PHP OpenID consumer working! [was: PHP hackers wanted -- here's a seed]

Martin Atkins mart at
Thu May 26 06:00:51 PDT 2005

Phillip Pearson wrote:
> One thing it *doesn't* do is use the final URL if it hits redirects
> along the way to fetching the page containing the <link rel> element.
> So if I enter "", LJ will come back and
> tell me I can't authenticate for ~myelin.  If I can get PHP to tell me
> what the *actual* fetched URL was, I can fix this, though.  It looks
> like Net::OpenID::Consumer does it properly.

You're probably going to have to leave behind PHP's built in HTTP stuff 
and use something which allows you more control over the process. There 
are two HTTP client modules on PEAR, it seems. HTTP_Client hides all of 
the redirects, so isn't any good, HTTP_Request's documentation doesn't 
mention redirects at all, so perhaps it'll just return a 302 response 
which you can then follow manually.

It'd be a good idea to make a more "paranoid" request library anyway, 
like Brad's LWPx::ParanoidAgent for Perl. It protects the consumer from 
users entering URLs pointing at internal addresses and from servers 
hurting the consumer's web app by responding very slowly, redirecting it 
in an infinite loop and whatnot.

> Somebody is going to have to take all this code sometime and make some
> sort of validator...:)

I imagine this could be achieved by making an identity server that's 
very picky and then making a bunch of pathological identity URLs to test 
against. If a given consumer doesn't allow one of them to log in they 
fail validation!

More information about the yadis mailing list