plainblack.com

OpenId Auth Module

I have been working on a WebGUI Auth module that supports OpenId.  

The module works well and I am currently testing it on some of my systems.

Do not install unless you have met the requirements/dependencies. Please make sure you upgrade to the latest dependencies. If OpenId is not working, it is probably because you are not using the latest LWPx::ParanoidAgent or Net::OpenID::Consumer modules.

To install:

cp AuthOpenId.zip /data 

cd /data

unzip  AuthOpenId.zip 

Test the OpenId.pm module using the following commands:

  • cd /data/WebGUI/lib/WebGUI/Auth
  • perl -c OpenId.pm

ERROR:  Can't locate LWPx/ParanoidAgent.pm in @INC (@INC contains:...

     This means that the module LWPx::ParanoidAgent has not been installed.  Please follow the CPAN instructions to install this module.

ERROR:  Can't locate Net/OpenID/Consumer.pm in @INC (...

     This means that the module Net::OpenID::Consumer has not been installed.  Please follow the CPAN instructions to install this module.

ERROR:  Math::BigInt: couldn't load specified math lib(s), fallback to Math::BigInt::FastCalc ...

     Try installing Math::BigInt::GMP to solve this issue.  See http://www.perlmonks.org/?node_id=664894 for more info.

Add the proper parameters to your webgui.conf files... 

Add the OpenId auth method to the configuration file as follows:

"authMethods" : [
     "LDAP",
     "OpenId",
     "WebGUI"
]

Add a section to the configuration file called "RpxNow" with an "apiKey" as well as a "remoteService" parameter. You will have to get the values for these parameters from the rpxnow.com website.

"RpxNow" : {
    "apiKey" : "__get__your__own_key_from_http://rpxnow.com",
    "openid.guest" : "__set_this_to_the_openid_guest_account_you_created__",
    "remoteService" : "https://rpxnow.com/api/v2/auth_info"
}

To get MySpace and Facebook working, log in to your rpxnow.com account and follow their instructions.

Add the OpenId macro to your macros section:

"macros" : {
    ...
    "OpenId" : "OpenId",
    ...
}

Restart Apache (httpd).

Add an "openid.guest" account to the WebGUI system and set the authentication method to OpenId. Make sure you give this user a very strong password and set the email address to the admin user's address. Set the openid.guest account status to "Deactivated" and don't allow the user to change the username or password. This user should match the openid.guest user in the configuration file under the value {RPXNow}->{openid.guest}. The value defaults to openid.guest.

You may use the Accept and Deny lists under the Admin settings/Authentication/Open Id section. The hosts/patterns in each list should be separated by commas.

Ex:  .bad.com,.whatever.com,.ask.com 

It is important to mention that the pattern "fair.com" will match "myhost.unfair.com", "myhost.fair.com" and "mygreatproviderfair.com", not just "myhost.fair.com".

The Accept and Deny lists are totally inclusive. If you place a pattern on the accept list, only OpenId users whose provider matches that pattern will be allowed.

If you place a pattern on the deny list, ALL users will be allowed except the ones matched by a pattern on that list.

If there are no entries on either list, ALL valid OpenId users are allowed.
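
The list behaviour described above, next to a stricter host comparison, as an added example that is not the module's own code. It assumes entries are applied as unanchored patterns to the provider host (which the "fair.com" note implies) and that a deny match wins when both lists are set; the function names and sample hosts are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from AuthOpenId.zip. Assumption: list entries are
# applied as unanchored patterns to the provider host, as the "fair.com" note
# implies. Function names and hosts are constructed for illustration.

# Split a comma-separated Accept/Deny setting into trimmed, non-empty entries.
sub parse_list {
    my ($setting) = @_;
    return grep { length $_ }
           map  { my $e = $_; $e =~ s/^\s+|\s+$//g; $e }
           split /,/, $setting // '';
}

# Loose match: the entry may appear anywhere in the host name.
sub loose_match {
    my ($host, $entry) = @_;
    return index(lc $host, lc $entry) >= 0 ? 1 : 0;
}

# Strict match: the entry is the whole host or a suffix on a label boundary.
sub strict_match {
    my ($host, $entry) = @_;
    ($host, $entry) = (lc $host, lc $entry);
    $entry =~ s/^\.//;    # ".fair.com" and "fair.com" name the same domain
    return ($host eq $entry || $host =~ /\.\Q$entry\E\z/) ? 1 : 0;
}

# Deny entries block matching providers; a non-empty accept list admits only
# matching providers; two empty lists admit every valid provider.
# Assumption: when both lists are set, deny is checked first.
sub provider_allowed {
    my ($host, $accept, $deny, $match) = @_;
    my @accept = parse_list($accept);
    my @deny   = parse_list($deny);
    return 0 if grep { $match->($host, $_) } @deny;
    return 1 unless @accept;
    return (grep { $match->($host, $_) } @accept) ? 1 : 0;
}

for my $host (qw(myhost.fair.com myhost.unfair.com mygreatproviderfair.com)) {
    printf "%-26s loose=%d strict=%d\n", $host,
        provider_allowed($host, 'fair.com', '', \&loose_match),
        provider_allowed($host, 'fair.com', '', \&strict_match);
}
```

With an accept list of fair.com, the loose matcher admits all three hosts, while the strict matcher admits only myhost.fair.com.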

Place the Macro ^OpenId(); within an article somewhere on your website.

Create a snippet with the following values:

========= Cut this snippet code and use it on your site =========

<a class="rpxnow" onclick="return false;" href="https://yourRpxUri.rpxnow.com/openid/v2/signin?token_url=^u();/rpxlogin">Sign In</a>

<script src="https://rpxnow.com/openid/v2/widget" type="text/javascript"></script>
<script type="text/javascript">
RPXNOW.overlay = true;
RPXNOW.language_preference = 'en';
</script>

============== End Snippet code ==============

Use the above snippet where you want the RpxNow login link to appear.

When using the RpxNow widget you will have to set up a redirect link (the /rpxlogin path that follows the token_url=^u(); option in the snippet above) with the following settings:

URL: rpxlogin
Redirect URL:  /?op=auth;method=login;username=openid.guest;token=^FormParam(token);

I had a problem where the Yahoo service was mangling some portions of the URL and this was a great workaround.

If you do not wish to use the RpxNow service then there is no need to configure the RpxNow sections or snippet.  You can just use the OpenId portion without the RpxNow service.

Please report any bugs to me directly.

P.S. The demo website is pretty slow but it is currently the only server I have available for demo purposes.

 

Thank you. 

System Requirements

Crypt::DH
LWPx::ParanoidAgent
Math::BigInt::GMP
Net::OpenID::Consumer
Net::SSLeay

Comments
4dannymk: "
You can use this module with your existing WebGUI accounts, just make sure you set the authentication method to OpenId and the "OpenId Identity" under the edit user settings option.

If you would like users to automatically register and login using the OpenId auth module you must enable "Anonymous Registration" under the site settings. 
"
2cap10morgan: "
Great module, dannymk!

I've written a patch for WebGUI::Auth::OpenId.pm that makes entry and verification of the OpenID URI's more forgiving. Mainly, it allows you to forget the "http://" on front and the trailing slash on the end at any point and everything still works (hopefully). I've pasted it below (it's not too complex).

I'll definitely be using this on my server. Now off to find (or create) an RFE to get this put into the core. :)

------------------------------------------------

--- WebGUI/Auth/OpenId.pm-orig  2007-09-23 11:34:15.000000000 -0600
+++ WebGUI/Auth/OpenId.pm       2007-09-23 11:33:22.000000000 -0600
@@ -132,16 +132,23 @@
 
 =cut
 
-sub _getUserName{
+sub _getUserName {
    my $self = shift;
    my $openIdUri = shift;
-       my $sql = "SELECT username FROM users
+   my($openIdUriRegExp,$regExpEnd);
+   if ($openIdUri =~ /\/$/) {
+     $regExpEnd = "?\$";
+   } else {
+     $regExpEnd = "/?\$";
+   }
+   $openIdUriRegExp = "&#94;$openIdUri" . $regExpEnd;
+   my $sql = "SELECT username FROM users
       inner join authentication on users.userId=authentication.userId
       and fieldName = 'openIdUri'     
-      and fieldData = ?";
+      and fieldData RLIKE ?";
   
    if ( $openIdUri ){
-      my $userInfo = $self->session->db->buildHashRef($sql,[ $openIdUri ]);
+      my $userInfo = $self->session->db->buildHashRef($sql,[ $openIdUriRegExp ]);
       my @userKeys = keys(%$userInfo);
       return $userInfo->{$userKeys[0]};
    }else{
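Review bot: In _getUserName, $openIdUriRegExp is built by interpolating $openIdUri straight into the pattern bound to "fieldData RLIKE ?", so every regex metacharacter in the URI stays live, including the dots in the host name, and the lookup can return a username whose stored openIdUri is not the one supplied. Because "return $userInfo->{$userKeys[0]}" takes whichever key comes first, I would keep "fieldData = ?" and normalise the scheme and trailing slash once on both the stored and the incoming value, or at least escape the URI before appending the "/?$" suffix. The "&#94;" at the start of the new pattern also looks like an HTML-escaped "^" left over from pasting; as posted it would not anchor the match.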
@@ -203,7 +210,7 @@
       #my $verified_url = $vident->url;
       $error = ""; #You are $verified_url !";
       $self->session->stow->set('foundValidOpenIdUri',1);
-      $self->session->stow->set('openIdUri',$cacheRef->{'_uri'});     
+      $self->session->stow->set('openIdUri',$vident->url);     
       $cache->delete();
    } else {
       $error = $self->_i18n->get('error default') . $csr->err;
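Review bot: $vident is not declared anywhere in this hunk; its only other appearance is the commented-out "#my $verified_url = $vident->url;", so the new "stow->set('openIdUri',$vident->url)" relies on a variable set outside the visible lines. Please confirm it is the verified identity object and is in scope in this branch, and add a short comment on why the verified URL replaces $cacheRef->{'_uri'}.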
@@ -371,8 +378,12 @@
 
 sub editUserFormSave {
    my $self = shift;
+   my $openIdUri = $self->session->form->process('authOpenId_openIdUri');
+   if ($openIdUri !~ /&#94;http:\/\//) {
+     $openIdUri = "http://$openIdUri";
+   }
    my $properties = {};
-   $properties->{openIdUri} = $self->session->form->process('authOpenId_openIdUri');
+   $properties->{openIdUri} = $openIdUri;
    $self->SUPER::editUserFormSave($properties);
 }
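Review bot: The check "$openIdUri !~ /&#94;http:\/\//" in editUserFormSave only recognises "http://", so an identity entered with "https://" gets "http://" prepended in front of it, and an empty form field is saved as "http://". Accept both schemes in the test and skip the rewrite when the field is empty; the "&#94;" here also looks like an HTML-escaped "^" from pasting.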
"
3dannymk: "
Hi Cap10,
   sorry I have not been on in a while. I got a new job and have been working long hours.

Anyway, can you tell me how the conference went?  Did they talk about the OpenId module at all?

I will probably patch my source with the patch you sent and will let you know how it works.

Dan. 
"
4dannymk: "
Hi, the patch shows a value: $vident->url

however, that value is not defined in the patch.

Where did you get that from?  Where did you set it?
"
2dannymk: "
Hmmm... seems like Yahoo will be supporting OpenId 2.0 http://www.infoworld.com/article/08/01/17/Yahoo-to-support-OpenID-single-sign-on_1.html

Guess I have to get this module updated!
"
4cap10morgan: "Sorry I've been MIA on this. I'm still hoping to revisit this at some point soon. dannymk, can we meet in IRC at some point to discuss the status of this module and get it ready for inclusion in"
4dannymk: "
I have made some changes to the module to get ready for the upgraded release of http://search.cpan.org/~bradfitz/Net-OpenID-Consumer-0.14/lib/Net/OpenID/Consumer.pm which will support OpenId version 2.0 (http://brad.livejournal.com/). It seems to be the only functioning/available Perl library. The one at this website: http://code.sxip.com/openid4perl/ still seems to be under development and cannot be used in production. I sent an email to Brad and he told me his team was working on an upgrade. Let's hope Brad Fitzpatrick releases his modules soon. If anyone else knows of a functioning OpenId Perl implementation please let me know.
"
5dannymk: "Hmmm... The Auth::OpenId module works with 2.0.  It just requires an update of the Net::OpenID::Consumer module.  Also, make sure you restart the httpd daemon so that the new Net::OpenID::Consumer module can be used."
4dannymk: "Version 3.0.0 uses the Net::OpenID::Consumer module as well as the RpxNow.Com service."
5dannymk: "The current module 3.x.x is pretty stable. I have been testing it on a few of my sites and I am currently using it on a production system at work."
5ehab: "How hard would it be to be an OpenID provider, where other sites can authenticate against your userbase?"
3dannymk: "Not sure ehab, I never thought about writing a provider module for WebGUI.  My focus has always been easier authentication for WebGUI."
5ehab: "I see this is updated regularly :) keep up the good work."
Download: AuthOpenId.zip
Links: Daniel Maldonado
Demo
No Support Offered
Statistics
Downloads: 404
Views: 6351
Rating: 4
Updated: 12/17/2009
Keywords: openid authentication module
© 2010 Plain Black Corporation | All Rights Reserved