{ "content": [ { "type": "text", "text": "# Net::OpenID::Consumer (perldoc)\n\n## NAME\n\nNet::OpenID::Consumer - Library for consumers of OpenID identities\n\n## SYNOPSIS\n\nuse Net::OpenID::Consumer;\nmy $csr = Net::OpenID::Consumer->new(\nua => LWPx::ParanoidAgent->new,\ncache => Cache::File->new( cacheroot => '/tmp/mycache' ),\nargs => $cgi,\nconsumersecret => ...,\nrequiredroot => \"http://site.example.com/\",\nassocoptions => [\nmaxencrypt => 1,\nsessionnoencrypthttps => 1,\n],\n);\n# Say a user enters \"bradfitz.com\" as his/her identity. The first\n# step is to perform discovery, i.e., fetch that page, parse it,\n# find out the actual identity provider and other useful information,\n# which gets encapsulated in a Net::OpenID::ClaimedIdentity object:\nmy $claimedidentity = $csr->claimedidentity(\"bradfitz.com\");\nunless ($claimedidentity) {\ndie \"not actually an openid? \" . $csr->err;\n}\n# We can then launch the actual authentication of this identity.\n# The first step is to redirect the user to the appropriate URL at\n# the identity provider. This URL is constructed as follows:\n#\nmy $checkurl = $claimedidentity->checkurl(\nreturnto => \"http://example.com/openid-check.app?yourarg=val\",\ntrustroot => \"http://example.com/\",\n# to do a \"checkidsetup mode\" request, in which the user can\n# interact with the provider, e.g., so that the user can sign in\n# there if s/he has not done so already, you will need this,\ndelayedreturn => 1\n# otherwise, this will be a \"checkimmediate mode\" request, the\n# provider will have to immediately return some kind of answer\n# without interaction\n);\n# Once you redirect the user to $checkurl, the provider should\n# eventually redirect back, at which point you need some kind of\n# handler at openid-check.app to deal with that response.\n# You can either use the callback-based API (recommended)...\n#\n$csr->handleserverresponse(\nnotopenid => sub {\ndie \"Not an OpenID message\";\n},\nsetupneeded => sub {\nif ($csr->message->protocolversion >= 2) {\n# (OpenID 2) retry request in checkidsetup mode (above)\n}\nelse {\n# (OpenID 1) redirect user to $csr->usersetupurl\n}\n},\ncancelled => sub {\n# User hit cancel; restore application state prior to checkurl\n},\nverified => sub {\nmy ($vident) = @;\nmy $verifiedurl = $vident->url;\nprint \"You are $verifiedurl !\";\n},\nerror => sub {\nmy ($errcode,$errtext) = @;\ndie(\"Error validating identity: $errcode: $errcode\");\n},\n);\n# ... or handle the various cases yourself\n#\nunless ($csr->isserverresponse) {\ndie \"Not an OpenID message\";\n} elsif ($csr->setupneeded) {\n# (OpenID 2) retry request in checkidsetup mode\n# (OpenID 1) redirect/link/popup user to $csr->usersetupurl\n} elsif ($csr->usercancel) {\n# User hit cancel; restore application state prior to checkurl\n} elsif (my $vident = $csr->verifiedidentity) {\nmy $verifiedurl = $vident->url;\nprint \"You are $verifiedurl !\";\n} else {\ndie \"Error validating identity: \" . $csr->err;\n}\n\n## DESCRIPTION\n\nThis is the Perl API for (the consumer half of) OpenID, a distributed identity system based on\nproving you own a URL, which is then your identity. More information is available at:\n\n## Sections\n\n- **NAME**\n- **VERSION**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **CONSTRUCTOR**\n- **METHODS** (4 subsections)\n- **ERROR CODES**\n- **PROTOCOL VARIANCES**\n- **COPYRIGHT**\n- **WARRANTY**\n- **MAILING LIST**\n- **SEE ALSO**\n- **AUTHORS**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "Net::OpenID::Consumer", "section": "", "mode": "perldoc", "summary": "Net::OpenID::Consumer - Library for consumers of OpenID identities", "synopsis": "use Net::OpenID::Consumer;\nmy $csr = Net::OpenID::Consumer->new(\nua => LWPx::ParanoidAgent->new,\ncache => Cache::File->new( cacheroot => '/tmp/mycache' ),\nargs => $cgi,\nconsumersecret => ...,\nrequiredroot => \"http://site.example.com/\",\nassocoptions => [\nmaxencrypt => 1,\nsessionnoencrypthttps => 1,\n],\n);\n# Say a user enters \"bradfitz.com\" as his/her identity. The first\n# step is to perform discovery, i.e., fetch that page, parse it,\n# find out the actual identity provider and other useful information,\n# which gets encapsulated in a Net::OpenID::ClaimedIdentity object:\nmy $claimedidentity = $csr->claimedidentity(\"bradfitz.com\");\nunless ($claimedidentity) {\ndie \"not actually an openid? \" . $csr->err;\n}\n# We can then launch the actual authentication of this identity.\n# The first step is to redirect the user to the appropriate URL at\n# the identity provider. This URL is constructed as follows:\n#\nmy $checkurl = $claimedidentity->checkurl(\nreturnto => \"http://example.com/openid-check.app?yourarg=val\",\ntrustroot => \"http://example.com/\",\n# to do a \"checkidsetup mode\" request, in which the user can\n# interact with the provider, e.g., so that the user can sign in\n# there if s/he has not done so already, you will need this,\ndelayedreturn => 1\n# otherwise, this will be a \"checkimmediate mode\" request, the\n# provider will have to immediately return some kind of answer\n# without interaction\n);\n# Once you redirect the user to $checkurl, the provider should\n# eventually redirect back, at which point you need some kind of\n# handler at openid-check.app to deal with that response.\n# You can either use the callback-based API (recommended)...\n#\n$csr->handleserverresponse(\nnotopenid => sub {\ndie \"Not an OpenID message\";\n},\nsetupneeded => sub {\nif ($csr->message->protocolversion >= 2) {\n# (OpenID 2) retry request in checkidsetup mode (above)\n}\nelse {\n# (OpenID 1) redirect user to $csr->usersetupurl\n}\n},\ncancelled => sub {\n# User hit cancel; restore application state prior to checkurl\n},\nverified => sub {\nmy ($vident) = @;\nmy $verifiedurl = $vident->url;\nprint \"You are $verifiedurl !\";\n},\nerror => sub {\nmy ($errcode,$errtext) = @;\ndie(\"Error validating identity: $errcode: $errcode\");\n},\n);\n# ... or handle the various cases yourself\n#\nunless ($csr->isserverresponse) {\ndie \"Not an OpenID message\";\n} elsif ($csr->setupneeded) {\n# (OpenID 2) retry request in checkidsetup mode\n# (OpenID 1) redirect/link/popup user to $csr->usersetupurl\n} elsif ($csr->usercancel) {\n# User hit cancel; restore application state prior to checkurl\n} elsif (my $vident = $csr->verifiedidentity) {\nmy $verifiedurl = $vident->url;\nprint \"You are $verifiedurl !\";\n} else {\ndie \"Error validating identity: \" . $csr->err;\n}", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [], "see_also": [], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "VERSION", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 90, "subsections": [] }, { "name": "DESCRIPTION", "lines": 5, "subsections": [] }, { "name": "CONSTRUCTOR", "lines": 8, "subsections": [] }, { "name": "METHODS", "lines": 1, "subsections": [ { "name": "State", "lines": 28 }, { "name": "Configuration", "lines": 233 }, { "name": "Performing Discovery", "lines": 11 }, { "name": "Handling Provider Responses", "lines": 99 } ] }, { "name": "ERROR CODES", "lines": 100, "subsections": [] }, { "name": "PROTOCOL VARIANCES", "lines": 31, "subsections": [] }, { "name": "COPYRIGHT", "lines": 6, "subsections": [] }, { "name": "WARRANTY", "lines": 2, "subsections": [] }, { "name": "MAILING LIST", "lines": 3, "subsections": [] }, { "name": "SEE ALSO", "lines": 8, "subsections": [] }, { "name": "AUTHORS", "lines": 10, "subsections": [] } ], "sections": { "NAME": { "content": "Net::OpenID::Consumer - Library for consumers of OpenID identities\n", "subsections": [] }, "VERSION": { "content": "version 1.18\n", "subsections": [] }, "SYNOPSIS": { "content": "use Net::OpenID::Consumer;\n\nmy $csr = Net::OpenID::Consumer->new(\nua => LWPx::ParanoidAgent->new,\ncache => Cache::File->new( cacheroot => '/tmp/mycache' ),\nargs => $cgi,\nconsumersecret => ...,\nrequiredroot => \"http://site.example.com/\",\nassocoptions => [\nmaxencrypt => 1,\nsessionnoencrypthttps => 1,\n],\n);\n\n# Say a user enters \"bradfitz.com\" as his/her identity. The first\n# step is to perform discovery, i.e., fetch that page, parse it,\n# find out the actual identity provider and other useful information,\n# which gets encapsulated in a Net::OpenID::ClaimedIdentity object:\n\nmy $claimedidentity = $csr->claimedidentity(\"bradfitz.com\");\nunless ($claimedidentity) {\ndie \"not actually an openid? \" . $csr->err;\n}\n\n# We can then launch the actual authentication of this identity.\n# The first step is to redirect the user to the appropriate URL at\n# the identity provider. This URL is constructed as follows:\n#\nmy $checkurl = $claimedidentity->checkurl(\nreturnto => \"http://example.com/openid-check.app?yourarg=val\",\ntrustroot => \"http://example.com/\",\n\n# to do a \"checkidsetup mode\" request, in which the user can\n# interact with the provider, e.g., so that the user can sign in\n# there if s/he has not done so already, you will need this,\ndelayedreturn => 1\n\n# otherwise, this will be a \"checkimmediate mode\" request, the\n# provider will have to immediately return some kind of answer\n# without interaction\n);\n\n# Once you redirect the user to $checkurl, the provider should\n# eventually redirect back, at which point you need some kind of\n# handler at openid-check.app to deal with that response.\n\n# You can either use the callback-based API (recommended)...\n#\n$csr->handleserverresponse(\nnotopenid => sub {\ndie \"Not an OpenID message\";\n},\nsetupneeded => sub {\nif ($csr->message->protocolversion >= 2) {\n# (OpenID 2) retry request in checkidsetup mode (above)\n}\nelse {\n# (OpenID 1) redirect user to $csr->usersetupurl\n}\n},\ncancelled => sub {\n# User hit cancel; restore application state prior to checkurl\n},\nverified => sub {\nmy ($vident) = @;\nmy $verifiedurl = $vident->url;\nprint \"You are $verifiedurl !\";\n},\nerror => sub {\nmy ($errcode,$errtext) = @;\ndie(\"Error validating identity: $errcode: $errcode\");\n},\n);\n\n# ... or handle the various cases yourself\n#\nunless ($csr->isserverresponse) {\ndie \"Not an OpenID message\";\n} elsif ($csr->setupneeded) {\n# (OpenID 2) retry request in checkidsetup mode\n# (OpenID 1) redirect/link/popup user to $csr->usersetupurl\n} elsif ($csr->usercancel) {\n# User hit cancel; restore application state prior to checkurl\n} elsif (my $vident = $csr->verifiedidentity) {\nmy $verifiedurl = $vident->url;\nprint \"You are $verifiedurl !\";\n} else {\ndie \"Error validating identity: \" . $csr->err;\n}\n", "subsections": [] }, "DESCRIPTION": { "content": "This is the Perl API for (the consumer half of) OpenID, a distributed identity system based on\nproving you own a URL, which is then your identity. More information is available at:\n\nhttp://openid.net/\n", "subsections": [] }, "CONSTRUCTOR": { "content": "new\nmy $csr = Net::OpenID::Consumer->new( %options );\n\nThe following option names are recognized: \"ua\", \"cache\", \"args\", \"consumersecret\",\n\"minimumversion\", \"requiredroot\", \"assocoptions\", and \"nonceoptions\" in the constructor.\nIn each case the option value is treated exactly as the argument to the corresponding method\ndescribed below under Configuration.\n", "subsections": [] }, "METHODS": { "content": "", "subsections": [ { "name": "State", "content": "$csr->message($key)\nReturns the value for the given key/field from the OpenID protocol message contained in the\nrequest URL parameters (i.e., the value for the URL parameter \"openid.$key\"). This can only\nbe used to obtain core OpenID fields not extension fields.\n\nCalling this method without a $key argument returns a Net::OpenID::IndirectMessage object\nrepresenting the protocol message, at which point the various object methods are available,\nincluding\n\n$csr->message->protocolversion\n$csr->message->hasext\n$csr->message->getext\n\nReturns undef in either case if no URL parameters have been supplied (i.e., because args()\nhas not been initialized) or if the request is not an actual OpenID message.\n\n$csr->err\nReturns the last error, in form \"errcode: errtext\", as set by the various handlers below.\n\n$csr->errcode\nReturns the last error code. See Error Codes below.\n\n$csr->errtext\nReturns the last error text.\n\n$csr->jsonerr\nReturns the last error code/text in JSON format.\n" }, { "name": "Configuration", "content": "$csr->ua($useragent)\n$csr->ua\nGetter/setter for the LWP::UserAgent (or subclass) instance which will be used when direct\nHTTP requests to a provider are needed. It's highly recommended that you use\nLWPx::ParanoidAgent, or at least read its documentation so you're aware of why you should\ncare.\n\n$csr->cache($cache)\n$csr->cache\nGetter/setter for the cache instance which is used for storing fetched HTML or XRDS pages,\nkeys for associations with identity providers, and received responsenonce values from\npositive provider assertions.\n\nThe $cache object can be anything that has a ->get($key) and ->set($key,$value[,$expire])\nmethods. See URI::Fetch for more information. This cache object is passed to URI::Fetch\ndirectly.\n\nSetting a cache instance is not absolutely required, But without it, provider associations\nwill not be possible and the same pages may be fetched multiple times during discovery. It\nwill also not be possible to check for repetition of the responsenonce, which may then\nleave you open to replay attacks.\n\n$csr->consumersecret($scalar)\n$csr->consumersecret($code)\n$code = $csr->B; ($secret) = $code->($time);\n\nThe consumer secret is used to generate self-signed nonces for the returnto URL, to prevent\nspoofing.\n\nIn the simplest (and least secure) form, you configure a static secret value with a scalar.\nIf you use this method and change the scalar value, any outstanding requests from the last\n30 seconds or so will fail.\n\nYou may also supply a subref that takes one argument, *$time*, a unix timestamp and returns\na secret.\n\nYour secret may not exceed 255 characters.\n\nFor the best protection against replays and login cross-site request forgery,\nconsumersecret should additionally depend on something known to be specific to the client\nbrowser instance and not visible to an attacker. If \"SSHSESSIONID\" is available, you\nshould use that. Otherwise you'll need to set a (Secure) cookie on the (HTTPS) page where\nthe signin form appears in order to establish a pre-login session, then make sure to change\nthis cookie upon successful login.\n\n$csr->minimumversion(2)\n$csr->minimumversion\nGet or set the minimum OpenID protocol version supported. Currently the only useful value\nyou can set here is 2, which will cause 1.1 identifiers to fail discovery with the error\n\"protocolversionincorrect\" and responses from version 1 providers to not be recognized.\n\nIn most cases you'll want to allow both 1.1 and 2.0 identifiers, which is the default. If\nyou want, you can set this property to 1 to make this behavior explicit.\n\n$csr->args($ref)\n$csr->args($param)\n$csr->args\nCan be used in 1 of 3 ways:\n\n1. Set the object from which URL parameter names and values are to be retrieved:\n\n$csr->args( $reference )\n\nwhere $reference is either an unblessed \"HASH\" ref, a \"CODE\" ref, or some kind of\n\"request object\" — the latter being either a CGI, Apache, Apache::Request,\nApache2::Request, or Plack::Request object.\n\nIf you pass in a \"CODE\" ref, it must,\n\n* given a single parameter name argument, return the corresponding parameter value,\n*and*,\n\n* given no arguments at all, return the full list of parameter names from the request.\n\nIf you pass in an Apache (modperl 1.x interface) object and this is a POST request, you\nmust *not* have already called \"$r->content\" as this routine will be making said call\nitself in order to extract the request parameters.\n\n2. Get a parameter value:\n\nmy $foo = $csr->args(\"foo\");\n\nWhen given an unblessed scalar, it retrieves the value. It croaks if you haven't defined\na way to get at the parameters.\n\nMost callers should instead use the \"message\" method above, which abstracts away the\nneed to understand OpenID's message serialization.\n\n3. Get the parameter getter:\n\nmy $code = $csr->args;\n\nthis being a subref that takes a parameter name and returns the corresponding value.\n\nMost callers should instead use the \"message\" method above with no arguments, which\nreturns an object from which extension attributes can be obtained by their documented\nnamespace URI.\n\n$csr->requiredroot($urlprefix)\n$csr->requiredroot\nGets or sets the string prefix that, if nonempty, all returnto URLs must start with.\nMessages with returnto URLS that don't match will be considered invalid (spoofed from\nanother site).\n\n$csr->assocoptions(...)\n$csr->assocoptions\nGet or sets the hash of parameters that determine how associations with identity providers\nwill be made. Available options include:\n\n\"assoctype\"\nAssociation type, (default 'HMAC-SHA1')\n\n\"sessiontype\"\nAssociation session type, (default 'DH-SHA1')\n\n\"maxencrypt\"\n(boolean) Use best encryption available for protocol version for both session type and\nassociation type. This overrides \"sessiontype\" and \"assoctype\"\n\n\"sessionnoencrypthttps\"\n(boolean) Use an unencrypted session type if the ID provider URL scheme is \"https:\".\nThis overrides \"maxencrypt\" if both are set.\n\n\"alloweavesdropping\"\n(boolean) Because it is generally a bad idea, we abort associations where an unencrypted\nsession over a non-SSL connection is called for. However the OpenID 1.1 specification\ntechnically allows this, so if that is what you really want, set this flag true. Ignored\nunder protocol version 2.\n\n$csr->nonceoptions(...)\n$csr->nonceoptions\nGets or sets the hash of options for how responsenonce should be checked.\n\nIn OpenID 2.0, responsenonce is sent by the identity provider as part of a positive\nidentity assertion in order to help prevent replay attacks. In the checkauthentication\nphase, the provider is also required to not authenticate the same responsenonce twice.\n\nThe relying party is strongly encouraged but not required to reject multiple occurrences of\na nonce (which can matter if associations are in use and there is no checkauthentication\nphase). Relying party may also choose to reject a nonce on the basis of the timestamp being\nout of an acceptable range.\n\nAvailable options include:\n\n\"nocheck\"\n(boolean) Skip responsenonce checking entirely. This overrides all other nonceoptions.\n\n\"nocheck\" is implied and is the only possibility if $csr->cache is unset.\n\n\"lifetime\"\n(integer) Cache entries for nonces will expire after this many seconds.\n\nDefaults to the value of \"window\", below.\n\nIf \"lifetime\" is zero or negative, expiration times will not be set at all; entries will\nexpire as per the default behavior for your cache (or you will need to purge them via\nsome separate process).\n\nIf your cache implementation ignores the third argument on $entry->set() calls (see\nCache::Entry), then this option has no effect beyond serving as a default for \"window\".\n\n\"ignoretime\"\n(boolean) Do not do any checking of timestamps, i.e., only test whether nonce is in the\ncache. This overrides all other nonce options except for \"lifetime\" and \"nocheck\"\n\n\"skew\"\n(integer) Number of seconds that a provider clock can be ahead of ours before we deem it\nto be misconfigured.\n\nDefault skew is 300 (5 minutes) or \"window/2\", if \"window\" is specified and \"window/2\"\nis smaller.\n\n(\"skew\" is treated as 0 if set negative, but don't do that).\n\nMisconfiguration of the provider clock means its timestamps are not reliable, which then\nmeans there is no way to know whether or not the nonce could have been sent before the\nstart of the cache window, which nullifies any obligation to detect all multiply sent\nnonces. Conversely, if proper configuration can be assumed, then the timestamp value\nminus \"skew\" will be the earliest possible time that we could have received a previous\ninstance of this responsenonce, and if the cache is reliable about holding entries from\nthat time forward, then (and only then) can one be certain that an uncached nonce\ninstance is indeed the first.\n\n\"start\"\n(integer) Reject nonces where *timestamp* minus \"skew\" is earlier than \"start\" (absolute\nseconds; default is zero a.k.a. midnight 1/1/1970 UTC)\n\nIf you know the start time of your HTTP server (or your cache server, if that is\nseparate — or the maximum of the start times if you have multiple cache servers), you\nshould use this option to declare that.\n\n\"window\"\n(integer) Reject nonces where *timestamp* minus \"skew\" is more than \"window\" seconds\nago. Zero or negative values of \"window\" are treated as infinite (i.e., allow\neverything).\n\nIf \"lifetime\" is specified, \"window\" defaults to that. If \"lifetime\" is not specified,\n\"window\" defaults to 1800 (30 minutes), adjusted upwards if \"skew\" is specified and\nlarger than the default skew.\n\nOn general principles, \"window\" should be a maximal expected propagation delay plus\ntwice the \"skew\".\n\nValues between 0 and \"skew\" (causing all nonces to be rejected) and values greater than\n\"lifetime\" (cache may fail to keep all nonces that are still within the window) are\n*not* recommended.\n\n\"timecop\"\n(boolean) Reject nonces from The Future (i.e., timestamped more than \"skew\" seconds from\nnow).\n\nNote that rejecting future nonces is not required. Nor does it protect from anything\nsince an attacker can retry the message once it has expired from the cache but is still\nwithin the time interval where we would not yet *expect* that it could expire — this\nbeing the essential problem with future nonces. It may, however, be useful to have\nwarnings about misconfigured provider clocks — and hence about this insecurity — at the\ncost of impairing interoperability (since this rejects messages that are otherwise\nallowed by the protocol), hence this option.\n\nIn most cases it will be enough to either set \"nocheck\" to dispense with responsenonce\nchecking entirely because some other (better) method of preventing replay attacks (see\nconsumersecret) has been implemented, or use \"lifetime\" to declare/set the lifetime of\ncache entries for nonces whether because the default lifetime is unsatisfactory or because\nthe cache implementation is incapable of setting individual expiration times. All other\noptions should default reasonably in these cases.\n\nIn order for the nonce check to be as reliable/secure as possible (i.e., that it block all\ninstances of duplicate nonces from properly configured providers as defined by \"skew\", which\nis the best we can do), \"start\" must be no earlier than the cache start time and the cache\nmust be guaranteed to hold nonce entries for at least \"window\" seconds (though, to be sure,\nif you can tolerate being vulnerable for the first \"window\" seconds of a server run, then\nyou do not need to set \"start\").\n" }, { "name": "Performing Discovery", "content": "$csr->claimedidentity($url)\nGiven a user-entered $url (which could be missing http://, or have extra whitespace, etc),\nconverts it to canonical form, performs partial discovery to confirm that at least one\nprovider endpoint exists, and returns a Net::OpenID::ClaimedIdentity object, or, on failure\nof any of the above, returns undef and sets last error ($csr->err).\n\nNote that the identity returned is *not* verified yet. It's only who the user claims they\nare, but they could be lying.\n\nIf this method returns undef, an error code will be set. See Error Codes below.\n" }, { "name": "Handling Provider Responses", "content": "The following routines are for handling a redirected provider response and assume that, among\nother things, $csr->args has been properly populated with the URL parameters.\n\n$csr->handleserverresponse( %callbacks );\nWhen a request comes in that contains a response from an OpenID provider, figure out what it\nmeans and dispatch to an appropriate callback to handle the request. This is the\ncallback-based alternative to explicitly calling the methods below in the correct sequence,\nand is recommended unless you need to do something strange.\n\nAnything you return from the selected callback function will be returned by this method\nverbatim. This is useful if the caller needs to return something different in each case.\n\nThe available callbacks are:\n\n\"notopenid\"\nthe request isn't an OpenID response after all.\n\n\"setupneeded\"\na checkidimmediate mode request was rejected, indicating that the provider requires\nuser interaction.\n\n\"cancelled\"\nthe user cancelled the authentication request from the provider's UI.\n\n\"verified ($verifiedidentity)\"\nthe user's identity has been successfully verified. A Net::OpenID::VerifiedIdentity\nobject is passed in.\n\n\"error ($errcode, $errmsg)\"\nan error has occurred. An error code and message are provided. See Error Codes below for\nthe meanings of the codes.\n\nFor the sake of legacy code we also allow\n\n\"setuprequired ($setupurl)\"\n[DEPRECATED] a checkidimmediate mode request was rejected *and* $setupurl was\nprovided.\n\nClients using this callback should be updated to use setupneeded at the earliest\nopportunity. Here $setupurl is the same as returned by $csr->usersetupurl.\n\n$csr->isserverresponse\nReturns true if a set of URL parameters has been supplied (via $csr->args) and constitutes\nan actual OpenID protocol message.\n\n$csr->setupneeded\nReturns true if a checkidimmediate request failed because the provider requires user\ninteraction. The correct action to take at this point depends on the OpenID protocol version\n\n(Version 1) Redirect to or otherwise make available a link to $csr->\"usersetupurl\".\n\n(Version 2) Retry the request in checkidsetup mode; the provider will then issue redirects\nas needed.\n\nN.B.: While some providers have been known to supply the \"usersetupurl\" parameter in\nVersion 2 \"setupneeded\" responses, you *cannot* rely on this, and, moreover, since the\nOpenID 2.0 specification has nothing to say about the meaning of such a parameter, you\ncannot rely on it meaning anything in particular even if it is supplied.\n\n$csr->usersetupurl( [ %opts ] )\n(Version 1 only) Returns the URL the user must return to in order to login, setup trust, or\ndo whatever the identity provider needs them to do in order to make the identity assertion\nwhich they previously initiated by entering their claimed identity URL.\n\nN.B.: Checking whether \"usersetupurl\" is set in order to determine whether a\ncheckidimmediate request failed is DEPRECATED and will fail under OpenID 2.0. Use\n\"setupneeded()\" instead.\n\nThe base URL that this function returns can be modified by using the following options in\n%opts:\n\n\"postgrant\"\nWhat you're asking the identity provider to do with the user after they setup trust. Can\nbe either \"return\" or \"close\" to return the user back to the returnto URL, or close the\nbrowser window with JavaScript. If you don't specify, the behavior is undefined\n(probably the user gets a dead-end page with a link back to the returnto URL). In any\ncase, the identity provider can do whatever it wants, so don't depend on this.\n\n$csr->usercancel\nReturns true if the user declined to share their identity, false otherwise. (This function\nis literally one line: returns true if \"openid.mode\" eq \"cancel\")\n\nIt's then your job to restore your app to where it was prior to redirecting them off to the\nusersetupurl, using the other query parameters that you'd sent along in your returnto\nURL.\n\n$csr->verifiedidentity( [ %opts ] )\nReturns a Net::OpenID::VerifiedIdentity object, or returns undef and sets last error\n($csr->err). Verification includes double-checking the reported identity URL declares the\nidentity provider, verifying the signature, etc.\n\nThe options in %opts may contain:\n\n\"requiredroot\"\nSets the requiredroot just for this request. Values returns to its previous value\nafterwards.\n\nIf this method returns undef, an error code will be set. See Error Codes below.\n" } ] }, "ERROR CODES": { "content": "This is the complete list of error codes that can be set. Errors marked with (C) are set by\nclaimedidentity. Other errors occur during handling of provider responses and can be set by\nargs (A), verifiedidentity (V), and usersetupurl (S), all of which can show up in the \"error\"\ncallback for handleserverresponse.\n\n\"providererror\"\n(A) The protocol message is a (2.0) error mode (i.e., \"openid.mode = 'error'\") message,\ntypically used for provider-specific error responses. Use $csr->message to get at the\n\"contact\" and \"reference\" fields.\n\n\"emptyurl\"\n(C) Tried to do discovery on an empty or all-whitespace string.\n\n\"bogusurl\"\n(C) Tried to do discovery on a non-http:/https: URL.\n\n\"protocolversionincorrect\"\n(C) None of the ID providers found support even the minimum protocol version\n($csr->minimumversion)\n\n\"noidentityserver\"\n(CV) Tried to do discovery on a URL that does not seem to have any providers at all.\n\n\"badmode\"\n(SV) The \"openid.mode\" was expected to be \"idres\" (positive assertion or, in version 1,\ncheckidimmediate failed).\n\n\"noidentity\"\n(V) The \"openid.identity\" parameter is missing.\n\n\"nosig\"\n(V) The \"openid.sig\" parameter is missing.\n\n\"noreturnto\"\n(V) The \"openid.returnto\" parameter is missing\n\n\"bogusreturnto\"\n(V) The \"returnto\" URL does not match $csr->requiredroot\n\n\"noncemissing\"\n(V) The \"openid.responsenonce\" parameter is missing.\n\n\"noncereused\"\n(V) A previous assertion from this provider used this responsenonce already. Someone\nmay be attempting a replay attack.\n\n\"nonceformat\"\n(V) Either the responsenonce timestamp was not in the correct format (e.g., tried to\nhave fractional seconds or not UTC) or one of the components was out of range (e.g.,\nmonth = 13).\n\n\"noncefuture\"\n(V) \"timecop\" was set and we got a responsenonce that was more than \"skew\" seconds into\nthe future.\n\n\"noncestale\"\n(V) We got a responsenonce that was either prior to the start time or more than window\nseconds ago.\n\n\"timeexpired\"\n(V) The returnto signature time (\"oic.time\") is from too long ago.\n\n\"timeinfuture\"\n(V) The returnto signature time (\"oic.time\") is too far into the future.\n\n\"timebadsig\"\n(V) The HMAC of the returnto signature (\"oic.time\") is not what it should be.\n\n\"servernotallowed\"\n(V) None of the provider endpoints found for the given ID match the server specified by\nthe \"openid.opendpoint\" parameter (OpenID 2 only).\n\n\"unexpectedurlredirect\"\n(V) Discovery for the given ID ended up at the wrong place\n\n\"bogusdelegation\"\n(V) Asserted identity (\"openid.identity\") does not match claimedid or\nlocalid/delegate.\n\n\"unsignedfield\"\n(V) In OpenID 2.0, \"openid.opendpoint\", \"openid.returnto\", \"openid.responsenonce\",\nand \"openid.assochandle\" must always be signed, while \"openid.claimedid\" and\n\"openid.identity\" must be signed if present.\n\n\"expiredassociation\"\n(V) \"openid.assochandle\" is for an association that has expired.\n\n\"signaturemismatch\"\n(V) An attempt to confirm the positive assertion using the association given by\n\"openid.assochandle\" failed; the signature is not what it should be.\n\n\"naiveverifyfailednetwork\"\n(V) An attempt to confirm the positive assertion via direct contact\n(checkauthentication) with the provider failed with no response or a bad status code\n(!= 200).\n\n\"naiveverifyfailedreturn\"\n(V) An attempt to confirm a positive assertion via direct contact (checkauthentication)\nreceived an explicitly negative response (\"openid.isvalid = FALSE\").\n", "subsections": [] }, "PROTOCOL VARIANCES": { "content": "XRI-based identities are not supported.\n\nMeanwhile, here are answers to the security profile questions from section 15.6 of the OpenID\n2.0 specification that are\nrelevant to the Consumer/Relying-Party:\n\n1. *Are wildcards allowed in realms?* Yes.\n\n2. N/A.\n\n3. *Types of claimed identifiers accepted.* HTTP or HTTPS\n\n4. *Are self-issued certificates allowed for authentication?* Depends entirely on the user\nagent (\"ua\") supplied. LWP::UserAgent, as of version 6.0, can be configured to only accept\nconnections to sites with certificates deriving from a set of trusted roots.\n\n5. *Must the XRDS file be signed?* No.\n\n6. *Must the XRDS file be retrieved over secure channel?* No.\n\n7. *What types of session types can be used when creating associations?* Any of\n\"no-encryption\",\"DH-SHA1\",\"DH-SHA256\"\n\n8. N/A.\n\n9. N/A.\n\n10. *Must the association request take place over a secure channel?* If the session type is\n\"no-encryption\", then Yes for version 2.0 providers and likewise for version 1.1 providers\nif \"alloweavesdropping\" is not set, otherwise No.\n", "subsections": [] }, "COPYRIGHT": { "content": "This module is Copyright (c) 2005 Brad Fitzpatrick. All rights reserved.\n\nYou may distribute under the terms of either the GNU General Public License or the Artistic\nLicense, as specified in the Perl README file. If you need more liberal licensing terms, please\ncontact the maintainer.\n", "subsections": [] }, "WARRANTY": { "content": "This is free software. IT COMES WITHOUT WARRANTY OF ANY KIND.\n", "subsections": [] }, "MAILING LIST": { "content": "The Net::OpenID family of modules has a mailing list powered by Google Groups. For more\ninformation, see .\n", "subsections": [] }, "SEE ALSO": { "content": "OpenID website: \n\nNet::OpenID::ClaimedIdentity -- part of this module\n\nNet::OpenID::VerifiedIdentity -- part of this module\n\nNet::OpenID::Server -- another module, for implementing an OpenID identity provider/server\n", "subsections": [] }, "AUTHORS": { "content": "Brad Fitzpatrick \n\nTatsuhiko Miyagawa \n\nMartin Atkins \n\nRobert Norris \n\nRoger Crew \n", "subsections": [] } } } }