3.6. Open ID Authentication

3.6.1. Introduction

Zend_Auth_Adapter_OpenId allows authenticate user using remote OpenID server. Such authentication process assumes that user submits to web application only their OpenID identity. Then they are redirected to their OpenID providers to prove the identity ownership using password or some other method. This password is never known to local web application.

The OpenID identity is just an HTTP URL that points to some web page with suitable information about the user and special tags which describes which server to use and which identity to submit there. You can read more about OpenID at OpenID official site.

The Zend_Auth_Adapter_OpenId class is a wrapper on top of Zend_OpenId_Consumer component which implements the OpenID authentication protocol itself.

[Замечание] Замечание

Zend_OpenId takes advantage of the GMP extension, where available. Consider enabling the GMP extension for better performance when using Zend_Auth_Adapter_OpenId.

3.6.2. Specifics

As any other Zend_Auth adapter the Zend_Auth_Adapter_OpenId class implements Zend_Auth_Adapter_Interface, which defines one method - authenticate(). This method performs the authentication itself, but the object must be prepared prior to calling it. Such adapter preparation includes setting up OpenID identity and some other Zend_OpenId specific options.

However in opposite to other Zend_Auth adapters it performs authentication on external server and it is done in two separate HTTP requests. So the Zend_Auth_Adapter_OpenId::authenticate() must be called twice. First time the method won't return, but will redirect user to their OpenID server. Then after authentication on server they will be redirected back and the script for this second request must call Zend_Auth_Adapter_OpenId::authenticate() again to verify signature which come with redirected request from the server and complete the authentication process. This time the method will return Zend_Auth_Result object as expected.

The following example shows the usage of Zend_Auth_Adapter_OpenId. As was said before the Zend_Auth_Adapter_OpenId::authenticate() is called two times. First time - after submitting of HTML form when $_POST['openid_action'] is set to "login", and the second time after HTTP redirection from OpenID server when $_GET['openid_mode'] or $_POST['openid_mode'] is set.

require_once "Zend/Auth.php";
require_once "Zend/Auth/Adapter/OpenId.php";

$status = "";
$auth = Zend_Auth::getInstance();
if ((isset($_POST['openid_action']) &&
     $_POST['openid_action'] == "login" &&
     !empty($_POST['openid_identifier'])) ||
    isset($_GET['openid_mode']) ||
    isset($_POST['openid_mode'])) {
    $result = $auth->authenticate(
        new Zend_Auth_Adapter_OpenId(@$_POST['openid_identifier']));
    if (!$result->isValid()) {
        $status = "You are logged-in as " . $auth->getIdentity() . "<br>\n";
    } else {
        foreach ($result->getMessages() as $message) {
            $status .= "$message<br>\n";
} else if ($auth->hasIdentity()) {
    if (isset($_POST['openid_action']) &&
        $_POST['openid_action'] == "logout") {
    } else {
        $status = "You are logged-in as " . $auth->getIdentity() . "<br>\n";
<?php echo "$status";?>
<form method="post"><fieldset>
<legend>OpenID Login</legend>
<input type="text" name="openid_identifier" value="">
<input type="submit" name="openid_action" value="login">
<input type="submit" name="openid_action" value="logout">

It is allowed customize the OpenID authentication process with: receiving redirection from the OpenID server on separate page, specifying the "root" of web site. In this case, using custom Zend_OpenId_Consumer_Storage or custom Zend_Controller_Response. It is also possible to use Simple Registration Extension to retrieve information about user from the OpenID server. All these possibilities described in more details in Zend_OpenId_Consumer reference.

    Поддержать сайт на родительском проекте КГБ