New spec is unclear on HMAC digest type

Kristopher Tate kris at
Mon Jun 27 20:26:59 PDT 2005

These values correspond with openid.mode = 'associate'. I recommend 
going to the OpenID spec 
<>, and reading-up on 
that mode.

As for token, secret, and assoc_handle our network has a special 
sessionhash that we generate anyways for any connection and set as the 
assoc_handle. An example sessionhash looks like 
27:166:1522fbfb9dfc864c06d8987aa26e5531523962a5:RPC or 
27:153:60c9baddbbb96679737f70a5a4e5673829878e28:OPENID -- The key here 
is generating something that is very unique and based on time.

The secret is something that is associated with the token. When a 
consumer asks us for an openid.mode = associate response, we generate a 
20-char random string. the PHP code for that is really simple (ver >= 

> //Build Random string, $numchar as INT
> function random_chars($numchar) {
>      $string 
> =str_shuffle("abcefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
>      $random_str = substr($string,1,$numchar);
>      return $random_str;
> }
> //Generate 20-char random mac_key
> $mac_key = random_chars(20);

That key is sent to the consumer (with other important info in the 
spec), so when they redirect the User Agent to the ID Server with the 
assoc_handle, the server can use the assoc_handle as a key to grabbing 
the secret (which is cached) to HMAC our token. The token is a 
composite of the following: mode,issued,valid_to,identity, and 

Here's some code on how we build the token:

> $sign['mode'] = 'id_res';
> $sign['issued'] = $w3c_time; //String var that contains a W3C 
> timestamp of time() in the UTC timezone
> $sign['valid_to'] = iso8601_encode($now+(60),1)."Z"; //Generate future 
> time (60s ahead) in a W3C timestamp (UTC timezone)
> $sign['identity'] = $_GET['openid_identity'];
> $sign['return_to'] = $_GET['openid_return_to'];
> $token = '';
> foreach ($sign as $key => $data) {
>     $token .= $key.":".$data."\n";
> }

Then all there is left to do is set openid.sig to 
base64_encode(hmacsha1($secret,$token)), and then do a 
header('Location: <return_to URL>') (along with all of the other 

Bottom-line: check the spec. Brad and Co. have put alot of time into 
typing that baby up, it's well worth the read. You can also search 
Brad's Perl libraries on <>.

If you've got any other questions, you may IM me on AIM SN 
findyourownpath .


On 2005/06/27, at 7:57 PM, Dossy Shiobara wrote:
> Could you be so kind as to post some test cases for me to test my Tcl
> implementation against?  Basically, the values for "secret" and "token"
> and the resulting base64/HMAC'ed string?

More information about the yadis mailing list