| Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Plugin::Authentication framework. |
Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Plugin::Authentication framework.
0.08
In MyApp.pm-
use Catalyst qw/ Authentication Session Session::Store::FastMmap Session::State::Cookie /;
Somewhere in myapp.conf-
<Plugin::Authentication>
default_realm openid
<realms>
<openid>
<credential>
class OpenID
</credential>
ua_class LWPx::ParanoidAgent
</openid>
</realms>
</Plugin::Authentication>
Or in your myapp.yml if you're using YAML instead-
Plugin::Authentication:
default_realm: openid
realms:
openid:
credential:
class: OpenID
ua_class: LWPx::ParanoidAgent
In a controller, perhaps Root::openid-
sub openid : Local { my($self, $c) = @_;
if ( $c->authenticate() )
{
$c->flash(message => "You signed in with OpenID!");
$c->res->redirect( $c->uri_for('/') );
}
else
{
# Present OpenID form.
}
}
And a Template to match in openid.tt-
<form action="[% c.uri_for('/openid') %]" method="GET" name="openid">
<input type="text" name="openid_identifier" class="openid" />
<input type="submit" value="Sign in with OpenID" />
</form>
This is the third OpenID related authentication piece for Catalyst. The first -- the Catalyst::Plugin::Authentication::OpenID manpage by Benjamin Trott -- was deprecated by the second -- the Catalyst::Plugin::Authentication::Credential::OpenID manpage by Tatsuhiko Miyagawa -- and this is an attempt to deprecate both by conforming to the newish, at the time of this module's inception, realm-based authentication in the Catalyst::Plugin::Authentication manpage.
1. Catalyst::Plugin::Authentication::OpenID 2. Catalyst::Plugin::Authentication::Credential::OpenID 3. Catalyst::Authentication::Credential::OpenID
The benefit of this version is that you can use an arbitrary number of authentication systems in your Catalyst application and configure and call all of them in the same way.
Note that both earlier versions of OpenID authentication use the method
authenticate_openid(). This module uses authenticate() and
relies on you to specify the realm. You can specify the realm as the
default in the configuration or inline with each
authenticate() call; more below.
This module functions quite differently internally from the others. See the Catalyst::Plugin::Authentication::Internals manpage for more about this implementation.
Call to authenticate the user via OpenID. Returns false if authorization is unsuccessful. Sets the user into the session and returns the user object if authentication succeeds.
You can see in the call above that the authentication hash is empty.
The implicit OpenID parameter is, as the 2.0 specification says it
SHOULD be, openid_identifier. You can set it anything you like in
your realm configuration, though, under the key openid_field. If
you call authenticate() with the empty info hash and no configured
openid_field then only openid_identifier is checked.
It implicitly does this (sort of, it checks the request method too)-
my $claimed_uri = $c->req->params->{openid_identifier}; $c->authenticate({openid_identifier => $claimed_uri});
new()
You will never call this. Catalyst does it for you. The only important thing you might like to know about it is that it merges its realm configuration with its configuration proper. If this doesn't mean anything to you, don't worry.
Currently the only supported user class is the Catalyst::Plugin::Authentication::User::Hash manpage.
See the Net::OpenID::VerifiedIdentity manpage for details.
Catalyst authentication is now configured entirely from your
application's configuration. Do not, for example, put
Credential::OpenID into your use Catalyst ... statement.
Instead, tell your application that in one of your authentication
realms you will use the credential.
In your application the following will give you two different authentication realms. One called "members" which authenticates with clear text passwords and one called "openid" which uses... uh, OpenID.
__PACKAGE__->config ( name => "MyApp", "Plugin::Authentication" => { default_realm => "members", realms => { members => { credential => { class => "Password", password_field => "password", password_type => "clear" }, store => { class => "Minimal", users => { paco => { password => "l4s4v3n7ur45", }, } } }, openid => { consumer_secret => "Don't bother setting", ua_class => "LWPx::ParanoidAgent", ua_args => { whitelisted_hosts => [qw/ 127.0.0.1 localhost /], }, credential => { class => "OpenID", store => { class => "OpenID", }, }, }, }, }, );
This is the same configuration in the default Catalyst configuration format from the Config::General manpage.
name MyApp
<Plugin::Authentication>
default_realm members
<realms>
<members>
<store>
class Minimal
<users>
<paco>
password l4s4v3n7ur45
</paco>
</users>
</store>
<credential>
password_field password
password_type clear
class Password
</credential>
</members>
<openid>
<ua_args>
whitelisted_hosts 127.0.0.1
whitelisted_hosts localhost
</ua_args>
consumer_secret Don't bother setting
ua_class LWPx::ParanoidAgent
<credential>
<store>
class OpenID
</store>
class OpenID
</credential>
</openid>
</realms>
</Plugin::Authentication>
And now, the same configuration in YAML. NB: YAML is whitespace sensitive.
name: MyApp
Plugin::Authentication:
default_realm: members
realms:
members:
credential:
class: Password
password_field: password
password_type: clear
store:
class: Minimal
users:
paco:
password: l4s4v3n7ur45
openid:
credential:
class: OpenID
store:
class: OpenID
consumer_secret: Don't bother setting
ua_class: LWPx::ParanoidAgent
ua_args:
whitelisted_hosts:
- 127.0.0.1
- localhost
NB: There is no OpenID store yet. Trying for next release.
These are set in your realm. See above.
the LWPx::ParanoidAgent manpage is the default agent -- ua_class. You don't
have to set it. I recommend that you do not override it. You can
with any well behaved the LWP::UserAgent manpage. You probably should not.
the LWPx::ParanoidAgent manpage buys you many defenses and extra security
checks. When you allow your application users freedom to initiate
external requests, you open a big avenue for DoS (denial of service)
attacks. the LWPx::ParanoidAgent manpage defends against this.
the LWP::UserAgent manpage and any regular subclass of it will not.
The underlying the Net::OpenID::Consumer manpage object is seeded with a secret. If it's important to you to set your own, you can. The default uses this package name + its version + the sorted configuration keys of your Catalyst application (chopped at 255 characters if it's longer). This should generally be superior to any fixed string.
There are some interesting implications with this sort of setup. Does a user aggregate realms or can a user be signed in under more than one realm? The documents could contain a recipe of the self-answering OpenID end-point that is in the tests.
Debug statements need to be both expanded and limited via realm configuration.
Better diagnostics in errors. Debug info at all consumer calls.
Roles from provider domains? Mapped? Direct? A generic "openid" auto_role?
To Benjamin Trott (the Catalyst::Plugin::Authentication::OpenID manpage), Tatsuhiko Miyagawa (the Catalyst::Plugin::Authentication::Credential::OpenID manpage), and Brad Fitzpatrick for the great OpenID stuff and to Jay Kuri and everyone else who has made Catalyst such a wonderful framework.
Copyright (c) 2008, Ashley Pond V <ashley@cpan.org>. Some of
Tatsuhiko Miyagawa's work is reused here.
This module is free software; you can redistribute it and modify it under the same terms as Perl itself. See perlartistic.
Because this software is licensed free of charge, there is no warranty for the software, to the extent permitted by applicable law. Except when otherwise stated in writing the copyright holders and other parties provide the software "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the software is with you. Should the software prove defective, you assume the cost of all necessary servicing, repair, or correction.
In no event unless required by applicable law or agreed to in writing will any copyright holder, or any other party who may modify or redistribute the software as permitted by the above license, be liable to you for damages, including any general, special, incidental, or consequential damages arising out of the use or inability to use the software (including but not limited to loss of data or data being rendered inaccurate or losses sustained by you or third parties or a failure of the software to operate with any other software), even if such holder or other party has been advised of the possibility of such damages.
the Net::OpenID::Server manpage, the Net::OpenID::VerifiedIdentity manpage, the Net::OpenID::Consumer manpage, http://openid.net/, and http://openid.net/developers/specs/.
Catalyst, the Catalyst::Plugin::Authentication manpage, the Catalyst::Manual::Tutorial::Authorization manpage, and the Catalyst::Manual::Tutorial::Authentication manpage.
the Catalyst::Plugin::ConfigLoader manpage, the Config::General manpage, and YAML.
the Catalyst::Manual::Tutorial manpage, Template, the LWPx::ParanoidAgent manpage.
| Catalyst::Authentication::Credential::OpenID - OpenID credential for Catalyst::Plugin::Authentication framework. |