Poidsy A PHP OpenID Consumer

Changelog

0.6 → 0.7

• Disable logging by default
• Fix error when logging from within methods which take objects or arrays as arguments (thanks to Erik Johnson for the bug report)
• Fix incorrect detection of HTTPS in some cases (thanks to Liam for the bug report)
• Fixed a potential timer attack vulnerability
• Fixed errors when handling a revocation (thanks to Daniele Venzano for the bug report)

0.5 → 0.6

• After a successful login, the 'brute force' counter is now reduced by one
• Added logging functionality to assist in debugging
• Change "gmail.com" to full URL in basic example, as XRDS discovery only seems to work on the latter now
• Fixed problem where claimed ID/identity/delegate were being set the wrong way around, causing incompatibility with some providers such as signon.com (thanks to Huma Javed for the bug report)
• Added check for allow_url_fopen to test.php (thanks to Lyceuhns for bringing this up)
• Discoverer now correctly handles <link/> elements that contain multiple entries in their 'rel' attributes
• Discoverer now takes redirections into account when performing Yadis discovery, fixes compatibility with signon.com
• Discoverer now allows html discovery when checking an identity provided by an OP, fixes compatibility with flickr.com
• Responses from IdPs sent with HTTP error codes are now still processed by Poidsy
• Poidsy now supports IdPs saying they don't support a certain association or session type, and will try to accomodate them
• Poidsy now correctly validates the return_to URL provided by IdPs
• Fix potential bug when using Poidsy over HTTPS on a port other than 80
• Poidsy now correctly validates the claimed_id (OpenID 2.0) or identity (OpenID 1.1) returned by IdPs
• Decoupled simple registration extension — to use this you must now include sreg.ext.php before including Poidsy's processor
• Repurposed SREG_* constants so they can be used when defining OPENID_SREG_* settings
• Added support for Attribute Exchange extension

0.4 → 0.5

• Diffie-Hellman encrypted keys are now decrypted when they're received, rather than every time that they're used
• Fixed the Discoverer raising E_NOTICE errors in some cases
• Documented all methods of the KeyManager class
• Further refactoring and tidying of request processor
• Renamed some methods of the KeyManager class to use better terminology
• The trust_root URL will now be truncated to contain the return_to URL (thanks to Bernd Eckenfels for the bug report)
• Added support for Yadis discovery
• Fixed E_NOTICE errors when receiving SREG information
• Clarify reasons why checkid_immediate might not work properly in the JavaScript example
• Added support for sending the correct OpenID 2.0 namespace parameter when discovery indicates the end point supports 2.0
• Fixed E_NOTICE errors when POSTing to an URL failed for any reason
• Requests to OpenID 2.0 end points now send openid.realm not openid.trust_root
• Support for OpenID 2.0 identifier selection
• OpenID 1.x requests no longer send an openid.ns parameter (fixes errors when using Blogger accounts)
• Added Google and Yahoo shortcuts to the basic example
• The discovery agent now tracks all servers and services it's told about

0.3 → 0.4

• Added support for HMAC-SHA256 association type
• The processor will now accept $_POST['openid_identifier'] if $_POST['openid_url'] is not set (and OPENID_URL is not defined)
• Added support for discovery via openid2.provider and openid2.local_id links
• Abstracted dumb authorisation procedure into KeyManager
• Removed autherror error code (all authorisation errors are now "noauth")
• Messages instructing Poidsy to invalidate an association handle are now authenticated with the provider before the handle is actually invalidated.
• Poidsy now sends the openid.claimed_id argument to identity providers
• Changed the behaviour of OPENID_IMMEDIATE. If the constant is defined, an immediate request will be attempted first (as before). If the constant is true, then Poidsy will fail if the provider requires setup (for use in "AJAX"-like applications). If the constant is false, Poidsy will continue on to a setup request as it did in 0.2 and earlier.
• Fix bug in discovery engine which could be used to authenticate illegal, fake identifiers.
• Add support for Diffie-Hellman key exchange (DH-SHA1 and DH-SHA256 session types)
• Fixed wrong session_type being sent due to misreading of the specs
• Refactoring and general tidying of the main request processor

0.2 → 0.3

• Added support for the Simple Registration Extension
• Updated demo to request and display SREG fields
• Added keymanager library and keycache file
• Poidsy now supports associate mode, and uses it by default
• Added compatibility test script
• Poidsy now passes openid.ns in all requests
• Poidsy will no longer send an initial checkid_immediate request unless OPENID_IMMEDIATE is defined
• Moved the demo.php file into examples/basic/
• Poidsy now always passes the trust_root argument as some providers break without it. By default it is sent as the current URL, but can be overridden using the OPENID_TRUSTROOT constant
• HTML entities are now handled properly when discovering identity provider URLs
• The URL normaliser has been improved to prevent people expressing the same identity in multiple ways. Changes include:
  • Usernames (and passwords) are now stripped unless OPENID_ALLOWUSER is set
  • Queries are now stripped unless OPENID_ALLOWQUERY is set
  • Empty and default ports are now stripped
  • Trailing full stops are now stripped from domain names
  • /./ and /../ in paths are now collapsed
• Added a new example that uses JavaScript and a hidden iframe
• Added error codes — whenever an error is encountered $_SESSION['openid']['errorcode'] is now populated with a short string identifying the problem. This is to allow implementors to perform different actions on certain errors, or to localise the error messages.
• Fixed minor bug in URL builder that lead to an extra ampersand in URLs in some cases
• The discovery engine can now specify the version of the data it has recovered

0.1 → 0.2

• Added version and link to the top of the license header in each file
• The processor now catches exceptions thrown by the discovery agent
• The processor now catches exceptions thrown when trying to POST data to the provider
• The identity returned by the identity provider is now checked against the identity that poidsy was trying to validate
• The processor no longer requires that openid_url be present in $_REQUEST as well as $_POST
• The URL can now be passed to the processor using the OPENID_URL constant, instead of as a POST var
• Wrapped most lines in processor.php to be less than 80 characters long
• Added lots of comments to the demonstration consumer explaining what's happening
• Return URLs now have a 'nonce' added to them that's checked against the user's session. This prevents request replay attacks.
• Improved detection of the URL that user should be redirected to. Poidsy now preserves all non-OpenID GET arguments.
• Added throttling to prevent malicious users from using Poidsy to launch a DoS attack against a remote site.
• Poidsy is now aware of HTTP redirects when trying to discover the OpenID server, and updates the identity accordingly. This prevents people from "stealing" URLs that redirect to their own site
• The URL normaliser now adds a trailing forward-slash if one isn't included