I created ForustOp_Auth for all authentication operations (“auth.login” and “auth.logout”) and just got through a successful test using my Blogger OpenID.
Rather than use SimpleOpenID directly, I skimmed it to get the gist and wrote mine from scratch. Just saying that induces a small shudder, but I wanted to fix some bugs (server URLs with query string parts), use PHP5-specific stuff, and avoid hassles with mixing their GPLv3-licensed code with my BSD-licensed code.
That said, it has some terrible flaws and is nowhere near secure. It’s enough to get me through the block I had.
You might note that the return_to URL has a parameter ‘p=1’ which has Forust operate on $_GET rather than $_POST. OpenID servers never POST, unfortunately, so I extended my API a bit (honestly had planned to for testing anyway).
The OpenID server discovery code uses cURL (so https will work) and also the PHP5 DOM which is awesome, if a bit verbose. It will handle improperly formed HTML and let you parse it like the XML DOM. I only use it to enumerate all the link elements, but it allowed me to forgo the wacky RegExp patterns used in SimpleOpenID.
Things to be done:
- Check the signature returned by the server.
- Use the nonce, but where is it? Is that only OpenID 2?
- Check openid_mode (must be == “id_res”).
- What happens if the same parameters are replayed elsewhere, couldn’t a snoop do that and be logged in with this identity? This is what the nonce solves (albeit with a slight race condition), right?
- I’m a bit worried about simply storing the user ID in the PHP session. Again it seems like something a snoop could take and put in their own requests to operate as that user unless I put the whole site on HTTPS when logged in (ridiculous?).
- Basic OpenID 2 support so I can use my Gmail account for testing.
There’s probably more, but these are enough questions to keep me busy.
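One way to cover the mode, signature and replay items from the list, as an added example rather than code from Forust or SimpleOpenID: an OpenID 1.1 stateless-mode check that assumes the consumer stored the server endpoint, the claimed identity and a fresh random nonce in the session before redirecting, and embedded that nonce in return_to as a hypothetical 'n' parameter (function and session key names are assumptions).

```php
<?php
// Added example, not Forust's or SimpleOpenID's code: verify an OpenID 1.1 response
// in stateless ("dumb") mode. Assumes the consumer stored the server endpoint, the
// claimed identity and a fresh random nonce in the session before redirecting, and
// put that nonce into return_to as 'n'. PHP renames 'openid.mode' to
// $_GET['openid_mode'], so the dots are restored before re-posting to the server.
function example_verify_openid_response(array $q, array &$session)
{
    // 1. Only a positive assertion counts; 'cancel' or anything else fails.
    if (!isset($q['openid_mode']) || $q['openid_mode'] !== 'id_res') return false;
    if (!isset($q['openid_identity'], $q['openid_return_to'], $q['openid_signed'], $q['openid_sig'],
               $session['openid_identity'], $session['openid_server'])) return false;
    // 2. The assertion must be about the identity we asked for, and the signature
    //    must cover the fields this decision depends on.
    if ($q['openid_identity'] !== $session['openid_identity']) return false;
    $signed = explode(',', $q['openid_signed']);
    foreach (array('identity', 'return_to') as $must) {
        if (!in_array($must, $signed, true)) return false;
    }
    // 3. Replay defence: return_to must carry the single-use nonce we issued.
    $rt = parse_url($q['openid_return_to']);
    parse_str(isset($rt['query']) ? $rt['query'] : '', $rtq);
    if (!isset($rtq['n'], $session['openid_nonce']) || $rtq['n'] !== $session['openid_nonce']) return false;
    unset($session['openid_nonce']);  // burn it before the network round trip
    // 4. Stateless signature check: re-post the assertion with
    //    openid.mode=check_authentication; the server answers is_valid:true if it signed it.
    $post = array();
    foreach ($q as $k => $v) {
        if (strpos($k, 'openid_') === 0) $post['openid.' . substr($k, 7)] = $v;
    }
    $post['openid.mode'] = 'check_authentication';
    $ch = curl_init($session['openid_server']);
    curl_setopt_array($ch, array(
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT => 10,
    ));
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) return false;
    // 5. Parse the key:value body; anything but an explicit is_valid:true fails.
    foreach (explode("\n", $body) as $line) {
        $kv = explode(':', trim($line), 2);
        if (count($kv) === 2 && $kv[0] === 'is_valid') return trim($kv[1]) === 'true';
    }
    return false;
}
```

Because the nonce is removed from the session before the round trip, a second submission of the same query string fails at step 3 even if the server would still vouch for the signature.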