Hi,

I just uploaded to CPAN version 0.01 of
Catalyst::Plugin::Authentication::OpenID, which provides support for using
OpenID auth in Catalyst apps. More about OpenID: <http://www.openid.net/>.

It plays well with existing session plugins, and in fact, is recommended to
be used alongside any of the session plugins. From the synopsis:

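    use Catalyst qw( Authentication::OpenID );

    sub begin : Private {
        my($self, $c) = @_;
        if ($c->authenticate_openid) {
            # Verified: the asserted identity is available on the request.
            my $identity = $c->req->{openid_identity};
        } else {
            # Not verified: send the user to the login screen, unless a
            # redirect has already been set on the response.
            $c->res->redirect('<your-login-screen>')
                unless $c->res->redirect;
        }
    }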

Hope this is helpful. I know it's been pretty useful in building some demo
apps internally, so we figured it was generally useful for building apps
without having to worry about building explicit authentication. Thoughts?

Ben


  • Sebastian Riedel at Nov 12, 2005 at 9:00 am

    On 12.11.2005 at 08:02, Benjamin Trott wrote:

    > Hi,
    >
    > I just uploaded to CPAN version 0.01 of
    > Catalyst::Plugin::Authentication::OpenID, which provides support for using
    > OpenID auth in Catalyst apps. More about OpenID: <http://www.openid.net/>.
    >
    > It plays well with existing session plugins, and in fact, is recommended to
    > be used alongside any of the session plugins. From the synopsis:
    >
    >     use Catalyst qw( Authentication::OpenID );
    >
    >     sub begin : Private {
    >         my($self, $c) = @_;
    >         if ($c->authenticate_openid) {
    >             my $identity = $c->req->{openid_identity};
    >         } else {
    >             $c->res->redirect('<your-login-screen>')
    >                 unless $c->res->redirect;
    >         }
    >     }
    >
    > Hope this is helpful. I know it's been pretty useful in building some demo
    > apps internally, so we figured it was generally useful for building apps
    > without having to worry about building explicit authentication. Thoughts?

    Nice! This was our try. :)

    http://dev.catalyst.perl.org/file/trunk/Catalyst-Plugin-Authenticate-OpenID/lib/Catalyst/Plugin/Authenticate/OpenID.pm


    --
    sebastian
  • Yuval Kogman at Nov 13, 2005 at 10:07 am

    On Fri, Nov 11, 2005 at 23:02:14 -0800, Benjamin Trott wrote:
    > Hi,
    >
    > I just uploaded to CPAN version 0.01 of
    > Catalyst::Plugin::Authentication::OpenID, which provides support for using
    > OpenID auth in Catalyst apps. More about OpenID: <http://www.openid.net/>.

    Please try to integrate it with the new authentication/authorization
    stuff - I'm not sure whether OpenID is more of a backend-less-store
    or a credential verifier, but I'd be very happy to debate this on
    irc.perl.org's #catalyst or even here[1].

    The new plugins decouple the aspects of auth*:

    * storing user info

    * verifying user credentials

    * remembering the authenticated status of a user using sessions

    * allowing or denying access to parts of the application based on
    the authenticated user's authorizations

    And it seems like the code you wrote could be slightly simplified,
    and also standardized to fit with the other authentication plugins,
    so that the authorization plugins can get along with it better.

    Ciao!

    1. Based on your example code I think the OpenID stuff is a credential
    verifier that is supposed to interface with a store that knows about
    OpenIDs.

    --
    () Yuval Kogman <nothingmuch@woobling.org> 0xEBD27418 perl hacker &
    /\ kung foo master: /methinks long and hard, and runs away: neeyah!!!

  • Benjamin Trott at Nov 13, 2005 at 10:14 am
    OpenID is a credential verifier. It provides identity based on a URI, which
    is first "claimed" by a user, then verified/asserted by the third-party
    service that the URI points to using service auto-discovery.

    So, that's all the plugin does--it's a very simple wrapper around
    Net::OpenID::Consumer, which does all of the actual verification.

    Could you point me at the new authentication/authorization stuff you're
    referring to? And let me know what other ideas you have re: simplification.

    Thanks,
    Ben

    On 11/13/05 1:12 AM, "Yuval Kogman" wrote:
    > On Fri, Nov 11, 2005 at 23:02:14 -0800, Benjamin Trott wrote:
    > > Hi,
    > >
    > > I just uploaded to CPAN version 0.01 of
    > > Catalyst::Plugin::Authentication::OpenID, which provides support for using
    > > OpenID auth in Catalyst apps. More about OpenID: <http://www.openid.net/>.
    >
    > Please try to integrate it with the new authentication/authorization
    > stuff - I'm not sure whether OpenID is more of a backend-less-store
    > or a credential verifier, but I'd be very happy to debate this on
    > irc.perl.org's #catalyst or even here[1].
    >
    > The new plugins decouple the aspects of auth*:
    >
    > * storing user info
    >
    > * verifying user credentials
    >
    > * remembering the authenticated status of a user using sessions
    >
    > * allowing or denying access to parts of the application based on
    > the authenticated user's authorizations
    >
    > And it seems like the code you wrote could be slightly simplified,
    > and also standardized to fit with the other authentication plugins,
    > so that the authorization plugins can get along with it better.
    >
    > Ciao!
    >
    > 1. Based on your example code I think the OpenID stuff is a credential
    > verifier that is supposed to interface with a store that knows about
    > OpenIDs.
  • Yuval Kogman at Nov 13, 2005 at 11:11 am

    On Sun, Nov 13, 2005 at 01:19:57 -0800, Benjamin Trott wrote:
    > OpenID is a credential verifier. It provides identity based on a URI, which
    > is first "claimed" by a user, then verified/asserted by the third-party
    > service that the URI points to using service auto-discovery.

    Okay, then I think I get it.

    (note that in this part I assume you've read the link at the bottom
    of the email)

    So what we would really like is to turn the credential verification
    process on its head - first verify the ID, and then get the user
    for that ID, as opposed to first get the user for the ID, and then
    get the user.

    In this case the plugin, used on its own, should be able to verify
    an ID, but additionally it should do this:

        if ( $c->isa("Catalyst::Plugin::Authentication") ) {
            $c->set_authenticated( $c->get_user( $id ) )
        }

    And it should also be able to verify a user object like this:

        my $user = shift;
        my $openid = $user->id;

        # do your stuff

        $c->set_authenticated( $user ) if $is_ok;

    That way your plugin can be used on its own, or in concert with
    Catalyst::Plugin::Authentication, and most importantly any auth
    store.

    > So, that's all the plugin does--it's a very simple wrapper around
    > Net::OpenID::Consumer, which does all of the actual verification.

    Most catalyst plugins are like that - gluing a generic module so
    that it's integrated with other catalyst goodness. However, this is
    still a very important job that someone has to do =)

    > Could you point me at the new authentication/authorization stuff you're
    > referring to? And let me know what other ideas you have re: simplification.

    http://lists.rawmode.org/pipermail/catalyst/2005-November/002356.html


    --
    () Yuval Kogman <nothingmuch@woobling.org> 0xEBD27418 perl hacker &
    /\ kung foo master: /me dodges cabbages like macalypse log N: neeyah!

  • Benjamin Trott at Nov 14, 2005 at 6:08 am

    > So what we would really like is to turn the credential verification
    > process on its head - first verify the ID, and then get the user
    > for that ID, as opposed to first get the user for the ID, and then
    > get the user
    >
    > In this case the plugin, used on its own, should be able to verify
    > an ID, but additionally it should do this:

    I'm not sure what you mean by "used on its own." Do you mean, used outside
    of Catalyst? I'm not sure what the point of that would be--after all, if
    someone wanted to write an OpenID consumer outside of Catalyst, the best
    approach would be to use Net::OpenID::Consumer directly.

    The only purpose of this module is to provide the glue between Catalyst--the
    request & response objects, mainly--and Net::OpenID::Consumer. Let me know
    if I'm misunderstanding...

    >     if ( $c->isa("Catalyst::Plugin::Authentication") ) {
    >         $c->set_authenticated( $c->get_user( $id ) )
    >     }
    >
    > And it should also be able to verify a user object like this:
    >
    >     my $user = shift;
    >     my $openid = $user->id;
    >
    >     # do your stuff
    >
    >     $c->set_authenticated( $user ) if $is_ok;
    >
    > That way your plugin can be used on its own, or in concert with
    > Catalyst::Plugin::Authentication, and most importantly any auth
    > store.

    I'm assuming that an auth store is something like a session plugin--is that
    right? My usage of this plugin basically goes as described in the
    example in the POD docs:

    <http://search.cpan.org/~btrott/Catalyst-Plugin-Authentication-OpenID-0.01/lib/Catalyst/Plugin/Authentication/OpenID.pm#EXAMPLE>

    Does that make it clearer how the module can currently be used, and can
    interact with a session store?

    Ben
  • Yuval Kogman at Nov 14, 2005 at 8:45 am

    On Sun, Nov 13, 2005 at 21:13:49 -0800, Benjamin Trott wrote:
    > > So what we would really like is to turn the credential verification
    > > process on its head - first verify the ID, and then get the user
    > > for that ID, as opposed to first get the user for the ID, and then
    > > get the user
    > >
    > > In this case the plugin, used on its own, should be able to verify
    > > an ID, but additionally it should do this:
    >
    > I'm not sure what you mean by "used on its own." Do you mean, used outside
    > of Catalyst?

    No, without Catalyst::Plugin::Authentication - and thus not implying
    anything about e.g. $c->user being an object which you can ask
    questions, and so forth.

    > I'm assuming that an auth store is something like a session plugin--is that
    > right? My usage of this plugin basically goes as described in the
    > example in the POD docs:

    An auth store is an object or class that provides several methods:

    get_user
    from_session

    And has a name, and is registered in the catalyst application.

    This store returns a user object that inherits
    Catalyst::Plugin::Authentication::User. This class provides the
    'supports' method, which you can use to introspect the user, e.g.:

        $user->supports( qw/password clear/ ); # implies an interface is available

        if ( $user->password eq $password ) {
            # login successful
        }

    Which is really just a cheap hack to emulate role-ish behavior.

    A credential verifier is, autonomously of the store, something that
    performs authentication. For example:
    http://dev.catalyst.perl.org/repos/Catalyst/trunk/Catalyst-Plugin-Authentication/lib/Catalyst/Plugin/Authentication/Credential/Password.pm

    This plugin has the 'login' method which accepts a user object, or a
    user id, and a password.

    If it got a user object it will check if the object supports any
    known password scheme, and if this is OK, it will mark the user as
    authenticated (Catalyst::Plugin::Authenticate::set_authenticated
    sets $c->user, and puts the user object in $c->session if configured
    to do so).

    What we achieve here is a scheme where authentication and user
    storage modeling are decoupled. Your plugin is designed in such a
    way that it's very easy to plug it into existing code, but it needs
    just a tiny bit more effort.

    As I see it your plugin's job is to take either a user object or an
    openid URI, and then verify it. If the ID is OK, it does
    $c->set_authenticated( $user ). If it got an openid uri instead of a
    user object it will call $c->get_user( $id ) (which goes to the
    default store), and assuming the store can retrieve users by their
    URI it will get a user object back, and mark it as authenticated
    instead.

    In this way your plugin gets integration with existing
    functionality. For example, I can use a DBIC store and declare the
    open_id column as my primary key, and then 'get_user' for that store
    will return an object that might be used in conjunction with
    C::P::Authorization::Roles.

    > Does that make it clearer how the module can currently be used, and can
    > interact with a session store?

    Yes, but

    a) $c->req->{user} is now a Bad Thing(tm) (sri says so ;-)
    b) you can get this functionality for free, including user
    restoration on prepare, since the code to do that is already
    written

    --
    () Yuval Kogman <nothingmuch@woobling.org> 0xEBD27418 perl hacker &
    /\ kung foo master: uhm, no, I think I'll sit this one out..: neeyah!
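
The flow described in the post above (verify the claimed identity first, then resolve the user from a store, then mark it authenticated), as an added example that is not code from the thread or from Catalyst. Demo::Store, Demo::Context, login_openid and the $verify callback are hypothetical stand-ins (the callback takes the place of the real OpenID check), and the example.org identities are constructed.

```perl
use strict;
use warnings;

# Hypothetical in-memory store: verified identity URI -> user record.
package Demo::Store;
sub new      { my ($class, %users) = @_; return bless { users => { %users } }, $class }
sub get_user { my ($self, $id) = @_; return $self->{users}{$id} }  # undef if unknown

# Hypothetical stand-in for the application context ($c in the thread).
package Demo::Context;
sub new { my ($class, $store) = @_; return bless { store => $store }, $class }
sub get_user          { my ($self, $id) = @_; return $self->{store}->get_user($id) }
sub set_authenticated { my ($self, $user) = @_; return $self->{user} = $user }
sub user              { return $_[0]{user} }

package main;

# Credential verifier: takes a user record or a claimed URI. $verify stands in
# for the real OpenID check and returns the verified URI, or undef on failure.
sub login_openid {
    my ($c, $user_or_uri, $verify) = @_;
    my $claimed = ref $user_or_uri ? $user_or_uri->{id} : $user_or_uri;
    return unless defined $claimed && length $claimed;

    my $verified = $verify->($claimed);
    return unless defined $verified;               # fail closed: nothing is set

    # Resolve the user only after verification, and only from the verified URI.
    my $user = ref $user_or_uri ? $user_or_uri : $c->get_user($verified);
    return unless $user && $user->{id} eq $verified;
    return $c->set_authenticated($user);
}

# Constructed sample data: the store knows alice only; the fake check
# "verifies" alice and bob, and rejects everything else.
my %ok    = map { $_ => 1 } 'http://alice.example.org/', 'http://bob.example.org/';
my $check = sub { $ok{ $_[0] } ? $_[0] : undef };
my $alice = { id => 'http://alice.example.org/', roles => ['admin'] };
my $store = Demo::Store->new( $alice->{id} => $alice );

for my $claim ( sort( keys(%ok), 'http://mallory.example.org/' ) ) {
    my $c = Demo::Context->new($store);
    login_openid( $c, $claim, $check );
    printf "%-30s %s\n", $claim, $c->user ? 'authenticated' : 'rejected';
}
```

Only alice is reported as authenticated: bob passes the check but has no record in the store, and mallory fails the check, so in both cases `$c->user` stays unset.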

  • Yuval Kogman at Dec 4, 2005 at 1:57 pm

    On Fri, Nov 11, 2005 at 23:02:14 -0800, Benjamin Trott wrote:
    > Hi,
    >
    > I just uploaded to CPAN version 0.01 of
    > Catalyst::Plugin::Authentication::OpenID, which provides support for using
    > OpenID auth in Catalyst apps. More about OpenID: <http://www.openid.net/>.

    Can you please join #catalyst on IRC and we'll discuss how to update
    this to the new authentication framework? The change should be very
    simple.

    --
    () Yuval Kogman <nothingmuch@woobling.org> 0xEBD27418 perl hacker &
    /\ kung foo master: /methinks long and hard, and runs away: neeyah!!!


Discussion Overview
group: catalyst @
categories: catalyst, perl
posted: Nov 12, '05 at 7:56a
active: Dec 4, '05 at 1:57p
posts: 8
users: 3
website: catalystframework.org
irc: #catalyst
