PHP OpenID consumer working! [was: PHP hackers wanted -- here's a seed]
Martin Atkins
mart at degeneration.co.uk
Thu May 26 06:00:51 PDT 2005
Phillip Pearson wrote:
>
> One thing it *doesn't* do is use the final URL if it hits redirects
> along the way to fetching the page containing the <link rel> element.
> So if I enter "www.livejournal.com/~myelin", LJ will come back and
> tell me I can't authenticate for ~myelin. If I can get PHP to tell me
> what the *actual* fetched URL was, I can fix this, though. It looks
> like Net::OpenID::Consumer does it properly.
>
You're probably going to have to leave behind PHP's built-in HTTP stuff
and use something which allows you more control over the process. There
are two HTTP client modules on PEAR, it seems. HTTP_Client hides all of
the redirects, so isn't any good; HTTP_Request's documentation doesn't
mention redirects at all, so perhaps it'll just return a 302 response
which you can then follow manually.

It'd be a good idea to make a more "paranoid" request library anyway,
like Brad's LWPx::ParanoidAgent for Perl. It protects the consumer from
users entering URLs pointing at internal addresses and from servers
hurting the consumer's web app by responding very slowly, redirecting it
in an infinite loop and whatnot.
>
> Somebody is going to have to take all this code sometime and make some
> sort of validator...:)
>
I imagine this could be achieved by making an identity server that's
very picky and then making a bunch of pathological identity URLs to test
against. If a given consumer doesn't allow one of them to log in they
fail validation!
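
A sketch of the "paranoid" fetch discussed in this message, added here as an example and not code from the thread or from any OpenID library: it follows redirects by hand so the consumer learns the final URL, re-checks every hop against internal addresses, and bounds both time and redirect count. The names paranoid_fetch and is_public_ip and the limits are hypothetical; it assumes PHP's curl extension and handles IPv4 only.

```php
<?php
// Added example, not from the original post. Names and limits are hypothetical.
// Assumes the curl extension; handles IPv4 only and refuses everything else.

function is_public_ip(string $ip): bool {
    // Fails for private (RFC 1918) and reserved (loopback, link-local) ranges.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

function paranoid_fetch(string $url, int $maxRedirects = 5, int $timeout = 10): array {
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $parts  = parse_url($url) ?: [];
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = $parts['host'] ?? '';
        if ($host === '' || !in_array($scheme, ['http', 'https'], true)) {
            throw new RuntimeException("Refusing URL: $url");
        }
        $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

        // Resolve once, vet every address, then pin curl to a vetted one so
        // a second DNS lookup cannot hand back an internal address.
        $ips = gethostbynamel($host) ?: [];
        if (!$ips || array_filter($ips, fn($ip) => !is_public_ip($ip))) {
            throw new RuntimeException("Refusing internal or unresolvable host: $host");
        }

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,      // each hop is re-vetted above
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => $timeout,   // bounds a slow responder
            CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        if ($body === false) {
            throw new RuntimeException("Fetch failed: " . curl_error($ch));
        }
        if ($status >= 300 && $status < 400 && $next) {
            $url = $next;                         // remember where we really went
            continue;
        }
        return ['final_url' => $url, 'status' => $status, 'body' => $body];
    }
    throw new RuntimeException("More than $maxRedirects redirects");
}
```

The returned final_url, rather than the string the user typed, is what the consumer would treat as the identity URL after redirects.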