3 package IkiWiki::Plugin::openid;
10 add_underlay("openid-selector");
11 hook(type => "checkconfig", id => "openid", call => \&checkconfig);
12 hook(type => "getsetup", id => "openid", call => \&getsetup);
13 hook(type => "auth", id => "openid", call => \&auth);
14 hook(type => "formbuilder_setup", id => "openid",
15 call => \&formbuilder_setup, last => 1);
20 # Intercept normal signin form, so the openid selector
23 # When other auth hooks are registered, give the selector
24 # a reference to the normal signin form.
27 if (keys %{$IkiWiki::hooks{auth}} > 1) {
28 $real_cgi_signin=\&IkiWiki::cgi_signin;
30 inject(name => "IkiWiki::cgi_signin", call => sub ($$) {
31 openid_selector($real_cgi_signin, @_);
45 description => "url pattern of openid realm (default is cgiurl)",
51 description => "url to ikiwiki cgi to use for openid authentication (default is cgiurl)",
58 my $real_cgi_signin=shift;
62 my $openid_url=$q->param('openid_identifier');
65 if (! load_openid_module()) {
66 if ($real_cgi_signin) {
67 $real_cgi_signin->($q, $session);
70 error(sprintf(gettext("failed to load openid module: "), @_));
72 elsif (defined $q->param("action") && $q->param("action") eq "verify") {
73 validate($q, $session, $openid_url, sub {
78 my $template=IkiWiki::template("openid-selector.tmpl");
80 cgiurl => IkiWiki::cgiurl(),
81 (defined $openid_error ? (openid_error => $openid_error) : ()),
82 (defined $openid_url ? (openid_url => $openid_url) : ()),
83 ($real_cgi_signin ? (nonopenidform => $real_cgi_signin->($q, $session, 1)) : ()),
86 IkiWiki::printheader($session);
87 print IkiWiki::misctemplate("signin", $template->output);
91 sub formbuilder_setup (@) {
94 my $form=$params{form};
95 my $session=$params{session};
98 if ($form->title eq "preferences" &&
99 IkiWiki::openiduser($session->param("name"))) {
100 $form->field(name => "openid_identifier", disabled => 1,
101 label => htmllink("", "", "ikiwiki/OpenID", noimageinline => 1),
102 value => $session->param("name"),
103 size => length($session->param("name")), force => 1,
104 fieldset => "login");
105 $form->field(name => "email", type => "hidden");
109 sub validate ($$$;$) {
112 my $openid_url=shift;
113 my $errhandler=shift;
115 my $csr=getobj($q, $session);
117 my $claimed_identity = $csr->claimed_identity($openid_url);
118 if (! $claimed_identity) {
120 $errhandler->($csr->err);
128 # Ask for client to provide a name and email, if possible.
130 if ($claimed_identity->can("set_extension_args")) {
131 $claimed_identity->set_extension_args(
132 'http://openid.net/extensions/sreg/1.1',
134 optional => 'email,fullname,nickname',
137 $claimed_identity->set_extension_args(
138 'http://openid.net/srv/ax/1.0',
140 mode => 'fetch_request',
141 'required' => 'email,fullname,nickname,firstname',
142 'type.email' => "http://schema.openid.net/contact/email",
143 'type.fullname' => "http://axschema.org/namePerson",
144 'type.nickname' => "http://axschema.org/namePerson/friendly",
145 'type.firstname' => "http://axschema.org/namePerson/first",
150 my $cgiurl=$config{openid_cgiurl};
151 $cgiurl=$q->url if ! defined $cgiurl;
153 my $trust_root=$config{openid_realm};
154 $trust_root=$cgiurl if ! defined $trust_root;
156 my $check_url = $claimed_identity->check_url(
157 return_to => "$cgiurl?do=postsignin",
158 trust_root => $trust_root,
161 # Redirect the user to the OpenID server, which will
162 # eventually bounce them back to auth()
163 IkiWiki::redirect($q, $check_url);
171 if (defined $q->param('openid.mode')) {
172 my $csr=getobj($q, $session);
174 if (my $setup_url = $csr->user_setup_url) {
175 IkiWiki::redirect($q, $setup_url);
177 elsif ($csr->user_cancel) {
178 IkiWiki::redirect($q, IkiWiki::baseurl(undef));
180 elsif (my $vident = $csr->verified_identity) {
181 $session->param(name => $vident->url);
184 if ($vident->can("signed_extension_fields")) {
185 @extensions=grep { defined } (
186 $vident->signed_extension_fields('http://openid.net/extensions/sreg/1.1'),
187 $vident->signed_extension_fields('http://openid.net/srv/ax/1.0'),
191 foreach my $ext (@extensions) {
192 foreach my $field (qw{value.email email}) {
193 if (exists $ext->{$field} &&
194 defined $ext->{$field} &&
195 length $ext->{$field}) {
196 $session->param(email => $ext->{$field});
197 if (! defined $nickname &&
198 $ext->{$field}=~/(.+)@.+/) {
204 foreach my $field (qw{value.nickname nickname value.fullname fullname value.firstname}) {
205 if (exists $ext->{$field} &&
206 defined $ext->{$field} &&
207 length $ext->{$field}) {
208 $nickname=$ext->{$field};
213 if (defined $nickname) {
214 $session->param(nickname =>
215 Encode::decode_utf8($nickname));
219 error("OpenID failure: ".$csr->err);
222 elsif (defined $q->param('openid_identifier')) {
223 # myopenid.com affiliate support
224 validate($q, $session, $q->param('openid_identifier'));
232 eval q{use Net::OpenID::Consumer};
236 eval q{use LWPx::ParanoidAgent};
238 $ua=LWPx::ParanoidAgent->new;
241 $ua=LWP::UserAgent->new;
244 # Store the secret in the session.
245 my $secret=$session->param("openid_secret");
246 if (! defined $secret) {
248 $session->param(openid_secret => $secret);
251 my $cgiurl=$config{openid_cgiurl};
252 $cgiurl=$q->url if ! defined $cgiurl;
254 return Net::OpenID::Consumer->new(
257 consumer_secret => sub { return shift()+$secret },
258 required_root => $cgiurl,
262 sub load_openid_module {
263 # Give up if module is unavailable to avoid needing to depend on it.
264 eval q{use Net::OpenID::Consumer};
266 debug("unable to load Net::OpenID::Consumer, not enabling OpenID login ($@)");