party discovery的,我们的问题就出在这个OpenID Relying Party discovery上。

先解释一下这个OpenID Relying Party discovery是什么东西。

当你重定向到OpenID提供者站点去请求认证的时候,OpenID提供者会使用这个叫做OpenID Relying Party discovery的机制自动验证return_to的URL处于指定的范围内,并且与OP通过realm参数获取到的XRDS文档中获取到的return_to的URL相同。

我是这么理解的:我的Consumer程序告诉了OP我的return_to地址是什么,但是OP不信任我,要通过我的realm参数(注意:这个地方是OP向RP发出的请求,所以要求你realm参数的url必须是外网的ip地址或者能通过外部的DNS查找到的域名)查找一个基于yadis协议的XRDS文档中的return_to地址,两个return_to地址相比较,如果相同,好,我相信你了,放行。(不知道这样理解有没有问题,我觉得应该没问题吧)

好,原理理解了。下面我们要做的就是:

1、 编写一个XRDS文档保存到你的网站上,存放成什么扩展名的没什么关系,但是你要保证Yahoo或者其他OP获取到这个文档的Content-Type是” application/xrds+xml”,不然他们会认为这个文档不是他们要找的文档。

2、 将你第一步编写的XRDS文档的地址公布在你网站的首页,或者你的openid.realm参数指定的页面上(建议)

我们先来编写XRDS文档:(起名xrds.php)

<?php
header(‘Content-type: application/xrds+xml’);
?>
<?xml version=”1.0″ encoding=”UTF-8″?>
<xrds:XRDS
xmlns:xrds=”xri://$xrds”
xmlns:openid=”http://openid.net/xmlns/1.0″
xmlns=”xri://$xrd*($v*2.0)”>
<XRD>
<Service priority=”1″>
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>改成你的return_url地址</URI>
</Service>
</XRD>
</xrds:XRDS>

将你编写的XRDS文档的地址公布在openid.realm指定的页面,建议单独写一个页面维护,然后设置openid.realm参数为你创建的这个页面

<?php
header(‘X-XRDS-Location: 改成你的xrds.php地址’);
?>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″>
<meta http-equiv=”X-XRDS-Location” content=”改成你的xrds.php地址”/>
</head>
<body>
网页内容
</body>
</html>

if(empty($_REQUEST[‘openid_mode’])){
$openid_server = ‘https://open.login.yahooapis.com/openid/op/auth’;
$data[‘openid.ns’] = ‘http://specs.openid.net/auth/2.0’;
$data[‘openid.mode’] = ‘associate’;
$data[‘openid.assoc_type’] = ‘HMAC-SHA1’;
$data[‘openid.session_type’] = ‘no-encryption’;
$AssocHandle = getAssociationHandle($openid_server.’?’.http_build_query($data));
setcookie(‘cookieAssocHandle’, $AssocHandle);
unset($data);

$data[‘openid.assoc_handle’] = $AssocHandle;
$data[‘openid.ax.mode’] = ‘fetch_request’;
$data[‘openid.ax.required’] = ‘attr1,attr2,attr3,attr4,attr5’;
$data[‘openid.ax.type.attr1’] = ‘http://axschema.org/contact/email’;
$data[‘openid.ax.type.attr2’] = ‘http://axschema.org/namePerson/first’;
$data[‘openid.ax.type.attr3’] = ‘http://axschema.org/namePerson/last’;
$data[‘openid.ax.type.attr4’] = ‘http://axschema.org/contact/country/home’;
$data[‘openid.ax.type.attr5’] = ‘http://axschema.org/pref/language’;
$data[‘openid.claimed_id’] = ‘http://specs.openid.net/auth/2.0/identifier_select’;
$data[‘openid.identity’] = ‘http://specs.openid.net/auth/2.0/identifier_select’;
$data[‘openid.mode’] = ‘checkid_setup’;
$data[‘openid.ns’] = ‘http://specs.openid.net/auth/2.0’;
$data[‘openid.ns.ax’] = ‘http://openid.net/srv/ax/1.0’;
$data[‘openid.ns.sreg’] = ‘http://openid.net/extensions/sreg/1.1’;
$data[‘openid.realm’] = $RealmUrl;
$data[‘openid.return_to’] = $AuthUrl;
$data[‘openid.sreg.optional’] = ‘nickname,email,fullname,dob,gender,postcode,country,language,timezone’;
$data[‘openid.sreg.policy_url’] = $PolicyUrl;
$data[‘openid.sreg.required’] = ’email’;
$data[‘openid.trust_root’] = $RealmUrl;
//$data[‘xopenid_lang_pref’] = ‘tw’;

$LocationUrl = $openid_server.’?’.http_build_query($data);
}else{
if(‘id_res’ == $_REQUEST[‘openid_mode’]
&& $AssocHandle == $_REQUEST[‘openid_assoc_handle’]){
$openid = !empty($_REQUEST[‘openid_identity’]) ? formUrl($_REQUEST[‘openid_identity’]) : formUrl($_REQUEST[‘openid_claimed_id’]);
$email = $_REQUEST[‘openid_sreg_email’];
$fullname = $_REQUEST[‘openid_sreg_fullname’];
$nickname = $_REQUEST[‘openid_sreg_nickname’];
$timezone = $_REQUEST[‘openid_sreg_timezone’];
}
echo(‘<pre>’);
echo(“<a href=$LoginUrl>BACK</a>\n\n”);
print_r($_REQUEST);
echo(‘</pre>’);
}

注意:有部分函数和变量有遗漏,请参考Windows Live ID当作OpenID使用的方法Google的OpenID的登陆

Google的OpenID

上次写了Windows Live ID当作OpenID使用的方法,这次写Google的OpenID的实现方法。


if(empty($_REQUEST['openid_mode'])){
$openid_server = getXrdsUri('https://www.google.com/accounts/o8/id');
$data['openid.ns'] = 'http://specs.openid.net/auth/2.0';
$data['openid.mode'] = 'associate';
$data['openid.assoc_type'] = 'HMAC-SHA1';
$data['openid.session_type'] = 'no-encryption';
$AssocHandle = getAssociationHandle($openid_server.'?'.http_build_query($data));
setcookie('cookieAssocHandle', $AssocHandle);
unset($data);

$data['openid.ns'] = 'http://specs.openid.net/auth/2.0';
$data['openid.claimed_id'] = 'http://specs.openid.net/auth/2.0/identifier_select';
$data['openid.identity'] = 'http://specs.openid.net/auth/2.0/identifier_select';
$data['openid.return_to'] = $AuthUrl;
$data['openid.realm'] = $RealmUrl;
$data['openid.assoc_handle'] = $AssocHandle;
$data['openid.mode'] = 'checkid_setup';
$data['openid.ns.ext1'] = 'http://openid.net/srv/ax/1.0';
$data['openid.ext1.mode'] = 'fetch_request';
$data['openid.ext1.type.email'] = 'http://axschema.org/contact/email';
$data['openid.ext1.required'] = 'email';

$LocationUrl = $openid_server.'?'.http_build_query($data);
}else{
if('id_res' == $_REQUEST['openid_mode']
&& $AssocHandle == $_REQUEST['openid_assoc_handle']){
$openid = !empty($_REQUEST['openid_ext1_value_email']) ? $_REQUEST['openid_ext1_value_email'] : formUrl($_REQUEST['openid_claimed_id']);
$email = $_REQUEST['openid_ext1_value_email'];
}
echo('<pre>');
echo("<a href=$LoginUrl>BACK</a>\n\n");
print_r($_REQUEST);
echo('</pre>');
}

function getAssociationHandle($url){
$c = curl_init($url);

curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
curl_setopt($c, CURLOPT_HEADER, false);
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);

$contents = curl_exec($c);
//print_r($contents);
//exit;

curl_close($c);

$assoc_handle = time();

$lines = explode("\n", $contents);

foreach($lines as $line){
if(substr($line, 0, 13) == "assoc_handle:"){
$assoc_handle = substr($line, 13);
break;
}
}

return $assoc_handle;
}

function getXrdsUri($url){
$c = curl_init($url);

curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
curl_setopt($c, CURLOPT_HEADER, false);
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);

$request_contents = curl_exec($c);

curl_close($c);

$domdoc = new DOMDocument();
$domdoc->loadXML($request_contents);

$uri = $domdoc->getElementsByTagName("URI");
$uri = $uri->item(0)->nodeValue;

return $uri;
}

if(empty($openid))
LocationHtml($LocationUrl);

LocationHtml函数见Windows Live ID当作OpenID使用的方法

注意:Google的OpenID的openid.claimed_id(即OpenID)的值,随不同网站变化,网站不同值也不同,所以不是真正的OpenID,Google真正的OpenID是他的Email。但是Email也不是每次都可以取得到的,如果你在Google的授权页面上点选了”允许 XXX 记住我”,再次登录时将略过授权页面,同时也将得不到Email的值。只有Google帐号的所有者在个人设置里更改获授权网站,将你的网站撤销访问权,才能再次得到Email的值。

Google的OpenID是个被阉割的OpenID,除了提供Email的值之外,其他一概不提供!

参考:http://code.google.com/intl/zh-CN/apis/accounts/docs/OpenID.html

rpxnow.com的OpenID托管服务

RPX提供了OpenID的托管服务,你所要做的,只是在网页中插入几行代码,剩下的全部由它来完成。

但是RPX提供的PHP示例代码,我想很多人未必会用,写的有点菜,我就没有用的起来。下面是我自己写的一个示例代码,供大家学习:)


<script src="https://rpxnow.com/openid/v2/widget"
type="text/javascript"></script>
<script type="text/javascript">
RPXNOW.token_url = "http://freebapp.org/tools/openid/rpx.php";
RPXNOW.realm = "freebapp";
RPXNOW.overlay = true;
RPXNOW.language_preference = 'en';
</script>

<?php
if(!empty($_REQUEST['token'])){
$post['token'] = $_REQUEST['token'];
$post['apiKey'] = 'a21e795ea614c12f549660ab15f93de30451d338';
$post['format'] = 'json';

$curl = curl_init();
$url = 'https://rpxnow.com/api/v2/auth_info?token_url='.urlencode('http://freebapp.org/tools/openid/rpx.php');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
curl_setopt($curl, CURLOPT_URL, $url);

$data = curl_exec($curl);
echo('<pre>');
print_r(json_decode($data));
echo('</pre>');
curl_close($curl);
}
?>

大家把上例的apiKey和token_url换成自己的就可以了!

示例演示

Windows Live ID当作OpenID使用

MSN庞大的客户群体是不可忽视的,虽然Live有OpenID,但是很少有人会去开通,并且记得住的不多。记得上次有人在他的BLOG上说很多上网的人其实很白痴,连登录Gmail都要用hao123。包括在我使用OpenID的网站(OpenTags.org)上,真正使用OpenID登录的并不多,Google、Yahoo、Live的用户才多。Google、Yahoo虽然支持OpenID,但是都被阉割了,只是有选择的支持sreg。关于Google、Yahoo,下次再说,今天说Windows Live ID。

Windows Live ID,注意是ID不是OpenID,如果使用Login的方式会得到一个userid,但是这个userid只是一个识别符号,不是真正的Live ID,这个userid只能在你的网络识别Live ID,即一个appid对应一个userid,如果换了appid,即换站userid也跟着变。如果要再作第三方的认证就不合适了。我这里介绍的是取得真正的Live ID,即通过获取Live ID的联系人信息来获取Live ID。

如果要Login方式的userid可以不用再往下面看了,说一下获取Login方式的userid很简单,下载SDK包,然后里面有个sample,看下就懂了,记得要修改Application-Key.xml。

要取得真正的Live ID,按下列步骤即可:

申请(New Project >> Live Services: Existing APIs)


下载 Windows Live ID Web Authentication SDK 1.2 webauth-php-1.2.tar.gz

修改Application-Key.xml


$LoginUrl = '登录地址';
$AuthUrl = '验证地址';
$RealmUrl = '退出后返回的地址';

$DEBUG = true;
$KEYFILE = './Live/Application-Key.xml';
$COOKIE = 'webauthtoken';
$COOKIETTL = time() + (10 * 365 * 24 * 60 * 60);

include_once('./Live/lib/windowslivelogin.php');
$wll = WindowsLiveLogin::initFromXml($KEYFILE);
$wll->setDebug($DEBUG);

if(!empty($_REQUEST['action'])){
switch($_REQUEST['action']) {
case 'logout':
setcookie($COOKIE);
$LocationUrl = $RealmUrl;
break;
case "clearcookie":
setcookie($COOKIE);
$LocationUrl = $AuthUrl;
break;
default:
$user = $wll->processConsent($_REQUEST);
if(!empty($user)){
setcookie($COOKIE, $user->getToken(), $COOKIETTL);
$LocationUrl = $AuthUrl;
}else{
$LocationUrl = $LoginUrl;
}
break;
}
LocationHtml($LocationUrl);
}
$token = $_COOKIE[$COOKIE];
if($token){
$user = $wll->processConsentToken($token);
if(!$user->isValid()){
$LocationUrl = $AuthUrl.'?AuthType=Live&amp;action=clearcookie';
}else{
$url = 'https://livecontacts.services.live.com/users/@L@'.$user->getLocationID().'/rest/livecontacts/owner';
$owner = getLiveID($url, array('Authorization: DelegatedToken dt="'.$user->getDelegationToken().'"'));
$openid = $owner->WindowsLiveID;
$email = $owner->WindowsLiveID;
$fullname = $owner->Profiles->Personal->LastName.' '.$owner->Profiles->Personal->FirstName;
$nickname = $owner->Profiles->Personal->DisplayName;
echo('<pre>');
print_r($owner);
echo('</pre>');
}
}else{
$LocationUrl = $wll->getConsentUrl('Contacts.View', 'zh-CN');
}


function getLiveID($url, $header){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);
try{
$xml = new SimpleXMLElement($data);
}catch(Exception $e){
return false;
}
return $xml;
}

function LocationHtml($url, $e=null){
if(empty($url))
exit;
echo('<html>');
echo('<head>');
echo('<title>Redirect to: '.$url.'</title>');
echo('<meta http-equiv="refresh" content="1;url='.$url.'">');
echo('</head>');
echo('<body bgcolor="#FFFFFF" onload="window.location.href=\''.$url.'\'">');
echo('<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" height="100%" width="100%">');
echo('<tr>');
echo('<td align="center" valign="middle">');
echo('<a href="'.$url.'" style="color:#000000;text-decoration:none">');
echo($url);
echo('</a>');
echo('</td>');
echo('</tr>');
echo('</table>');
if(!empty($e)){
echo('<script type="text/javascript">');
if(is_array($e))
echo('alert("'.implode('\n', $e).'");');
else
echo('alert("'.$e.'");');
echo('</script>');
}
echo('</body>');
echo('</html>');
exit;
}

注意:getLiveID要CURL支持,如果不支持请用其他办法。