Net-OpenID-Server-1.09000755001750001750 011656663014 13270 5ustar00rfcrfc000000000000Changes000644001750001750 1072511656663014 14670 0ustar00rfcrfc000000000000Net-OpenID-Server-1.091.09 Nov 09 2011 1.030099_002 Jan 01 2011 * Remove unusued _eurl function (Robert Norris) * Made 'assoc_handle' argument optional for indirect requests per http://openid.net/specs/openid-authentication-2_0.html#anchor27 (Mario Domgoergen) * Added example CGI program (Robert Norris) * Documentation tweaks (Robert Norris) 1.030099_001 Nov 06 2010 * Use Crypt::DH::GMP over Crypt::DH for speed (Robert Norris) * Set mode and claimed_id before redirect to setup in checkid_immediate. Without this some implementations (Movable Type) do not have enough context to understand what the client is trying to do (Adam Sjøgren) * Fix potential timing attack when checking signatures (Adam Sjøgren) (see http://lists.openid.net/pipermail/openid-security/2010-July/001156.html) * Support HMAC-SHA256 signatures (Adam Sjøgren) * Merge get_args and post_args into single 'args' parameter. get_args & post_args remain as deprecated parameters (Martin Atkins, Robert Norris) 1.02: * _mode_checkid(): Pass 'ns' through setup_map. (reported and fixed by Sergey Homenkow.) * signed_return_url(): verify and remove 'realm', if provided. (reported and fixed by Sergey Homenkow.) * "10.2.1. In Response to Immediate Requests" (Negative Assertions) OpenID2 return 'mode=setup_needed' and 'ns', OpenID1 return 'mode=id_res' and 'user_setup_url'. (reported and fixed by Sergey Homenkow.) * "8.2.4. Unsuccessful Response Parameters" (Establishing Associations) "If the OP does not support a session type or association type, it MUST respond with a direct error message indicating that the association request failed." (reported and fixed by Sergey Homenkow.) * Fix our openid.signed list to be consistent with what we actually sign when empty fields are present. Reported and fixed by Igor Gariev . * Don't include op_endpoint in 1.1 assertion messages. 1.01: * OpenID 2.0 support from kazeburo from mixi.jp. 0.13: 2007-09-09 * remove test's non-used/non-declared "use" of DSA modules. makes test in auto-testers now. also remove dead/old tests. 0.12: 2007-09-03 * make ->err method return false when no error: http://rt.cpan.org/Ticket/Display.html?id=29109 * doc fix: http://rt.cpan.org/Ticket/Display.html?id=29110 * doc fix in abstract (was previously copy/pasted from the consumer module) 0.11: (2007-04-16) - after year+ of being in svn, but not released. :) * basic support for OpenID extensions (2006-03-13) 0.10: (2005-09-01) * fix up old docs which mentioned the ancient public_key and private_key parameters * fix some warnings in make test. (Tatsuhiko Miyagawa) 0.09: * version 1.1 of the protocol, with 1.0 as a "compat" option (where both 1.0 and 1.1 response keys are sent) compat is either on, off, or unspecified, in which case it's on by default for one month 0.08: * security fix, as pointed out by meepbear: check_authentication shouldn't honor signature verification requests using assoc_handles that were given out in associate requests. that means that we must be able to distinguish (internally) handles that were given out to "dumb" consumbers (stateless) vs. ones we gave out in associate requests. for more information, see: http://lists.danga.com/pipermail/yadis/2005-July/001144.html 0.07: * openid.mode=cancel support * invalidate_handle support * fix a call to error_page that should've been _error_page * _secret_of_handle now only takes an assoc_handle, not also an assoc_type, as an assoc_handle should always self-imply its type 0.06: * make rand_chars public * remove old DSA-based code * test suite for new DH/HMAC-based code 0.05: * start implementing the new DH + HMAC-SHA1 spec, instead of being DSA-based. The DSA code is still working for now, and it'll do either protocol, but it'll be removed in time. 0.04: * add "signed_return" method and docs * require Convert::PEM 0.07, which was always required, but I forgot its version number before * add "redirect_for_setup" option on handle_page and docs 0.03: * stupid push_url_arg bugfix * more tests 0.02: * checkid_immediate vs checkid_setup mode (handle_page can return $type of "setup") 0.01: * initial release. test suite works. no example app yet. * requires Crypt::DSA or Crypt::OpenSSL::DSA t000755001750001750 011656663014 13454 5ustar00rfcrfc000000000000Net-OpenID-Server-1.0900-use.t000644001750001750 12311656663014 14765 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09/t#!perl -T use Test::More tests => 1; BEGIN { use_ok( 'Net::OpenID::Server' ); } examples000755001750001750 011656663014 15027 5ustar00rfcrfc000000000000Net-OpenID-Server-1.09server.cgi000644001750001750 3003611656663014 17202 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09/examples#!/usr/bin/env perl # Simple OpenID server/provider # Robert Norris, November 2010 # Public domain # This program demonstrates the use of Net::OpenID::Server to build an OpenID # server/provider (OP). It is not intended to be production quality, but just # show the basics needed to get an OP up and running. It uses CGI.pm since # everyone understands that :) use warnings; use strict; use CGI (); use CGI::Carp qw(fatalsToBrowser); use Net::OpenID::Server 1.030099; use URI::Escape; my $cgi = CGI->new; # determine our location based on the enviroment my $base = 'http://'.$ENV{HTTP_HOST}.$ENV{SCRIPT_NAME}; # get the parameters from the browser into something useable my $params = {$cgi->Vars}; # figure out what the caller is trying to do. there are four options: # endpoint: provide the endpoint interface to the RP. this is the main entry # point and is not normally accessed directly by the user # setup: handles setup, which is the openid term for interacting with the user # to determine if the user trusts the RP. here it presents a simple # login form # login: the target for the login form. this is not actually part of the # openid flow but it makes a useful and not-uncommon example # user: handles the actual identity urls, serving either HTML or XRDS pointing # to the endpoint. you need to implement this somewhere but its not # strictly part of the openid flow, and could just be one or more static # pages depending on your application my $action = delete $params->{action} || 'endpoint'; if ($action !~ m{\A endpoint | setup | login | user \z}x) { print $cgi->header(-status => 404); exit; } # arrange for the handler method to be called my $method = "handle_$action"; my $ret = do { no strict 'refs'; $method->($base, $params) }; # handle the return. these handlers return PSGI three-part arrays, so you # could easily port them to your PSGI-based application. here we convert that # into something to send back through CGI.pm my ($status, $headers, $content) = @$ret; push @$headers, ( Pragma => 'no-cache' ); my %headers; while (my ($k, $v) = splice @$headers, 0, 2) { $headers{"-$k"} = $v; } print $cgi->header(-status => $status, %headers); print join '', @$content; exit; # endpoint action handler. all interactions between the RP and the OP, either # directly or via browser redirects sub handle_endpoint { my ($base, $params) = @_; # get an Net::OpenID::Server object configured the way we want it my $openid = _get_openid_context($base, $params); # call the handler to figure out what the appropriate response it for the # given parameters my ($type, $data) = $openid->handle_page; # the server wants to redirect the browser somewhere, perhaps back to the # RP. the url is in $data. all we have to do is redirect them using # whatever redirect mechanism is provded by the web framework if ($type eq 'redirect') { return [ 302, [ 'Location' => $data, ], [] ]; } # the server has decided that it doesn't know if the user explicitly # trusts or distrusts the RP, and needs you to ask them somehow. this is # known as "setup", and is triggered when the is_identity or is_trusted # callbacks return false (see _get_openid_context below). # # $data is a hashref of parameters that should be passed to # signed_return_url (trust) or cancel_return_url (doesn't trust) to build # the appropriate response for the RP. if ($type eq 'setup') { # build the setup redirect url, passing along the parameters so they # can be given back to the server later to build the redirect url # later my $location = $openid->setup_url . '&' . join ('&', map { $_ . '=' . uri_escape(defined $data->{$_} ? $data->{$_} : '') } keys %$data); return [ 302, [ 'Location' => $location, ], [] ]; } # the server has a response to send back directly. this is either some # sort of error page for the browser, or a direct response to the RP. # $type contains the mime type and $data has the content return [ 200, [ 'Content-Type' => $type, ], [ $data ] ]; } # setup action handler. this is the entry point for determining if the user # trusts the RP. here we begin a login-type flow, but you can do whatever # makes most sense for your site. $params contains the parameters that came # from the setup response to handle_page above, and need to be passed back to # the server so it can construct the RP redirect url # # the most common flow for setup is to login the user if they're not already # logged in, then ask them if they trust the RP. that's usually a question # like "You are logging into as . Is this ok?". based on # that response you'll call signed_return_url or cancel_return_url. the realm # is available in $data->{trust_root}. most OPs also store this decision # somewhere so the user doesn't have to be asked next time. sub handle_setup { my ($base, $params) = @_; my $html = join("\n", "
", (map { defined $params->{$_} ? "" : '' } keys %$params), "username:
", "password:
", "", "", "
", ); return [ 200, [ 'Content-Type' => 'text/html', ], [ $html ] ]; } # login action handler. this is where the login form goes. for the sake of # this example we pretend that all logins succeed sub handle_login { my ($base, $params) = @_; my $user = delete $params->{user}; my $pass = delete $params->{pass}; # now we know who the user is we can construct their identity url and # include it in the parameters $params->{identity} = _identity_url($base, $user); # get the Net::OpenID::Server object configured the way we want it. this # time we include the user as well my $openid = _get_openid_context($base, $params, $user); # for this demo we're trusting anything. here you probably want to ask the # user if they trust the RP as described above # construct the RP redirect url to indicate the user trusts the RP my $return_url = $openid->signed_return_url(%$params); return [ 301, [ 'Location' => $return_url, ], [ ] ]; } # user action handler. this serves appropriate HTML or XRDS for an identity # url to point to the endpoint sub handle_user { my ($base, $params) = @_; # get the Net::OpenID::Server object configured the way we want it my $openid = _get_openid_context($base, $params); # construct the identity url for this user my $identity = _identity_url($base, $params->{user}); my $endpoint = $openid->endpoint_url; # return either XRDS or HTML depending on what the client asked for if ($ENV{HTTP_ACCEPT} =~ m{ \b application/xrds\+xml \b }x) { return [ 200, [ 'Content-Type' => 'application/xrds+xml', ], [ _user_xrds($identity, $endpoint) ] ]; } else { return [ 200, [ 'Content-Type' => 'text/html', ], [ _user_html($identity, $endpoint) ] ]; } } # helper function to construct the identity url for the given user sub _identity_url { my ($base, $user) = @_; return $base.'?action=user&user='.$user; } # helper function to prepare a Server object sub _get_openid_context { my ($base, $params, $user) = @_; my $openid = Net::OpenID::Server->new( # args can take a number of different objects that may contain the # request parameters from the browser, eg a CGI, Apache::Request, # Apache2::Request or similar (see the documentation for more). if a # coderef is provided (as is the case here), it will be passed a # single argument containing the wanted parameter, and should return # the value of that parameter, or undef if its not available args => sub { $params->{+shift} }, # get_user returns an identifier for the currently logged-in user, or # undef if there's no user. the return value is not used but is passed # as-is to is_identity and is_trusted get_user => sub { return $user; }, # is_identity returns true if the passed user "owns" the passed # identity url. the user is the one returned from get_user, whereas # the identity typically comes from the RP via the browser. this could # conceivably return false in the case where the user is logged in to # the OP but has specified an identifier that is not their own. in # that case you return false here which will trigger setup is_identity => sub { my ($user, $identity) = @_; return if not $user; return $identity eq _identity_url($base, $user); }, # is_trusted returns true if the user trusts the passed realm (trust # root). the user and is_identity parameters are the same as what was # returned by get_user and is_identity. if you're keeping a record # of realms the user trusts, its here that you'd check that record is_trusted => sub { my ($user, $realm, $is_identity) = @_; return if not $user; return $is_identity; }, # urls for endpoint and setup. these are used when constructing # redirect urls endpoint_url => $base, setup_url => $base.'?action=setup', # server_secret takes a coderef that is called to generate and sign # per-consumer secrets. it is passed a single argument containing a # unix timestamp and should produce a unique, reproducable and # non-guessable value based on that time. if this value does not meet # those criteria your RP is vulnerable to replay attacks # # for the sake of this demo we return a static string here. you MUST # NOT do this in a production environment server_secret => sub { return 'abc123'; }, ); return $openid; } # helper function to return an XRDS structure for the identity and endpoint sub _user_xrds { my ($identity, $endpoint) = @_; return < http://specs.openid.net/auth/2.0/signon $endpoint $identity http://openid.net/signon/1.1 $endpoint $identity http://openid.net/signon/1.0 $endpoint $identity XRDS ; } # helper function to return an HTML page for the identity and endpoint sub _user_html { my ($identity, $endpoint) = @_; return < OpenID identity page

This is an OpenID identity page. It will direct an OpenID RP to the OpenID endpoint at $endpoint to provide service for $identity.

HTML ; } __END__ =pod =head1 NAME server.cgi - demo OpenID server/provider using Net::OpenID::Server =head1 DESCRIPTION This program demonstrates the use of Net::OpenID::Server to build an OpenID server/provider (OP). It is not intended to be production quality, but just show the basics needed to get an OP up and running. It should work under pretty much any web server that can run CGI programs. Its been tested under lighttpd on Linux. It services identity URLs of the form: server.cgi?action=user&user= Read the code to find out how it all works! =head1 AUTHOR Robert Norris Erob@eatenbyagrue.orgE =head1 LICENSE This program is in the public domain. =cut OpenID000755001750001750 011656663014 15623 5ustar00rfcrfc000000000000Net-OpenID-Server-1.09/lib/NetServer.pm000644001750001750 11162611656663014 17635 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09/lib/Net/OpenID# LICENSE: You're free to distribute this under the same terms as Perl itself. use strict; use Carp (); use Net::OpenID::Common; use Net::OpenID::IndirectMessage; ############################################################################ package Net::OpenID::Server; BEGIN { $Net::OpenID::Server::VERSION = '1.09'; } use fields ( 'last_errcode', # last error code we got 'last_errtext', # last error code we got 'get_user', # subref returning a defined value representing the logged in user, or undef if no user. # this return value ($u) is passed to the other subrefs 'get_identity', # subref given a ( $u, $identity_url). 'is_identity', # subref given a ($u, $identity_url). should return true if $u owns the URL # tree given by $identity_url. not that $u may be undef, if get_user returned undef. # it's up to you if you immediately return 0 on $u or do some work to make the # timing be approximately equal, so you don't reveal if somebody's logged in or not 'is_trusted', # subref given a ($u, $trust_root, $is_identity). should return true if $u wants $trust_root # to know about their identity. if you don't care about timing attacks, you can # immediately return 0 if ! $is_identity, as the entire case can't succeed # unless both is_identity and is_trusted pass, and is_identity is called first. 'handle_request', # callback to handle a request. If present, get_user, get_identity, is_identity and is_trusted # are all ignored and this single callback is used to replace all of them. 'endpoint_url', 'setup_url', # setup URL base (optionally with query parameters) where users should go # to login/setup trust/etc. 'setup_map', # optional hashref mapping some/all standard keys that would be added to # setup_url to your preferred names. 'args', # thing to get args 'message', # current IndirectMessage object 'server_secret', # subref returning secret given $time 'secret_gen_interval', 'secret_expire_age', 'compat', # version 1.0 compatibility flag (otherwise only sends 1.1 parameters) ); use Carp; use URI; use MIME::Base64 (); use Digest::SHA qw(sha1 sha1_hex sha256 sha256_hex hmac_sha1 hmac_sha1_hex hmac_sha256 hmac_sha256_hex); use Time::Local qw(timegm); my $OPENID2_NS = qq!http://specs.openid.net/auth/2.0!; my $OPENID2_ID_SELECT = qq!http://specs.openid.net/auth/2.0/identifier_select!; sub new { my Net::OpenID::Server $self = shift; $self = fields::new( $self ) unless ref $self; my %opts = @_; $self->{last_errcode} = undef; $self->{last_errtext} = undef; if (exists $opts{get_args}) { carp "Option 'get_args' is deprecated, use 'args' instead"; $self->args(delete $opts{get_args}); } if (exists $opts{post_args}) { carp "Option 'post_args' is deprecated, use 'args' instead"; $self->args(delete $opts{post_args}); } $self->args(delete $opts{args}); $opts{'secret_gen_interval'} ||= 86400; $opts{'secret_expire_age'} ||= 86400 * 14; $opts{'get_identity'} ||= sub { $_[1] }; # use compatibility mode until 30 days from July 10, 2005 unless (defined $opts{'compat'}) { $opts{'compat'} = time() < 1121052339 + 86400*30 ? 1 : 0; } $self->$_(delete $opts{$_}) foreach (qw( get_user get_identity is_identity is_trusted handle_request endpoint_url setup_url setup_map server_secret secret_gen_interval secret_expire_age compat )); Carp::croak("Unknown options: " . join(", ", keys %opts)) if %opts; return $self; } sub get_user { &_getsetcode; } sub get_identity { &_getsetcode; } sub is_identity { &_getsetcode; } sub is_trusted { &_getsetcode; } sub handle_request { &_getsetcode; } sub endpoint_url { &_getset; } sub setup_url { &_getset; } sub setup_map { &_getset; } sub compat { &_getset; } sub server_secret { &_getset; } sub secret_gen_interval { &_getset; } sub secret_expire_age { &_getset; } # returns ($content_type, $page), where $content_type can be "redirect" # in which case a temporary redirect should be done to the URL in $page # $content_type can also be "setup", in which case the setup_map variables # are in $page as a hashref, and caller has full control from there. # # returns undef on error, in which case caller should generate an error # page using info in $nos->err. sub handle_page { my Net::OpenID::Server $self = shift; my %opts = @_; my $redirect_for_setup = delete $opts{'redirect_for_setup'}; Carp::croak("Unknown options: " . join(", ", keys %opts)) if %opts; Carp::croak("handle_page must be called in list context") unless wantarray; my $mode = $self->_message_mode; return $self->_mode_associate if $self->_message_mode eq "associate"; return $self->_mode_check_authentication if $self->_message_mode eq "check_authentication"; unless ($mode) { return ("text/html", "OpenID EndpointThis is an OpenID server endpoint, not a human-readable resource. For more information, see http://openid.net/."); } return $self->_error_page("Unknown mode") unless $mode =~ /^checkid_(?:immediate|setup)/; return $self->_mode_checkid($mode, $redirect_for_setup); } # given something that can have GET arguments, returns a subref to get them: # Apache # Apache::Request # CGI # HASH of get args # CODE returning get arg, given key # ... sub args { my Net::OpenID::Server $self = shift; if (my $what = shift) { unless (ref $what) { return $self->{args} ? $self->{args}->($what) : Carp::croak("No args defined"); } else { Carp::croak("Too many parameters") if @_; my $message = Net::OpenID::IndirectMessage->new($what, ( minimum_version => $self->minimum_version, )); $self->{message} = $message; $self->{args} = $message ? $message->getter : sub { undef }; } } $self->{args}; } sub message { my Net::OpenID::Server $self = shift; if (my $key = shift) { return $self->{message} ? $self->{message}->get($key) : undef; } else { return $self->{message}; } } sub minimum_version { # TODO: Make this configurable 1; } sub _message_mode { my $message = $_[0]->message; return $message ? $message->mode : undef; } sub _message_version { my $message = $_[0]->message; return $message ? $message->protocol_version : undef; } sub cancel_return_url { my Net::OpenID::Server $self = shift; my %opts = @_; my $return_to = delete $opts{'return_to'}; Carp::croak("Unknown options: " . join(", ", keys %opts)) if %opts; my $ret_url = $return_to; OpenID::util::push_url_arg(\$ret_url, "openid.mode" => "cancel"); return $ret_url; } sub signed_return_url { my Net::OpenID::Server $self = shift; my %opts = @_; my $identity = delete $opts{'identity'}; my $claimed_id = delete $opts{'claimed_id'}; my $return_to = delete $opts{'return_to'}; my $assoc_handle = delete $opts{'assoc_handle'}; my $assoc_type = delete $opts{'assoc_type'} || 'HMAC-SHA1'; my $ns = delete $opts{'ns'}; my $extra_fields = delete $opts{'additional_fields'} || {}; # verify the trust_root and realm, if provided if (my $realm = delete $opts{'realm'}) { return undef unless _url_is_under($realm, $return_to); delete $opts{'trust_root'}; } elsif (my $trust_root = delete $opts{'trust_root'}) { return undef unless _url_is_under($trust_root, $return_to); } Carp::croak("Unknown options: " . join(", ", keys %opts)) if %opts; my $ret_url = $return_to; my $c_sec; my $invalid_handle; if ($assoc_handle) { $c_sec = $self->_secret_of_handle($assoc_handle, type=>$assoc_type); # tell the consumer that their provided handle is bogus # (or we forgot it) and that they should stop using it $invalid_handle = $assoc_handle unless $c_sec; } unless ($c_sec) { # dumb consumer mode ($assoc_handle, $c_sec, undef) = $self->_generate_association(type => $assoc_type, dumb => 1); } $claimed_id ||= $identity; $claimed_id = $identity if $claimed_id eq $OPENID2_ID_SELECT; my @sign = qw(mode claimed_id identity op_endpoint return_to response_nonce assoc_handle assoc_type); my $now = time(); my %arg = ( mode => "id_res", identity => $identity, claimed_id => $claimed_id, return_to => $return_to, assoc_handle => $assoc_handle, assoc_type => $assoc_type, response_nonce => OpenID::util::time_to_w3c($now) . _rand_chars(6), ); $arg{'op_endpoint'} = $self->endpoint_url if $self->endpoint_url && $ns eq $OPENID2_NS; $arg{'ns'} = $ns if $ns; # compatibility mode with version 1.0 of the protocol which still # had absolute dates if ($self->{compat}) { $arg{issued} = OpenID::util::time_to_w3c($now); $arg{valid_to} = OpenID::util::time_to_w3c($now + 3600); push @sign, "issued", "valid_to"; } # add in the additional fields foreach my $k (keys %{ $extra_fields }) { die "Invalid extra field: $k" unless $k =~ /^\w+\./; $arg{$k} = $extra_fields->{$k}; push @sign, $k; } # since signing of empty fields is not well defined, # remove such fields from the list of fields to be signed @sign = grep { defined $arg{$_} && $arg{$_} ne '' } @sign; $arg{signed} = join(",", @sign); my @arg; # arguments we'll append to the URL my $token_contents = ""; foreach my $f (@sign) { $token_contents .= "$f:$arg{$f}\n"; push @arg, "openid.$f" => $arg{$f}; delete $arg{$f}; } # include the arguments we didn't sign in the URL push @arg, map { ( "openid.$_" => $arg{$_} ) } sort keys %arg; # include (unsigned) the handle we're telling the consumer to invalidate if ($invalid_handle) { push @arg, "openid.invalidate_handle" => $invalid_handle; } # finally include the signature if ($assoc_type eq 'HMAC-SHA1') { push @arg, "openid.sig" => OpenID::util::b64(hmac_sha1($token_contents, $c_sec)); } elsif ($assoc_type eq 'HMAC-SHA256') { push @arg, "openid.sig" => OpenID::util::b64(hmac_sha256($token_contents, $c_sec)); } else { die "Unknown assoc_type $assoc_type"; } OpenID::util::push_url_arg(\$ret_url, @arg); return $ret_url; } sub _mode_checkid { my Net::OpenID::Server $self = shift; my ($mode, $redirect_for_setup) = @_; my $return_to = $self->args("openid.return_to"); return $self->_fail("no_return_to") unless $return_to =~ m!^https?://!; my $trust_root = $self->args("openid.trust_root") || $return_to; $trust_root = $self->args("openid.realm") if $self->args('openid.ns') eq $OPENID2_NS; return $self->_fail("invalid_trust_root") unless _url_is_under($trust_root, $return_to); my $identity = $self->args("openid.identity"); # chop off the query string, in case our trust_root came from the return_to URL $trust_root =~ s/\?.*//; my $is_identity = 0; my $is_trusted = 0; if (0 && $self->{handle_request}) { } else { my $u = $self->_proxy("get_user"); if ( $self->args('openid.ns') eq $OPENID2_NS && $identity eq $OPENID2_ID_SELECT ) { $identity = $self->_proxy("get_identity", $u, $identity ); } $is_identity = $self->_proxy("is_identity", $u, $identity); $is_trusted = $self->_proxy("is_trusted", $u, $trust_root, $is_identity); } # assertion path: if ($is_identity && $is_trusted) { my $ret_url = $self->signed_return_url( identity => $identity, claimed_id => $self->args('openid.claimed_id'), return_to => $return_to, assoc_handle => $self->args("openid.assoc_handle"), assoc_type => $self->args("openid.assoc_type"), ns => $self->args('openid.ns'), ); return ("redirect", $ret_url); } # assertion could not be made, so user requires setup (login/trust.. something) # two ways that can happen: caller might have asked us for an immediate return # with a setup URL (the default), or explictly said that we're in control of # the user-agent's full window, and we can do whatever we want with them now. my %setup_args = ( $self->_setup_map("trust_root"), $trust_root, $self->_setup_map("realm"), $trust_root, $self->_setup_map("return_to"), $return_to, $self->_setup_map("identity"), $identity, ); $setup_args{$self->_setup_map('ns')} = $self->args('openid.ns') if $self->args('openid.ns'); if ( $self->args("openid.assoc_handle") ) { $setup_args{ $self->_setup_map("assoc_handle") } = $self->args("openid.assoc_handle"); $setup_args{ $self->_setup_map("assoc_type") } = $self->_determine_assoc_type_from_assoc_handle( $self->args("openid.assoc_handle") ); } my $setup_url = $self->{setup_url} or Carp::croak("No setup_url defined."); OpenID::util::push_url_arg(\$setup_url, %setup_args); if ($mode eq "checkid_immediate") { my $ret_url = $return_to; OpenID::util::push_url_arg(\$setup_url, 'openid.mode'=>'checkid_setup'); OpenID::util::push_url_arg(\$setup_url, 'openid.claimed_id'=>$identity); if ($self->args('openid.ns') eq $OPENID2_NS) { OpenID::util::push_url_arg(\$ret_url, "openid.ns", $self->args('openid.ns')); OpenID::util::push_url_arg(\$ret_url, "openid.mode", "setup_needed"); } else { OpenID::util::push_url_arg(\$ret_url, "openid.mode", "id_res"); } # We send this even in the 2.0 case -- despite what the spec says -- # because several consumer implementations, including Net::OpenID::Consumer # at this time, depend on it. OpenID::util::push_url_arg(\$ret_url, "openid.user_setup_url", $setup_url); return ("redirect", $ret_url); } else { # the "checkid_setup" mode, where we take control of the user-agent # and return to their return_to URL later. if ($redirect_for_setup) { return ("redirect", $setup_url); } else { return ("setup", \%setup_args); } } } sub _determine_assoc_type_from_assoc_handle { my ($self, $assoc_handle)=@_; my $assoc_type=$self->args("openid.assoc_type"); return $assoc_type if ($assoc_type); # set? Just return it. if ($assoc_handle) { my (undef, undef, $hmac_part)=split /:/, $assoc_handle, 3; my $len=length($hmac_part); # see _generate_association if ($len==16) { $assoc_type='HMAC-SHA256'; } elsif ($len==10) { $assoc_type='HMAC-SHA1'; } } return $assoc_type; } sub _setup_map { my Net::OpenID::Server $self = shift; my $key = shift; Carp::croak("Too many parameters") if @_; return $key unless ref $self->{setup_map} eq "HASH" && $self->{setup_map}{$key}; return $self->{setup_map}{$key}; } sub _proxy { my Net::OpenID::Server $self = shift; my $meth = shift; my $getter = $self->{$meth}; Carp::croak("You haven't defined a subref for '$meth'") unless ref $getter eq "CODE"; return $getter->(@_); } sub _get_server_secret { my Net::OpenID::Server $self = shift; my $time = shift; my $ss; if (ref $self->{server_secret} eq "CODE") { $ss = $self->{server_secret}; } elsif ($self->{server_secret}) { $ss = sub { return $self->{server_secret}; }; } else { Carp::croak("You haven't defined a server_secret value or subref defined.\n"); } my $sec = $ss->($time); Carp::croak("Server secret too long") if length($sec) > 255; return $sec; } # returns ($assoc_handle, $secret, $expires) sub _generate_association { my Net::OpenID::Server $self = shift; my %opts = @_; my $type = delete $opts{type}; my $dumb = delete $opts{dumb} || 0; Carp::croak("Unknown options: " . join(", ", keys %opts)) if %opts; die unless $type =~ /^HMAC-SHA(1|256)$/; my $now = time(); my $sec_time = $now - ($now % $self->secret_gen_interval); my $s_sec = $self->_get_server_secret($sec_time) or Carp::croak("server_secret didn't return a secret given what should've been a valid time ($sec_time)\n"); my $nonce = _rand_chars(20); $nonce = "STLS.$nonce" if $dumb; # flag nonce as stateless my $handle = "$now:$nonce"; if ($type eq 'HMAC-SHA1') { $handle .= ":" . substr(hmac_sha1_hex($handle, $s_sec), 0, 10); } elsif ($type eq 'HMAC-SHA256') { $handle .= ":" . substr(hmac_sha256_hex($handle, $s_sec), 0, 16); } my $c_sec = $self->_secret_of_handle($handle, dumb => $dumb, type=>$type) or return (); my $expires = $sec_time + $self->secret_expire_age; return ($handle, $c_sec, $expires); } sub _secret_of_handle { my Net::OpenID::Server $self = shift; my ($handle, %opts) = @_; my $dumb_mode = delete $opts{'dumb'} || 0; my $no_verify = delete $opts{'no_verify'} || 0; my $type = delete $opts{'type'} || 'HMAC-SHA1'; my %hmac_functions_hex=( 'HMAC-SHA1' =>\&hmac_sha1_hex, 'HMAC-SHA256'=>\&hmac_sha256_hex, ); my %hmac_functions=( 'HMAC-SHA1' =>\&hmac_sha1, 'HMAC-SHA256'=>\&hmac_sha256, ); my %nonce_80_lengths=( 'HMAC-SHA1'=>10, 'HMAC-SHA256'=>16, ); my $nonce_80_len=$nonce_80_lengths{$type}; my $hmac_function_hex=$hmac_functions_hex{$type} || Carp::croak "No function for $type"; my $hmac_function=$hmac_functions{$type} || Carp::croak "No function for $type"; Carp::croak("Unknown options: " . join(", ", keys %opts)) if %opts; my ($time, $nonce, $nonce_sig80) = split(/:/, $handle); return unless $time =~ /^\d+$/ && $nonce && $nonce_sig80; # check_authentication mode only verifies signatures made with # dumb (stateless == STLS) handles, so if that caller requests it, # don't return the secrets here of non-stateless handles return if $dumb_mode && $nonce !~ /^STLS\./; my $sec_time = $time - ($time % $self->secret_gen_interval); my $s_sec = $self->_get_server_secret($sec_time) or return; length($nonce) == ($dumb_mode ? 25 : 20) or return; length($nonce_sig80) == $nonce_80_len or return; return unless $no_verify || $nonce_sig80 eq substr($hmac_function_hex->("$time:$nonce", $s_sec), 0, $nonce_80_len); return $hmac_function->($handle, $s_sec); } sub _mode_associate { my Net::OpenID::Server $self = shift; my $now = time(); my %prop; my $assoc_type = $self->message('assoc_type') || "HMAC-SHA1"; if ($self->message('ns') eq $OPENID2_NS && ($self->message('assoc_type') ne $assoc_type || $self->message('session_type') ne 'DH-SHA1')) { $prop{'ns'} = $self->message('ns') if $self->message('ns'); $prop{'error_code'} = "unsupported-type"; $prop{'error'} = "This server support $assoc_type only."; $prop{'assoc_type'} = $assoc_type; $prop{'session_type'} = "DH-SHA1"; return $self->_serialized_props(\%prop); } my ($assoc_handle, $secret, $expires) = $self->_generate_association(type => $assoc_type); # make absolute form of expires my $exp_abs = $expires > 1000000000 ? $expires : $expires + $now; # make relative form of expires my $exp_rel = $exp_abs - $now; $prop{'ns'} = $self->args('openid.ns') if $self->args('openid.ns'); $prop{'assoc_type'} = $assoc_type; $prop{'assoc_handle'} = $assoc_handle; $prop{'assoc_type'} = $assoc_type; $prop{'expires_in'} = $exp_rel; if ($self->{compat}) { $prop{'expiry'} = OpenID::util::time_to_w3c($exp_abs); $prop{'issued'} = OpenID::util::time_to_w3c($now); } if ($self->args("openid.session_type") =~ /^DH-SHA(1|256)$/) { my $p = OpenID::util::arg2int($self->args("openid.dh_modulus")); my $g = OpenID::util::arg2int($self->args("openid.dh_gen")); my $cpub = OpenID::util::arg2int($self->args("openid.dh_consumer_public")); my $dh = OpenID::util::get_dh($p, $g); return $self->_error_page("invalid dh params p=$p, g=$g, cpub=$cpub") unless $dh and $cpub; my $dh_sec = $dh->compute_secret($cpub); $prop{'dh_server_public'} = OpenID::util::int2arg($dh->pub_key); $prop{'session_type'} = $self->message("session_type"); if ($self->args("openid.session_type") eq 'DH-SHA1') { $prop{'enc_mac_key'} = OpenID::util::b64($secret ^ sha1(OpenID::util::int2bytes($dh_sec))); } elsif ($self->args("openid.session_type") eq 'DH-SHA256') { $prop{'enc_mac_key'} = OpenID::util::b64($secret ^ sha256(OpenID::util::int2bytes($dh_sec))); } } else { $prop{'mac_key'} = OpenID::util::b64($secret); } return $self->_serialized_props(\%prop); } sub _mode_check_authentication { my Net::OpenID::Server $self = shift; my $signed = $self->args("openid.signed") || ""; my $token = ""; foreach my $param (split(/,/, $signed)) { next unless $param =~ /^[\w\.]+$/; my $val = $param eq "mode" ? "id_res" : $self->args("openid.$param"); next unless defined $val; next if $val =~ /\n/; $token .= "$param:$val\n"; } my $sig = $self->args("openid.sig"); my $ahandle = $self->args("openid.assoc_handle") or return $self->_error_page("no_assoc_handle"); my $c_sec = $self->_secret_of_handle($ahandle, dumb => 1) or return $self->_error_page("bad_handle"); my $assoc_type = $self->args('openid.assoc_type') || 'HMAC-SHA1'; my $good_sig; if ($assoc_type eq 'HMAC-SHA1') { $good_sig = OpenID::util::b64(hmac_sha1($token, $c_sec)); } elsif ($assoc_type eq 'HMAC-SHA256') { $good_sig = OpenID::util::b64(hmac_sha256($token, $c_sec)); } else { die "Unknown assoc_type $assoc_type"; } my $is_valid = OpenID::util::timing_indep_eq($sig, $good_sig); my $ret = { is_valid => $is_valid ? "true" : "false", }; $ret->{'ns'} = $self->args('openid.ns') if $self->args('openid.ns'); if ($self->{compat}) { $ret->{lifetime} = 3600; $ret->{WARNING} = "The lifetime parameter is deprecated and will " . "soon be removed. Use is_valid instead. " . "See openid.net/specs.bml."; } # tell them if a handle they asked about is invalid, too if (my $ih = $self->args("openid.invalidate_handle")) { $c_sec = $self->_secret_of_handle($ih); $ret->{"invalidate_handle"} = $ih unless $c_sec; } return $self->_serialized_props($ret); } sub _error_page { my Net::OpenID::Server $self = shift; return $self->_serialized_props({ 'error' => $_[0] }); } sub _serialized_props { my Net::OpenID::Server $self = shift; my $props = shift; my $body = ""; foreach (sort keys %$props) { $body .= "$_:$props->{$_}\n"; } return ("text/plain", $body); } sub _get_key_contents { my Net::OpenID::Server $self = shift; my $key = shift; Carp::croak("Too many parameters") if @_; Carp::croak("Unknown key type") unless $key =~ /^public|private$/; my $mval = $self->{"${key}_key"}; my $contents; if (ref $mval eq "CODE") { $contents = $mval->(); } elsif ($mval !~ /\n/ && -f $mval) { local *KF; return $self->_fail("key_open_failure", "Couldn't open key file for reading") unless open(KF, $mval); $contents = do { local $/; ; }; close KF; } else { $contents = $mval; } return $self->_fail("invalid_key", "$key file not in correct format") unless $contents =~ /\-\-\-\-BEGIN/ && $contents =~ /\-\-\-\-END/; return $contents; } sub _getset { my Net::OpenID::Server $self = shift; my $param = (caller(1))[3]; $param =~ s/.+:://; if (@_) { my $val = shift; Carp::croak("Too many parameters") if @_; $self->{$param} = $val; } return $self->{$param}; } sub _getsetcode { my Net::OpenID::Server $self = shift; my $param = (caller(1))[3]; $param =~ s/.+:://; if (my $code = shift) { Carp::croak("Too many parameters") if @_; Carp::croak("Expected CODE reference") unless ref $code eq "CODE"; $self->{$param} = $code; } return $self->{$param}; } sub _fail { my Net::OpenID::Server $self = shift; $self->{last_errcode} = shift; $self->{last_errtext} = shift; wantarray ? () : undef; } sub err { my Net::OpenID::Server $self = shift; return undef unless $self->{last_errcode}; $self->{last_errcode} . ": " . $self->{last_errtext}; } sub errcode { my Net::OpenID::Server $self = shift; $self->{last_errcode}; } sub errtext { my Net::OpenID::Server $self = shift; $self->{last_errtext}; } # FIXME: duplicated in Net::OpenID::Consumer's VerifiedIdentity sub _url_is_under { my ($root, $test, $err_ref) = @_; my $err = sub { $$err_ref = shift if $err_ref; return undef; }; my $ru = URI->new($root); return $err->("invalid root scheme") unless $ru->scheme =~ /^https?$/; my $tu = URI->new($test); return $err->("invalid test scheme") unless $tu->scheme =~ /^https?$/; return $err->("schemes don't match") unless $ru->scheme eq $tu->scheme; return $err->("ports don't match") unless $ru->port == $tu->port; # check hostnames my $ru_host = $ru->host; my $tu_host = $tu->host; my $wildcard_host = 0; if ($ru_host =~ s!^\*\.!!) { $wildcard_host = 1; } unless ($ru_host eq $tu_host) { if ($wildcard_host) { return $err->("host names don't match") unless $tu_host =~ /\.\Q$ru_host\E$/; } else { return $err->("host names don't match"); } } # check paths my $ru_path = $ru->path || "/"; my $tu_path = $tu->path || "/"; $ru_path .= "/" unless $ru_path =~ m!/$!; $tu_path .= "/" unless $tu_path =~ m!/$!; return $err->("path not a subpath") unless $tu_path =~ m!^\Q$ru_path\E!; return 1; } sub _rand_chars { shift if @_ == 2; # shift off classname/obj, if called as method my $length = shift; my $chal = ""; my $digits = "abcdefghijklmnopqrstuvwzyzABCDEFGHIJKLMNOPQRSTUVWZYZ0123456789"; for (1..$length) { $chal .= substr($digits, int(rand(62)), 1); } return $chal; } # also a public interface: *rand_chars = \&_rand_chars; __END__ =head1 NAME Net::OpenID::Server - Library for building your own OpenID server/provider =head1 VERSION version 1.09 =head1 SYNOPSIS use Net::OpenID::Server; my $nos = Net::OpenID::Server->new( args => $cgi, get_user => \&get_user, get_identity => \&get_identity, is_identity => \&is_identity, is_trusted => \&is_trusted, endpoint_url => "http://example.com/server.bml", setup_url => "http://example.com/pass-identity.bml", ); # From your OpenID server endpoint: my ($type, $data) = $nos->handle_page; if ($type eq "redirect") { WebApp::redirect_to($data); } elsif ($type eq "setup") { my %setup_opts = %$data; # ... show them setup page(s), with options from setup_map # it's then your job to redirect them at the end to "return_to" # (or whatever you've named it in setup_map) } else { WebApp::set_content_type($type); WebApp::print($data); } =head1 DESCRIPTION This is the Perl API for (the server half of) OpenID, a distributed identity system based on proving you own a URL, which is then your identity. More information is available at: http://openid.net/ As of version 1.01 this module has support for both OpenID 1.1 and 2.0. Prior to this, only 1.1 was supported. =head1 CONSTRUCTOR =over 4 =item Net::OpenID::Server->B([ %opts ]) You can set anything in the constructor options that there are getters/setters methods for below. That includes: args, get_user, is_identity, is_trusted, setup_url, and setup_map. See below for docs. =back =head1 METHODS =over 4 =item ($type, $data) = $nos->B([ %opts ]) Returns a $type and $data, where $type can be: =over =item C ... in which case you redirect the user (via your web framework's redirect functionality) to the URL specified in $data. =item C ... in which case you should show the user a page (or redirect them to one of your pages) where they can setup trust for the given "trust_root" in the hashref in $data, and then redirect them to "return_to" at the end. Note that the parameters in the $data hashref are as you named them with setup_map. =item Some content type Otherwise, set the content type to $type and print the page out, the contents of which are in $data. =back The optional %opts may contain: =over =item C If set to a true value, signals that you don't want to handle the C return type from handle_page, and you'd prefer it just be converted to a C type to your already-defined C, with the arguments from setup_map already appended. =back =item $url = $nos->B( %opts ) Generates a positive identity assertion URL that you'd redirect a user to. Typically this would be after they've completed your setup_url. Once trust has been setup, the C method will redirect you to this signed return automatically. The URL generated is the consumer site's return_to URL, with a signed identity included in the GET arguments. The %opts are: =over =item C Required. The identity URL to sign. =item C Optional. The claimed_id URL to sign. =item C Required. The base of the URL being generated. =item C The association handle to use for the signature. If blank, dumb consumer mode is used, and the library picks the handle. =item C Optional. If present, the C URL will be checked to be within ("under") this trust_root. If not, the URL returned will be undef. =item C Optional. =item C Optional. If present, must be a hashref with keys starting with "\w+\.". All keys and values will be returned in the response, and signed. This is used for OpenID extensions. =back =item $url = $nos->B( %opts ) Generates a cancel notice to the return_to URL, if a user declines to share their identity. %opts are: =over =item C Required. The base of the URL being generated. =back =item $nos->B Can be used in 1 of 3 ways: 1. Setting the way which the Server instances obtains parameters: $nos->args( $reference ) Where $reference is either a HASH ref, CODE ref, Apache $r (for get_args only), Apache::Request $apreq, or CGI.pm $cgi. If a CODE ref, the subref must return the value given one argument (the parameter to retrieve) 2. Get a paramater: my $foo = $nos->get_args("foo"); When given an unblessed scalar, it retrieves the value. It croaks if you haven't defined a way to get at the parameters. 3. Get the getter: my $code = $nos->get_args; Without arguments, returns a subref that returns the value given a parameter name. =item $nos->B($code) =item $code = $nos->B; $u = $code->(); Get/set the subref returning a defined value representing the logged in user, or undef if no user. The return value (let's call it $u) is not touched. It's simply given back to your other callbacks (is_identity and is_trusted). =item $nos->B($code) =item $code = $nos->B; $identity = $code->($u, $identity); For OpenID 2.0. Get/set the subref returning a identity. This is called when claimed identity is 'identifier_select'. =item $nos->B($code) =item $code = $nos->B; $code->($u, $identity_url) Get/set the subref which is responsible for returning true if the logged in user $u (which may be undef if user isn't logged in) owns the URL tree given by $identity_url. Note that if $u is undef, your function should always return 0. The framework doesn't do that for you so you can do unnecessary work on purpose if you care about exposing information via timing attacks. =item $nos->B($code) =item $code = $nos->B; $code->($u, $trust_root, $is_identity) Get/set the subref which is responsible for returning true if the logged in user $u (which may be undef if user isn't logged in) trusts the URL given by $trust_root to know his/her identity. Note that if either $u is undef, or $is_identity is false (this is the result of your previous is_identity callback), you should return 0. But your callback is always run so you can avoid timing attacks, if you care. =item $nos->B($scalar) =item $nos->B($code) =item $code = $nos->B; ($secret) = $code->($time); The server secret is used to generate and sign lots of per-consumer secrets, and is never handed out directly. In the simplest (and least secure) form, you configure a static secret value with a scalar. If you use this method and change the scalar value, all consumers that have cached their per-consumer secrets will start failing, since their secrets no longer work. The recommended usage, however, is to supply a subref that returns a secret based on the provided I<$time>, a unix timestamp. And if one doesn't exist for that time, create, store and return it (with appropriate locking so you never return different secrets for the same time.) Your secret can just be random characters, but it's your responsibility to do the locking and storage. If you want help generating random characters, call C. Your secret may not exceed 255 characters. =item $nos->B($url) =item $url = $nos->B Get/set the user setup URL. This is the URL the user is told to go to if they're either not logged in, not who they said they were, or trust hasn't been setup. You use the same URL in all three cases. Your setup URL may contain existing query parameters. =item $nos->B($url) =item $url = $nos->B For OpenID 2.0. Get/set the op_endpoint URL. =item $nos->B($hashref) =item $hashref = $nos->B When this module gives a consumer site a user_setup_url from your provided setup_url, it also has to append a number of get parameters onto your setup_url, so your app based at that setup_url knows what it has to setup. Those keys are named, by default, "trust_root", "return_to", "identity", and "assoc_handle". If you don't like those parameter names, this $hashref setup_map lets you change one or more of them. The hashref's keys should be the default values, with values being the parameter names you want. =item Net::OpenID::Server->rand_chars($len) Utility function to return a string of $len random characters. May be called as package method, object method, or regular function. =item $nos->B Returns the last error, in form "errcode: errtext"; =item $nos->B Returns the last error code. =item $nos->B Returns the last error text. =back =head1 COPYRIGHT This module is Copyright (c) 2005 Brad Fitzpatrick. All rights reserved. You may distribute under the terms of either the GNU General Public License or the Artistic License, as specified in the Perl README file. If you need more liberal licensing terms, please contact the maintainer. =head1 WARRANTY This is free software. IT COMES WITHOUT WARRANTY OF ANY KIND. =head1 MAILING LIST The Net::OpenID family of modules has a mailing list powered by Google Groups. For more information, see http://groups.google.com/group/openid-perl . =head1 SEE ALSO OpenID website: http://openid.net/ =head1 AUTHORS Brad Fitzpatrick META.yml000644001750001750 132311656663014 14620 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09--- abstract: 'Library for building your own OpenID server/provider' author: - 'Robert Norris ' build_requires: Test::More: 0 configure_requires: ExtUtils::MakeMaker: 6.31 dynamic_config: 0 generated_by: 'Dist::Zilla version 4.101900, CPAN::Meta::Converter version 2.101670' license: perl meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html version: 1.4 name: Net-OpenID-Server requires: Digest::SHA: 0 MIME::Base64: 0 Net::OpenID::Common: 1.11 URI: 0 resources: bugtracker: http://rt.cpan.org/NoAuth/Bugs.html?Dist=Net-OpenID-Server homepage: http://groups.google.com/group/openid-perl repository: git://github.com/robn/Net-OpenID-Server.git version: 1.09 LICENSE000644001750001750 4353011656663014 14402 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09This software is copyright (c) 2005 by Brad Fitzpatrick. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. Terms of the Perl programming language system itself a) the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version, or b) the "Artistic License" --- The GNU General Public License, Version 1, February 1989 --- This software is Copyright (c) 2005 by Brad Fitzpatrick. This is free software, licensed under: The GNU General Public License, Version 1, February 1989 GNU GENERAL PUBLIC LICENSE Version 1, February 1989 Copyright (C) 1989 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The license agreements of most software companies try to keep users at the mercy of those companies. By contrast, our General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. The General Public License applies to the Free Software Foundation's software and to any other program whose authors commit to using it. You can use it for your programs, too. When we speak of free software, we are referring to freedom, not price. Specifically, the General Public License is designed to make sure that you have the freedom to give away or sell copies of free software, that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of a such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must tell them their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any work containing the Program or a portion of it, either verbatim or with modifications. Each licensee is addressed as "you". 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this General Public License and to the absence of any warranty; and give any other recipients of the Program a copy of this General Public License along with the Program. You may charge a fee for the physical act of transferring a copy. 2. You may modify your copy or copies of the Program or any portion of it, and copy and distribute such modifications under the terms of Paragraph 1 above, provided that you also do the following: a) cause the modified files to carry prominent notices stating that you changed the files and the date of any change; and b) cause the whole of any work that you distribute or publish, that in whole or in part contains the Program or any part thereof, either with or without modifications, to be licensed at no charge to all third parties under the terms of this General Public License (except that you may choose to grant warranty protection to some or all third parties, at your option). c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the simplest and most usual way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this General Public License. d) You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. Mere aggregation of another independent work with the Program (or its derivative) on a volume of a storage or distribution medium does not bring the other work under the scope of these terms. 3. You may copy and distribute the Program (or a portion or derivative of it, under Paragraph 2) in object code or executable form under the terms of Paragraphs 1 and 2 above provided that you also do one of the following: a) accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Paragraphs 1 and 2 above; or, b) accompany it with a written offer, valid for at least three years, to give any third party free (except for a nominal charge for the cost of distribution) a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Paragraphs 1 and 2 above; or, c) accompany it with the information you received as to where the corresponding source code may be obtained. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form alone.) Source code for a work means the preferred form of the work for making modifications to it. For an executable file, complete source code means all the source code for all modules it contains; but, as a special exception, it need not include source code for modules which are standard libraries that accompany the operating system on which the executable file runs, or for standard header files or definitions files that accompany that operating system. 4. You may not copy, modify, sublicense, distribute or transfer the Program except as expressly provided under this General Public License. Any attempt otherwise to copy, modify, sublicense, distribute or transfer the Program is void, and will automatically terminate your rights to use the Program under this License. However, parties who have received copies, or rights to use copies, from you under this General Public License will not have their licenses terminated so long as such parties remain in full compliance. 5. By copying, distributing or modifying the Program (or any work based on the Program) you indicate your acceptance of this license to do so, and all its terms and conditions. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. 7. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of the license which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the license, you may choose any version ever published by the Free Software Foundation. 8. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 9. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 10. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to humanity, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) 19yy This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19xx name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (a program to direct compilers to make passes at assemblers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice That's all there is to it! --- The Artistic License 1.0 --- This software is Copyright (c) 2005 by Brad Fitzpatrick. This is free software, licensed under: The Artistic License 1.0 The Artistic License Preamble The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications. Definitions: - "Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification. - "Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder. - "Copyright Holder" is whoever is named in the copyright or copyrights for the package. - "You" is you, if you're thinking about copying or distributing this Package. - "Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.) - "Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it. 1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers. 2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version. 3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following: a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as ftp.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package. b) use the modified Package only within your corporation or organization. c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version. d) make other distribution arrangements with the Copyright Holder. 4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following: a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version. b) accompany the distribution with the machine-readable source of the Package with your modifications. c) accompany any non-standard executables with their corresponding Standard Version executables, giving the non-standard executables non-standard names, and clearly documenting the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version. d) make other distribution arrangements with the Copyright Holder. 5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own. 6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this Package. 7. C or perl subroutines supplied by you and linked into this Package shall not be considered part of this Package. 8. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission. 9. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. The End README000644001750001750 50611656663014 14211 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09 This archive contains the distribution Net-OpenID-Server, version 1.09: Library for building your own OpenID server/provider This software is copyright (c) 2005 by Brad Fitzpatrick. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. MANIFEST000644001750001750 16711656663014 14465 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09Changes LICENSE MANIFEST META.json META.yml Makefile.PL README examples/server.cgi lib/Net/OpenID/Server.pm t/00-use.t META.json000644001750001750 250511656663014 14773 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09{ "abstract" : "Library for building your own OpenID server/provider", "author" : [ "Robert Norris " ], "dynamic_config" : 0, "generated_by" : "Dist::Zilla version 4.101900, CPAN::Meta::Converter version 2.101670", "license" : [ "perl_5" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", "version" : "2" }, "name" : "Net-OpenID-Server", "prereqs" : { "configure" : { "requires" : { "ExtUtils::MakeMaker" : "6.31" } }, "runtime" : { "requires" : { "Digest::SHA" : 0, "MIME::Base64" : 0, "Net::OpenID::Common" : "1.11", "URI" : 0 } }, "test" : { "requires" : { "Test::More" : 0 } } }, "release_status" : "stable", "resources" : { "bugtracker" : { "mailto" : "bug-net-openid-server@rt.cpan.org", "web" : "http://rt.cpan.org/NoAuth/Bugs.html?Dist=Net-OpenID-Server" }, "homepage" : "http://groups.google.com/group/openid-perl", "repository" : { "type" : "git", "url" : "git://github.com/robn/Net-OpenID-Server.git", "web" : "http://github.com/robn/Net-OpenID-Server" } }, "version" : "1.09" } Makefile.PL000644001750001750 215411656663014 15324 0ustar00rfcrfc000000000000Net-OpenID-Server-1.09 use strict; use warnings; use ExtUtils::MakeMaker 6.31; my %WriteMakefileArgs = ( 'ABSTRACT' => 'Library for building your own OpenID server/provider', 'AUTHOR' => 'Robert Norris ', 'BUILD_REQUIRES' => { 'Test::More' => '0' }, 'CONFIGURE_REQUIRES' => { 'ExtUtils::MakeMaker' => '6.31' }, 'DISTNAME' => 'Net-OpenID-Server', 'EXE_FILES' => [], 'LICENSE' => 'perl', 'NAME' => 'Net::OpenID::Server', 'PREREQ_PM' => { 'Digest::SHA' => '0', 'MIME::Base64' => '0', 'Net::OpenID::Common' => '1.11', 'URI' => '0' }, 'VERSION' => '1.09', 'test' => { 'TESTS' => 't/*.t' } ); unless ( eval { ExtUtils::MakeMaker->VERSION(6.56) } ) { my $br = delete $WriteMakefileArgs{BUILD_REQUIRES}; my $pp = $WriteMakefileArgs{PREREQ_PM}; for my $mod ( keys %$br ) { if ( exists $pp->{$mod} ) { $pp->{$mod} = $br->{$mod} if $br->{$mod} > $pp->{$mod}; } else { $pp->{$mod} = $br->{$mod}; } } } delete $WriteMakefileArgs{CONFIGURE_REQUIRES} unless eval { ExtUtils::MakeMaker->VERSION(6.52) }; WriteMakefile(%WriteMakefileArgs);