Глава 29. Zend_OpenId

29.1. Introduction

Zend_OpenId is a Zend Framework component that provides a simple API for building OpenID-enabled sites and identity providers.

29.1.1. What is OpenID?

OpenID is a set of protocols for user-centric digital identities. These protocols allow to create an identity online, using an identity provider. This identity can be used anywhere that OpenID is supported. Using OpenID-enabled sites, web users do not need to remember traditional authentication tokens such as username and password. All OpenID-enabled sites accept a single OpenID identity. This identity is typically a URL. It may be the URL of the user's personal page, blog or other resource that may provide additional information about them. No more need for many passwords and different user names - just one identifier for all Internet services. OpenID is an open, decentralized, and free user centric solution. A user may choose which OpenID provider to use, or even create their own personal identity server. No central authority is needed to approve or register OpenID-enabled sites or identity providers.

For more information about OpenID visit OpenID official site and look into the OpenID Book by Rafeeq Rehman.

29.1.2. How Does it Work?

The main purpose of the Zend_OpenId components is to implement an OpenID authentication protocol as described in the following diagram:

  1. Authentication is initiated by the end-user, who passes their OpenID identifier to the OpenID consumer through a User-Agent.

  2. The OpenID consumer performs normalization of the user-supplied identifier, and discovery on it. As result, it gets the following: a claimed identifier, OpenID provider URL and an OpenID protocol version.

  3. The OpenID client establishes an optional association with the server using Diffie-Hellman keys. As a result, both parties get a common "shared secret" that is used for signing and verification of the following (subsequent) messages.

  4. The OpenID consumer redirects the User-Agent to the OpenID provider's URL with an OpenID authentication request.

  5. The OpenID Provider checks if the user-Agent is already authenticated and offers to do so if needed.

  6. The end user enters the required password.

  7. The OpenID Provider checks if it is allowed to pass the user identity to the given consumer, and asks the user if needed.

  8. The end user allows or disallows passing his identity.

  9. The OpenID Provider redirects the User-Agent back to the OpenID consumer with an "authentication approved" or "failed" request.

  10. The OpenID consumer verifies the information received from the provider by using the "shared secret" it got on step 3 or by sending additional direct request to the OpenID provider.

29.1.3. Zend_OpenId Structure

Zend_OpenId consists of two sub packages. The first one is Zend_OpenId_Consumer for developing OpenID-enabled sites and the second Zend_OpenId_Provider for developing OpenID servers. They are completely independent of each other and may be used separately.

The only common parts of these sub packages are the OpenID Simple Registration Extension implemented by Zend_OpenId_Extension_Sreg class and the set of utility functions implemented by Zend_OpenId class.

[Замечание] Замечание

Zend_OpenId takes advantage of the GMP extension, where available. Consider enabling the GMP extension for better performance when using Zend_OpenId.

29.1.4. Supported Standards

The Zend_OpenId component conforms to the following standards:

  • OpenID Authentication protocol version 1.1

  • OpenID Authentication protocol version 2.0 draft 11

  • OpenID Simple Registration Extension version 1.0

  • OpenID Simple Registration Extension version 1.1 draft 1

    Поддержать сайт на родительском проекте КГБ