Sunday, June 3, 2012

PHP Tutorial for OpenId and OAuth

Is there a good tutorial for implementing OpenId and OAuth together in PHP? All of the OpenId tutorials I've seen on the official OpenId site haven't been as helpful or as simple as they could have been. I don't think I've seen any tutorials on using both of them together. (For OpenId, I'd want to be both a provider and a consumer.) If there are no tutorials for using them together, tutorials on implementing either one in PHP would also be helpful.

Source: Tips4all


  1. This is a complex solution which is why it's not easy to make simple. oAuth is not OpenID is a good post on some of the specifics of each. It might help to look at tutorials for any language, and figure out how to port it to PHP. oAuth is sort of new, and thus people have just started implementing it.

    You use your domain as your OpenID Provider.

    If you want a pre-baked solution, try to utilize one of the libraries created for php (or port another).

    Here are some resources:


    Plaxo's Open ID Guide

    Libraries for OpenID

    Reference for the Zend OpenID


    Slides on oAuth Authentication

    Libraries for oAuth

    How to get started | Visual View of oAuth

    Here's an example of how to use oAuth in PHP for Consumer and Server using oauth-php on Google Code.

    Protocol Overview (OpenID)

    The end user initiates authentication (Initiation) by presenting a User-Supplied Identifier to the Relying Party via their User-Agent.
    After normalizing (Normalization) the User-Supplied Identifier, the Relying Party performs discovery (Discovery) on it and establishes the OP Endpoint URL that the end user uses for authentication. It should be noted that the User-Supplied Identifier may be an OP Identifier, as discussed in Section 7.3.1 (Discovered Information), which allows selection of a Claimed Identifier at the OP or for the protocol to proceed without a Claimed Identifier if something else useful is being done via an extension (Extensions).
    (optional) The Relying Party and the OP establish an association (Establishing Associations) -- a shared secret established using Diffie-Hellman Key Exchange (Rescorla, E., “Diffie-Hellman Key Agreement Method,” .) [RFC2631]. The OP uses an association to sign subsequent messages and the Relying Party to verify those messages; this removes the need for subsequent direct requests to verify the signature after each authentication request/response.
    The Relying Party redirects the end user's User-Agent to the OP with an OpenID Authentication request (Requesting Authentication).
    The OP establishes whether the end user is authorized to perform OpenID Authentication and wishes to do so. The manner in which the end user authenticates to their OP and any policies surrounding such authentication is out of scope for this document.
    The OP redirects the end user's User-Agent back to the Relying Party with either an assertion that authentication is approved (Positive Assertions) or a message that authentication failed (Negative Assertions).
    The Relying Party verifies (Verifying Assertions) the information received from the OP including checking the Return URL, verifying the discovered information, checking the nonce, and verifying the signature by using either the shared key established during the association or by sending a direct request to the OP.

  2. Could you explain a little more clearly what you're trying to do? There should be any need to have a tutorial to explain how to implement them both as they solve different problems, OpenID for authentication and OAuth for authorization.

    Thats said, the only libraries I could find that would do everything you like are oauth-php (which has basically no documentation) and Zend_OpenID.

  3. Tutorial describes, how to integrate OpenId into your login system using OpenID in PHP.