This library implements the OpenID protocol (http://openid.net/). OpenID is a protocol to share identities on the network. The protocol itself uses simple basic HTTP, adding reliability using digitally signed messages.
Steps, as seen from the consumer (or relying party):
<link rel="openid.server" href="server">
checkid_setup, asking to validate the given OpenID.
A consumer (an application that allows OpenID login) typically
uses this library through openid_user/3.
In addition, it must implement the hook http_openid:openid_hook/1
to define accepted OpenID servers. Typically, this hook is used to
provide a white-list of acceptable servers. Note that accepting any
OpenID server is possible, but anyone on the internet can set up a dummy
OpenID server that simply grants and signs every request. Here is an
example:

    :- multifile http_openid:openid_hook/1.

    http_openid:openid_hook(trusted(_, OpenIdServer)) :-
        (   trusted_server(OpenIdServer)
        ->  true
        ;   throw(http_reply(moved_temporary('/openid/trustedservers')))
        ).

    trusted_server('http://www.myopenid.com/server').
By default, information about who is logged on is maintained in the
session using http_session_assert/1 with the term openid(Identity). The
hooks login/logout/logged_in can be used to provide alternative
administration of logged-in users (e.g., based on client IP, using
cookies, etc.).
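The following consumer is an added example, not code from the library or its documentation. It combines the two points above: a trusted(OpenID, Server) hook that only accepts an exact, HTTPS-only white-list, and the login/logout/logged_in hooks replacing the default session term with a table keyed by the HTTP session id. The handler location, the whitelisted/1 table and its host names are constructed for the example; the hook terms and openid_user/3 are the library's.

```prolog
% Added example (not part of the http_openid documentation): an OpenID
% consumer with an HTTPS-only server white-list and its own logged-in table.
:- use_module(library(http/http_dispatch)).
:- use_module(library(http/http_session)).
:- use_module(library(http/http_openid)).
:- use_module(library(http/html_write)).
:- use_module(library(uri)).

:- http_handler(root(private), private_page, []).   % constructed location

:- dynamic logged_in_user/2.          % logged_in_user(SessionId, OpenID)
:- multifile http_openid:openid_hook/1.

% Server white-list: anything not listed redirects to an explanation page,
% so the user learns why the login was refused instead of seeing a failure.
http_openid:openid_hook(trusted(_OpenID, Server)) :-
    (   trusted_server(Server)
    ->  true
    ;   throw(http_reply(moved_temporary('/openid/trustedservers')))
    ).
% Alternative administration of logged-in users, keyed by the session id.
http_openid:openid_hook(login(OpenID)) :-
    http_session_id(SessionId),
    retractall(logged_in_user(SessionId, _)),
    assertz(logged_in_user(SessionId, OpenID)).
http_openid:openid_hook(logout(OpenID)) :-
    http_session_id(SessionId),
    retractall(logged_in_user(SessionId, OpenID)).
http_openid:openid_hook(logged_in(OpenID)) :-
    http_session_id(SessionId),
    logged_in_user(SessionId, OpenID).

% Exact match against the table, and the scheme must be https so that a
% plain-http entry added by mistake is still rejected at login time.
trusted_server(Server) :-
    whitelisted(Server),
    uri_components(Server, uri_components(Scheme, _, _, _, _)),
    Scheme == https.

% Constructed, fictitious server URLs.
whitelisted('https://id.example.org/server').
whitelisted('https://login.example.net/openid').

% A page that requires login: openid_user/3 runs the redirect sequence if
% needed and only returns once the identity has been verified.
private_page(Request) :-
    openid_user(Request, OpenID, []),
    reply_html_page(title('Private'),
                    [ h1('Private page'),
                      p(['Logged in as ', OpenID])
                    ]).
```

Keeping the white-list as exact URLs (rather than a host pattern) is deliberate: a pattern that also matches a path prefix would let any page on that host pose as the server, which is exactly the dummy-server problem the text warns about.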
To create a server, you must do four things: bind the handlers
openid_server/2 and openid_grant/1
to HTTP locations, provide a user page for registered users and define
the grant(Request, Options) hook to verify your users. An
example server is provided in
    handler(Request) :-
        openid_user(Request, OpenID, []),
        ...
If the user is not yet logged on, a sequence of redirects will follow:
verify, which calls openid_verify/2.
img structures where the
href is relative, clicking it opens the
given location after adding 'openid.return_to' and 'stay'.
true, show a checkbox that allows the user to stay logged on.
http_dispatch.pl. Options processed:
openid.trust_root attribute. Defaults to the root of the current server (i.e.,
openid.realm attribute. Default is the
The OpenId server will redirect to the
| OpenIDLogin | ID as typed by user (canonized) |
| OpenID      | ID as verified by server        |
| Server      | URL of the OpenID server        |
After openid_verify/2 has
redirected the browser to the OpenID server, and the OpenID
server did its magic, it redirects the browser back to this address. The
work is fairly trivial. If
cancel, the OpenID server denied the request. If
the OpenID server replied positive, we must still verify what the server
told us by checking the HMAC-SHA signature.
This call fails silently if there is no
field in the request.
openid(cancel) if the request was cancelled by the OpenID server
openid(signature_mismatch) if the HMAC signature check failed
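The signature check described above, as an added example that is not the library's own openid_verify/2: the fields named in the reply's signed list are serialised as key:value lines, keyed HMAC-SHA1 with the association's MAC key is computed over them, and the base64 result is compared with the sig field. It assumes hmac_sha/4 from library(sha) and base64/2 from library(base64) with their usual argument order; the reply fields, the secret and the URLs are constructed, and the outcomes mirror the cancel and signature_mismatch cases listed above.

```prolog
% Added example (not the library's code): verifying an OpenID id_res reply.
:- use_module(library(sha)).
:- use_module(library(base64)).
:- use_module(library(lists)).
:- use_module(library(apply)).

%!  kv_string(+Fields, +Names, -Data)
%   Serialise the named fields as "name:value\n" in the order of the
%   signed list.  Fields is a list of Name=Value with the plain names
%   (no openid. prefix).  A signed name that is absent is an error: the
%   signature would then cover a field we cannot reconstruct.
kv_string(Fields, Names, Data) :-
    maplist(kv_line(Fields), Names, Lines),
    atomic_list_concat(Lines, Data).

kv_line(Fields, Name, Line) :-
    (   memberchk(Name=Value, Fields)
    ->  format(atom(Line), '~w:~w~n', [Name, Value])
    ;   throw(openid(missing_signed_field(Name)))
    ).

%!  openid_signature(+Fields, +MacKeyBase64, -Sig)
%   Base64 HMAC-SHA1 over the signed fields.  MacKeyBase64 is the
%   base64-encoded MAC key of the association (assumption: hmac_sha/4
%   takes Key, Data, returns the digest as a list of bytes).
openid_signature(Fields, MacKeyBase64, Sig) :-
    memberchk(signed=Signed, Fields),
    atomic_list_concat(Names, ',', Signed),
    kv_string(Fields, Names, Data),
    base64(Key, MacKeyBase64),
    hmac_sha(Key, Data, Digest, [algorithm(sha1)]),
    atom_codes(DigestAtom, Digest),
    base64(DigestAtom, Sig).

%!  verify_reply(+Fields, +MacKeyBase64, -Result)
%   Result is cancel for a cancelled login, ok(Identity) for a positive
%   reply whose signature matches; otherwise openid(signature_mismatch)
%   is thrown.  Note that == is not a constant-time comparison.
verify_reply(Fields, _, cancel) :-
    memberchk(mode=cancel, Fields), !.
verify_reply(Fields, MacKeyBase64, ok(Identity)) :-
    memberchk(mode=id_res, Fields),
    memberchk(sig=Sig, Fields),
    openid_signature(Fields, MacKeyBase64, Expected),
    (   Expected == Sig
    ->  memberchk(identity=Identity, Fields)
    ;   throw(openid(signature_mismatch))
    ).

% Constructed demo: sign a reply as the server would, verify it, then
% show that changing the identity after signing is rejected.
demo :-
    base64('constructed-secret', MacKey),
    Fields0 = [ mode=id_res,
                identity='https://alice.id.example.org/',
                return_to='https://rp.example.com/openid/verify',
                signed='mode,identity,return_to'
              ],
    openid_signature(Fields0, MacKey, Sig),
    verify_reply([sig=Sig|Fields0], MacKey, Result),
    format("valid reply: ~w~n", [Result]),
    select(identity=_, Fields0, identity='https://mallory.example.net/', Tampered),
    catch(verify_reply([sig=Sig|Tampered], MacKey, _),
          openid(Err),
          format("tampered reply rejected: ~w~n", [Err])).
```

Run `?- demo.` to see the positive case followed by the rejection. The reason the check matters is the one the text gives: a redirect back to the relying party is just a browser request, so without the HMAC anyone could forge an id_res reply; with it, only the holder of the association's MAC key can produce a reply that passes.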
yes, check the authority (typically the password) and, if all looks good, redirect the browser to ReturnTo, adding the OpenID properties needed by the Relying Party to verify the login.
openid_associate(URL, Handle, Assoc, []).