asimkumar2222 / lightopenid Goto Github PK

Hi,

I had difficulties with your example.php, because the openId provider that I 
was using as test (Hyves.nl) uses POST callbacks rather than GET. So your login 
example failed because it only looks at $_GET['openid_mode']. I fixed this, and 
I also merged the Google example into the regular example (might be more 
convenient for most people). You might not agree with the latter, however here 
is the code.

Thanks!
Niels

>---



try {
    $openid_mode = '';
    if (isset($_GET['openid_mode']) ){
        $openid_mode=$_GET['openid_mode'];
    } else if (isset($_POST['openid_mode'])) {
        $openid_mode=$_POST['openid_mode'];
    } 
    if($openid_mode=='' ) {
        if (isset($_POST['openid_identifier'])) {
            $openid = new LightOpenID;

            // Google only provider
            if (strpos($_POST['openid_identifier'],'google')!==FALSE || 
                strpos($_POST['openid_identifier'],'gmail')!==FALSE) {
                $openid->identity = 'https://www.google.com/accounts/o8/id';
            } else {
                $openid->identity = $_POST['openid_identifier'];
            }
            header('Location: ' . $openid->authUrl());
        }
?>
<form action="" method="post">
    OpenID: <input type="text" name="openid_identifier" /> <button>Submit</button>
</form>
<?php
    } elseif ($openid_mode == 'cancel'   ) {
        echo 'User has canceled authentication!';
    } else {
        $openid = new LightOpenID;
        echo 'User ' . ($openid->validate() ? $openid->identity . ' has ' : 'has not ') . 'logged in.';
    }
} catch(ErrorException $e) {
    echo $e->getMessage();
}

If some openid fields contains diacritics e.g. ščťžýáň validation fails

Tested with myopenid.com provider.

$openid->required = array('contact/email');
$openid->optional = 
array('namePerson','namePerson/friendly','birthDate','person/gender');


It wasn't clear, and I found the example on stackoverflow.

Wish you had the source up here :)

This is from the master HEAD revision.

When using "http://launchpad.net/~myusername" as my openID, I get an error:

strpos() expects parameter 1 to be string, array given

On line 00225: && strpos($headers['Content-Type'], 'application/xrds+xml') !== 
false) {


* Here's a dump of $headers['Content-Type'] when the error occurs:

Array ( [0] => text/html; charset=iso-8859-1 [1] => text/html;charset=utf-8 )


I think this might be because there is a redirection 
"http://launchpad.net/~myusername" -> "https://launchpad.net/~myusername". When 
I'm directly entering "https://launchpad.net/~myusername", it seems to work 
fine.

Does this have something to do with the redirection and cURL?

I tried to implement an openid provider using lightopenid. It is accepted by an 
lightopenid consumer, but not by sourceforge or test-id.org

I tried to understand the issue but I am lost, this may be a bug in the way we 
use lightopenid-provider.


To reproduce
------------
1. Go to: http://test-id.org/OP/Sreg.aspx
2. Enter: https://stendhalgame.org
3. Login using ttttt / ttttt


Error message
-------------

Login failed: The OpenID Provider issued an assertion for an Identifier whose 
discovery information did not match.
Assertion endpoint info: 
    ClaimedIdentifier: https://stendhalgame.org/a/ttttt
    ProviderLocalIdentifier: https://stendhalgame.org/a/ttttt
    ProviderEndpoint: https://stendhalgame.org/?id=content/account/openid-provider

OpenID version: 2.0 Service Type URIs:
Discovered endpoint info: [{ 
    ClaimedIdentifier: http://specs.openid.net/auth/2.0/identifier_select
    ProviderLocalIdentifier: http://specs.openid.net/auth/2.0/identifier_select
    ProviderEndpoint: https://stendhalgame.org/?id=content/account/openid-provider
    OpenID version: 2.0 Service Type URIs: http://specs.openid.net/auth/2.0/server },]




Our code
--------

Our code is at 
http://arianne.cvs.sf.net/viewvc/arianne/stendhal_website/scripts/openid-provide
r.php?revision=1.7&view=markup (Note: the functions showConfirmationForm and 
getUserData are not used, yet).

The xrds document is declared by: header('X-XRDS-Location: 
'.STENDHAL_LOGIN_TARGET.'/?id=content/account/openid-provider&xrds');

The identifier points to an URL which simply displays a text: 
http://arianne.cvs.sf.net/viewvc/arianne/stendhal_website/content/account/a.php?
revision=1.1&view=markup

The OpenidProvider is configured at
http://arianne.cvs.sf.net/viewvc/arianne/stendhal_website/content/account/openid
-provider.php?revision=1.2&view=markup

Thanks for this great lib!

Hi,

This patch introduces Google Apps specific endpoint discovery through the 
additional discover_google_apps($url) method.

It might be helpful for those who wish to implement Google SSO (as described 
here: http://code.google.com/intl/en/googleapps/marketplace/sso.html)

--
idle sign

Not sure if this is related to issue 6, as it is also giving a warning with 
file_get_contents.
This is the error I'm getting when trying to login to Yahoo or Flickr (which is 
actually the same):

Warning: file_get_contents() [function.file-get-contents]: SSL: Connection 
reset by peer in /path/to/lightopenid/openid.php on line 212

If you need more info, please ask, as I'm not sure where to look for possible 
causes.

Hi mewp, this is Alix from StackOverflow.

While working on the porting of your library to the phunction framework I've 
noticed several bugs, one of them was related to several calls in the form of:

`$content = preg_match('...', $content, $...);`

This one seems to be solved with the latest release, but I can still spot one 
that can produce non-optimal, erroneous YADIS discoveries. Imagine the 
following scenario:

1) Content-Type: application/xrds+xml is matched.
2) You find a server that uses the http://specs.openid.net/auth/2.0/ namespace, 
and grab the $server.
3) You'll still try to search (due to the lack of else if) for the 
http://openid.net/signon/1.1/ namespace (why not also 1.0?), and if you find 
it, you'll grab the $server again. If you don't it's still inefficient, since 
you already have a 2.0 URI.

I suggest you either drop the $ns variable altogether and use if ... else if 
directly, or switch the order of the conditions, that the most preferable URI 
(2.0) overrides the previously one found (1.1).

An important security fix has been pushed to the git repo of the project but no 
release has been made that included that fix.

The security vulnerability that was fixed in the git repo is the one reported 
by Google on May 5:

http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html

Either the fix should be backported to the latest stable version or a new 
version with the current state of the git repo should be made available as 
downloadable package.

If I use a yahoo account, the discovery method ends up redirecting me to a 
yahoo login page. If I try a gmail.com account, I get this:

Fatal error: Uncaught exception 'ErrorException' with message 'No servers 
found!' in C:\inetpub\GlobalFit\openID\gfOpenID.php:472
Stack trace:
#0 C:\inetpub\GlobalFit\openID\lightopenid\openid.php(596): gfOpenID->discover()
#1 C:\inetpub\GlobalFit\openID\gfOpenID.php(23): 
LightOpenID->authUrl('xxxx@gmail...')

I'm not sure if this is a bug or if I need to do more here. When I use the 
example-google.php file, it says "Logged in" but if I go back to 
example-google.php it does not keep me logged in.

Sorry if I shouldn't write this here but I am not familiar with gitorious.  Are 
you keep the downloads section up to date (on code.google.com) or should we 
just download the source from the other website?  Might be something good to 
make perfectly clear on the project home page.

After the initial validation, how can I quickly check on other pages to see 
that the user has been authorized to view the site?
Thanks
David

Hello,

It seems that this class doesn't support Google Hybrid Protocol with is 
basically an OAuth extension to the OpenID protocol: 
http://code.google.com/apis/accounts/docs/OpenID.html#oauth

Here is what I did to support it

* I added a public $oauth variable (false)
* Added this code to authUrl_v2:

if ( $this->oauth ) {
    $params['openid.ns.oauth'] = 'http://specs.openid.net/extensions/oauth/1.0';
    $params['openid.oauth.consumer'] = str_replace(array('http://','https://'),'',$this->trustRoot);
    $params['openid.oauth.scope'] = implode(' ',$this->oauth);
}

It's a bit hackish, but it's working for my needs. Usage example (to get the 
OAuth working you have to register your domain in Google first):

$openid->identity = "https://www.google.com/accounts/o8/id";
// request access to Google Analytics
$openid->oauth = array(
    'https://www.google.com/analytics/feeds/'
);

Hope this help!

Regards

I was searching for an explanation for openid.realm. I found a good one here: 
http://code.google.com/intl/de-DE/apis/accounts/docs/OpenID.html#Parameters
on this page are many parameters explained in a few words. Perhaps you could 
link to it as an external link or mention it in the wiki-system.

If I have more questions / suggestions related to the documentation, I will 
write them down in this issue.

Trying to login with an lightopenid-provider to http://sourceforge.net does not 
work. Unfortunately there is no real error message. SourceForge says that they 
cannot help with other provides than the ones they officially support. There is 
only little documentation at 
https://sourceforge.net/apps/trac/sourceforge/wiki/OpenID

The issues happens with the example.php provider, too.

Hi, I downloaded version 8fc8ad7 (at 2011-10-10 21:15:00 UTC) to use in 
Codeigniter 2.0.3.

When I did a quick try on Saturday everything worked fine, today's version 
gives "Missing argument 2 for Openid::parse_header_array(), called in 
Openid.php on line 330" error.

This is my code:

if ($identity) {
            $config['host'] = base_url();
            $this->load->library('openid', $config);
            if (!$this->openid->mode) {
                $this->openid->identity = $identity;
                header('Location: ' . $this->openid->authUrl());
            }
        }

I think the problems resides in commit 7d0c3eb ( 
http://gitorious.org/lightopenid/lightopenid/commit/7d0c3eb30f13196233e540556444
c99896d14f48 ) which added the parse_header_array function.

This library appears to be doing XML parsing with regular expressions instead 
of an XML parser for its XRD discovery:

   $ns = preg_quote('http://specs.openid.net/auth/2.0/');
   if (preg_match('#<Service.*?>(.*)<Type>\s*'.$ns.'(.*?)\s*</Type>(.*)</Service>#s', $content, $m)) {

This fails dramatically if the discovery information contains other entries, 
matching a large swatch of the document instead of just the relevant entries 
for OpenID.

The result is that attempting to authenticate against a site such as identi.ca 
which offers other services such as OAuth in that same XRD ends up breaking, 
for instance by sending you off to the OAuth requesttoken URL instead of the 
OpenID endpoint.

I've looked around the web to find a solution for this but it seems to be 
coming down to the library. When I request contact/email from Google, it 
supplies it. When I request it from Yahoo, it always just responds with a 
namePerson/friendly - nothing else. 

I tried tweaking every possible setting. Some people suggested that I should 
only request 1 email address from Yahoo and that if I request more, it won't 
supply any at all. This however, can't be configured for the request - correct?

It seems odd nobody would have tested this, but is there any other reason? Once 
solved, I'm sure this would make a good entry to the wiki as I think others 
might have the same problem.

Hi,

I have tried to research the problem, but do not understand the protocol good 
enough to find the answer.

It fails in the Discovery with "No OpenID Server found at 
http://facebook-openid.appspot.com/"

I have tried the openid url at another site, and it worked.

I've been using OpenID with my google account for a while. I also included some 
meta header into my website like the following:

<link rel="openid2.provider" 
href="https://www.google.com/accounts/o8/ud?source=profiles" /> 
<link rel="openid2.local_id" 
href="http://www.google.com/profiles/12345678901234567890" /> 

When I try to login using my domain (like http://example.com) I will be 
redirected to the Google login screen. After login in I get the described "no 
servers found" error. I tried to debug your class to find the error, but I 
didn't really found out, why he is failing.

However I could find out, that if I create a public profile for my Google 
Account, it works as expected. But if I delete my public profile it fails again.

As I can use my profile for OpenID logins on other websites, there might be an 
error in the way you try to get the profile information from Google.

With an active profile I get the following headers:

Array
(
    [] => 
    [content-type] => text/html; charset=utf-8
    [x-xrds-location] => https://www.google.com/accounts/o8/id?source=profiles&id=http%3A%2F%2Fwww.google.com%2Fprofiles%2F123456789012345678901
    [date] => Tue, 09 Nov 2010 15:19:42 GMT
    [expires] => Tue, 09 Nov 2010 15:19:42 GMT
    [cache-control] => private, max-age=0
    [x-content-type-options] => nosniff
    [x-frame-options] => SAMEORIGIN
    [x-xss-protection] => 1; mode=block
    [server] => GSE
    [transfer-encoding] => chunked
)

This will start a second run of the foreach with following URL from the 
x-xrds-location header.

With an inactive header is doesn not "continue" but tries to get data from the 
BODY using this URL for the request: 
http://www.google.com/profiles/123456789012345678901
This will return an error page (which you can see if you try to open my example 
link in a browser).

I don't even know if the issue is with your class or with the way Google wants 
me to integrate the OpenID "provider" and "local_id" into my website. But as it 
works with other OpenID login implementations there should be a way to get it 
working.

Hi,

I added a query parameter to the returnUrl:

$openid->realm     = 'http://localhost';
$openid->returnUrl = $openid->realm.'/index.php?id=content/account/openid';


In validate() this parameter is part of data['openid_return_to'] but missing in 
$this->returnUrl.

$this->data['openid_return_to']: 
http://localhost/index.php?id=content/account/openid&openid.claimed_id=http://nh
nb.de/


$this->returnUrl: http://localhost/index.php?openid.claimed_id=http://nhnb.de/

Right now the library's data depends on these super globals. It would be nice 
if there was an option to provide the data instead of just relying on the super 
globals.

MyOpenID offers an affiliate program. When a user goes to the site and after 
registration myopenid.com returns with openid_identifier. Can you add similar 
functionality to the validation and verification of registration?

$ OpenidReg = new LightOpenID_Reg ();
$ OpenidReg-> affiliate = 12345;
header ('Location:'. $ openidReg-> regUrl ());

if ($ openidReg-> validate ()) $ openidIdentifier = $ openidReg-> identity

Something like this.

Hi,

first of all, I want to thank you. With your library, it is very easy to 
implement OpenID to a little project.

I would like to have a bit more information about OpenID Attribute Exchange in 
the Wiki-Section. Could you please create a new page with the following 
information:

AX and SREG extensions are supported.
To use them, specify $openid->required and/or $openid->optional before calling 
$openid->authUrl().
These are arrays, with values being AX schema paths (the 'path' part of the 
URL).
For example:
  $openid->required = array('namePerson/friendly', 'contact/email');
  $openid->optional = array('namePerson/first');

All possible Strings:
 * 'namePerson/friendly'
 * 'contact/email'
 * 'namePerson'
 * 'birthDate'
 * 'person/gender'
 * 'contact/postalCode/home'
 * 'contact/country/home'
 * 'pref/language'
 * 'pref/timezone'

Specification: http://openid.net/specs/openid-attribute-exchange-1_0.html

If a user enters an invalid domain like http://not.exists the following PHP 
warnings are generated:

Warning: get_headers() [function.get-headers]: php_network_getaddresses: 
getaddrinfo failed: Name or service not known in 
/srv/www/stendhal/lib/openid/lightopenid.php on line 148

Warning: get_headers(http://not.existing/) [function.get-headers]: failed to 
open stream: php_network_getaddresses: getaddrinfo failed: Name or service not 
known in /srv/www/stendhal/lib/openid/lightopenid.php on line 148

Warning: file_get_contents() [function.file-get-contents]: 
php_network_getaddresses: getaddrinfo failed: Name or service not known in 
/srv/www/stendhal/lib/openid/lightopenid.php on line 156

Warning: file_get_contents(http://not.existing/) [function.file-get-contents]: 
failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or 
service not known in /srv/www/stendhal/lib/openid/lightopenid.php on line 156

Warning: file_get_contents() [function.file-get-contents]: 
php_network_getaddresses: getaddrinfo failed: Name or service not known in 
/srv/www/stendhal/lib/openid/lightopenid.php on line 156

Warning: file_get_contents(http://not.existing/) [function.file-get-contents]: 
failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or 
service not known in /srv/www/stendhal/lib/openid/lightopenid.php on line 156

I just implemented this so I'm not sure if I'm understanding correctly, but 
from the example, it looks like to get Google's unique identifier for the user, 
you do:

$openid->identity;

When looking at the code in get's magic method:
return $this->claimed_id;

But if I var dump $this, the id is stuck at the end of (where XXXX's are):
[data][openid_claimed_id] => https://www.google.com/accounts/o8/id?id=XXXXXXX

whereas

 [claimed_id:private] =>

is empty....

I hope that makes sense? On Google's documentation:

http://code.google.com/apis/accounts/docs/OpenID.html

they state that they provide a unique ID, this way even when a user changes 
their name, we can be sure to uniquely identify them...Here's the exact quote:

"The Google-supplied identifier, which has no connection to the user's actual 
Google account name or password, is a persistent value; it remains constant 
even if the user changes their Google user name and/or email address. This 
identifier is also a "directed identity", that is, Google returns a different 
value to each relying party. Google uses the request parameter openid.realm to 
recognize the relying party, so if the third-party application decides to 
change this value, all user identifiers will change."

BTW this id seems identical in their example:

&openid.identity=https://www.google.com/accounts/o8/id/id=AItOawl27F2M92ry4jTdji
Vx06tuFNA

&openid.claimed_id=https://www.google.com/accounts/o8/id/id=AItOawl27F2M92ry4jTd
jiVx06tuFNA

I've just seen that the error messages could be improved:

"Invalid request." (line 201) - You get this message, if the host you've 
entered (e.g. http://martin-thoma.blogger.com) doesn't exist. So the message 
could be "Invalid request. Host 'http://martin-thoma.blogger.com' doesn't exist.

I've installed lightopenid and successfully used it with three openID providers 
(including Yahoo, myid.net and one which I installed a provider library on), 
but I get an error (below) when trying to use it with Symantec's 
pip.versignlabs.com provider.

If I enter my openID (https://<myid>.pip.verisignlabs.com) the error arises 
immediately; if I use the generic address http://pip.verisignlabs.com and then 
login, the error is the same but on return from the remote login.

[Tue Apr 12 11:54:52 2011] [error] [client 86.26.13.165] PHP Fatal error:  
Uncaught exception 'ErrorException' with message 'error:14077458:SSL 
routines:SSL23_GET_SERVER_HELLO:reason(1112)' in 
/home/ensembling/DevV3/www/lightopenid/openid.php:193\nStack trace:\n#0 
/home/ensembling/DevV3/www/lightopenid/openid.php(292): 
LightOpenID->request_curl('https://...', 'GET', Array)\n#1 
/home/ensembling/DevV3/www/lightopenid/openid.php(431): 
LightOpenID->request('https://...', 'GET')\n#2 
/home/ensembling/DevV3/www/lightopenid/openid.php(651): 
LightOpenID->discover('https://...')\n#3 
/home/ensembling/DevV3/www/lightopenid/openidreturn.php(11): 
LightOpenID->validate()\n#4 {main}\n  thrown in 
/home/ensembling/DevV3/www/lightopenid/openid.php on line 193, referer: 
https://pip.verisignlabs.com/dataExchange?target=render&identityName=...


FYI this is PHP5.3.3-7 and the php curl library reports 7.21.0 and libssh2/1.2.5

The error happened in the callback during validate() on line 621. My Yahoo 
claimed_id has a URL fragment (#ennnn). The problem is in build_url() called 
from discover() where the $url['fragment'] is added to the new discovery $url.

I've attached a diff that fixes the error.

Consumer in this library is not working with the biggest czech OpenID provider, 
because he sends content-type 'text/xml' instead of 'application/xrds+xml'.

I propose this simple patch, which make's it working.

Hi,
I'm testing lightopenid on PHP as FastCGI on Microsoft IIS 5.1 setup.
In this environment I have $_SERVER['HTTPS']=='off'.

To make LightOpenId working I've modified first line in constructor:

    function __construct()
    {
        $this->trustRoot = ((!empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS']!='off')) ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'];
...

I'm not sure if IIS is popular, but maybe one additional condition could be 
added to support this platform...

Best regards,
Seba.

Hey!

How can i manage, to log in with a single gmail address?

Regards, János

When using 'http://*.example.com' realm validate() always returns FALSE from 
validate() method. It's because of this line in validate():
if ($this->data['openid_return_to'] != $this->returnUrl)

$this->returnUrl is improperly constructed in __construct()
$this->returnUrl = $this->trustRoot . $uri;
(trustRoot may contain wildcard).

Warning: get_headers() [function.get-headers]: This function may only be used 
against URLs. in /home/a6630283/public_html/connect/openid.php on line 177

Warning: file_get_contents(https://www.google.com/accounts/o8/id) 
[function.file-get-contents]: failed to open stream: No such file or directory 
in /home/a6630283/public_html/connect/openid.php on line 212

Warning: file_get_contents(https://www.google.com/accounts/o8/id) 
[function.file-get-contents]: failed to open stream: No such file or directory 
in /home/a6630283/public_html/connect/openid.php on line 212

No servers found!

Hello,

I get an "Undefined variable: attributes" when trying to call the 
getAttributes() method after a successful authentication, and I think the 
problem comes from lightOpenID.

Here is the code I use :
if(#user has provided an identifier#) {
    $lightOpenID = new \LightOpenID();
    $lightOpenID->required = array('namePerson/friendly', 'contact/email');
    $lightOpenID->identity = $provider_given_by_user;
    header('Location: '.$lightOpenID->authUrl());
    die;
}
if(isset($_GET['openid_mode'])) {
    $lightOpenID = new \LightOpenID();
    if($lightOpenID->validate()) {
        header('Content-Type: text/plain');
        print_r($lightOpenID->getAttributes());
        die;
    } else {
        die(_('Authentication failed somehow.'));
    }
}

And here is the full stack trace :
Undefined variable: attributes
#0 /staging/src/3rdparty/lightopenid/openid.php(523): Logger::handleError(8, 
'Undefined varia...', '...
#1 /staging/src/3rdparty/lightopenid/openid.php(559): 
LightOpenID->getAxAttributes()
#2 /staging/src/UI/Base/Register.php(146): LightOpenID->getAttributes()

My provider is myOpenid.com and I used the version in 22bb9a0 (master at the 
moment). If you need more information, please ask.

When php script with LightOpenID constructor call is accessed via https:// 
scheme AND constructor is given 'https://example.com' address $openid->realm is 
malformed.

Following code:
$openid = LightOpenID('https://example.com');
echo $openid->realm;
produces
'https://https://example.com'.
where it should be:
'https://example.com'

For those who wants to fetch user data of users using Google openid, here is a 
patch.
(Attached you'll find a diff)

1) Add this function:
    protected function nsTranslate($field)
    {
    switch($field) {
        case "email": return("contact/email");
        case "country": return("contact/country/home");
        case "firstname": return("namePerson/first");
        case "lastname": return("namePerson/last");
        case "language": return("pref/language");
    }
    return($field);
    }
2) In function axParams(), change:
$this->aliases[$alias]='http://axschema.org/'.$field;
to:
$this->aliases[$alias]='http://axschema.org/'.$this->nsTranslate($field);

This should send *FOR GOOGLE* the right openid.ns.ax values in request.
To use it see second attached file

On openid delegation authUrl_v1 appends the openid.claim_id to the returnUrl. 
validate(), however, failes because it does not expect that addition.

Workaround in validate():
if (strpos($this->data['openid_return_to'], $this->returnUrl) !== 0) {


Note: I don't know if that has a security impact

Could you please add support for localization? 

You could add "/* l18n */" after each string that should get localized, so it 
would be easier to find them. If you created a wiki-page, I'd add my l18n for 
german.

In php 5.4beta1 the function get_magic_quotes_gpc() is deprecated and has been 
removed.

As this library uses that function it's not working int php 5.4.

I'm having a problem using lightopenid in a google gadget. After clicking on 
"login with google", it only show a blank canva. See my issue here:

http://stackoverflow.com/questions/4770261/using-lightopenid-in-google-gadget

If there a work around for it? Thanks in advance.

my class

class Ncw_OpenID extends LightOpenID
{
    const OPENID_MODE_CANCEL = 'cancel';

    /**
     * @todo Не работает авторизация с параметрами
     */
    public function __construct()
    {
        parent::__construct();
        $this->required = array('namePerson/friendly', 'contact/email');
        $this->optional = array('contact/email');
    }

    public function  getAttributes() {
        $attr = parent::getAttributes();
        $newAttr = array();
        foreach ($attr as $key => $value) {
            if (isset(parent::$ax_to_sreg[$key])) $key = parent::$ax_to_sreg[$key];
            $newAttr[$key] = $value;
        }
        return $newAttr;
    }
}

$openid->validate() return false, if i comment
//$this->required = array('namePerson/friendly', 'contact/email');
//$this->optional = array('contact/email');
openid work...

Hi,

Yes, it's terribly minor (or even less), anyway I get a nice warning 
'assignment in condition' in the openid.php file at line 340 when working with 
ZendStudio:

"
$content = $this->request($url, 'GET');
if ($location = $this->htmlTag($content, 'meta', 'http-equiv', 
'X-XRDS-Location', 'value')) {
   $url = $this->build_url(parse_url($url), parse_url($location));
    continue;
       }
"

If you just replace it with something like this, ZendStudio is happy as well. 
Tnx!

"
$content = $this->request($url, 'GET');
$location = $this->htmlTag($content, 'meta', 'http-equiv', 'X-XRDS-Location', 
'value');
 if ($location=='') {
$url = $this->build_url(parse_url($url), parse_url($location));
 continue;
 }

Because the returnUrl is set to the current url(request uri) but with the query 
string stripped, it fails to return true when the url has one.

At this point, unless I'm missing something about the involved protocols, I 
don't see why should it be stripped, or why do we need the expression 
"($this->data['openid_return_to'] != $this->returnUrl)" at all.

In case it's actually needed, we can still get the returnUrl WITH the query 
string we provided, by replacing, in the __construct method:

- $uri = strpos($uri, '?') ? substr($uri, 0, strpos($uri, '?')) : $uri;

for this

+ $uri = preg_replace('#((?<=\?)|&)openid\..*(?>=&|$)#','',$uri);

The code for getting the identity property says "We return claimed_id instead 
of identity, because the developer should see the claimed identifier". That's 
fine for the login security, but it's distracting to the user when he's 
managing his OpenID identities in my account control. See stackoverflow, I have 
a list of my identities and it's not google.com/some-long-blah but it's exactly 
my domain as I've entered it when logging in, even without the unnecessary 
http:// stuff. Can I get that URL back from LightOpenID or do I have to 
remember it elsewhere? Is it safe to remember what the user has entered before 
redirecting away and using that input later again?

Hi,

the x-xrds-location header is ignored because of an upper case letter in the 
key name. $this->request($url, 'HEAD') converts all header names to lower case.

The following patch will redirect to the AOL login screen instead of failing 
with "No server found". I don't have an AOL account, so i cannot test the 
validation part.

--- lightopenid.php     26 Sep 2010 21:14:23 -0000      1.4
+++ lightopenid.php     27 Sep 2010 00:16:20 -0000
@@ -227,8 +227,8 @@
                 $headers = $this->request($url, 'HEAD');

                 $next = false;
-                    if (isset($headers['x-xrds-Location'])) {
-                        $url = $this->build_url(parse_url($url), 
parse_url(trim($headers['x-xrds-Location'])));
+                if (isset($headers['x-xrds-location'])) {
+                        $url = $this->build_url(parse_url($url), 
parse_url(trim($headers['x-xrds-location'])));
                         $next = true;
                     }

Hi,

if you used your SVN-repository, it would be easier to see which changes you 
made.

Martin

Suppose you use a reverse proxy to dispatch requests to different servers and 
suppose that your site uses https. Then the dispatcher needs to forward the 
request and the information about the protocol gets lost. On the server behind 
the dispatcher $_SERVER['HTTPS'] is empty.

To solve this issue it looks like an established convention that site 
adminstrators that need reverse proxies and https in their server setup 
introduce the server variable HTTP_X_FORWARDED_PROTO to make the 'real' 
protocol of the client visible to the servers behind the proxy. If you would 
substitute line 73


$this->trustRoot = ((empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') ? 
'http' : 'https') . '://' . $_SERVER['HTTP_HOST'];


with the following code:


        if(!empty($_SERVER['HTTPS']) || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) {
            $this->trustRoot = 'https://'.$_SERVER['HTTP_HOST'];
        } else {
            $this->trustRoot = 'http://'.$_SERVER['HTTP_HOST'];
        }

then lightopenid can be used behind reverse proxies and with https.
Just setting the realm/trustRoot manually using the api did not work for me as 
then the validate method failed. If there is a better way to go, please tell me.

Best regards and thanks for providing this library
Silvan