From 8149492cbeb3d485561ff55718441664c127a59b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Wed, 2 Mar 2011 13:46:43 +0100
Subject: [PATCH] rfe #1640812 [auth] Add example for OpenID authentication
 using signon method.

---
 ChangeLog          |   1 +
 Documentation.html |   4 +-
 scripts/openid.php | 161 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 scripts/openid.php

diff --git a/ChangeLog b/ChangeLog
index e0e68664a..29dafd6e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -142,6 +142,7 @@
   thanks to Thilanka Kaushalya
 - [interface] New default theme pmahomme, dropped darkblue_orange theme.
 - rfe #2936155 [auth] Allow to pass additional parameters using signon method.
+- rfe #1640812 [auth] Add example for OpenID authentication using signon method.
 
 3.3.10.0 (not yet released)
 - patch #3147400 [structure] Aria table size printed as unknown,
diff --git a/Documentation.html b/Documentation.html
index 956f67749..3c40382c6 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -758,7 +758,9 @@ since this link provides funding for phpMyAdmin.
                 as introduced in 2.10.0 allows you to log in from prepared PHP
                 session data. This is useful for implementing single signon
                 from another application. Sample way how to seed session is in
-                signon example: <code>scripts/signon.php</code>. You need to
+                signon example: <code>scripts/signon.php</code>. There is also
+                alternative example using OpenID -
+                <code>scripts/openid.php</code>.  You need to
                 configure <a href="#cfg_Servers_SignonSession"
                 class="configrule">session name</a> and <a
                 href="#cfg_Servers_SignonURL" class="configrule">signon
diff --git a/scripts/openid.php b/scripts/openid.php
new file mode 100644
index 000000000..b35408802
--- /dev/null
+++ b/scripts/openid.php
@@ -0,0 +1,161 @@
+<?php
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+ * Single signon for phpMyAdmin using OpenID
+ *
+ * This is just example how to use single signon with phpMyAdmin, it is
+ * not intended to be perfect code and look, only shows how you can
+ * integrate this functionality in your application.
+ *
+ * It uses OpenID pear package, see http://pear.php.net/package/OpenID
+ *
+ * User first authenticates using OpenID and based on content of $AUTH_MAP
+ * the login information is passed to phpMyAdmin in session data.
+ *
+ * @package phpMyAdmin
+ * @subpackage Example
+ */
+
+require_once 'OpenID/RelyingParty.php';
+require_once 'OpenID/Discover.php';
+require_once 'OpenID/Store.php';
+require_once 'OpenID/Extension/SREG10.php';
+require_once 'OpenID/Extension/SREG11.php';
+require_once 'OpenID/Extension/AX.php';
+require_once 'OpenID/Extension/UI.php';
+require_once 'OpenID/Extension/OAuth.php';
+require_once 'OpenID/Message.php';
+require_once 'OpenID/Observer/Log.php';
+require_once 'Net/URL2.php';
+
+/* Map of authenticated users to MySQL user/password pairs */
+$AUTH_MAP = array(
+    'http://launchpad.net/~username' => array(
+        'user' => 'root',
+        'password' => '',
+        ),
+    );
+
+/**
+ * Simple function to show HTML page with given content.
+ */
+function show_page($contents) {
+    header('Content-Type: text/html; charset=utf-8');
+    echo '<?xml version="1.0" encoding="utf-8"?>' . "\n";
+    ?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
+<head>
+    <link rel="icon" href="../favicon.ico" type="image/x-icon" />
+    <link rel="shortcut icon" href="../favicon.ico" type="image/x-icon" />
+    <title>phpMyAdmin OpenID signon example</title>
+</head>
+<body>
+<?php
+if (isset($_SESSION) && isset($_SESSION['PMA_single_signon_error_message'])) {
+    echo '<p class="error">' . $_SESSION['PMA_single_signon_message'] . '</p>';
+    unset($_SESSION['PMA_single_signon_message']);
+}
+echo $contents;
+?>
+</body>
+</html>
+<?php
+}
+
+/* Need to have cookie visible from parent directory */
+session_set_cookie_params(0, '/', '', 0);
+/* Create signon session */
+$session_name = 'SignonSession';
+session_name($session_name);
+session_start();
+
+// Determine realm and return_to
+$base = 'http';
+if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
+    $base .= 's';
+}
+$base .= '://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'];
+
+$realm = $base . '/';
+$returnTo = $base . dirname($_SERVER['PHP_SELF']);
+if ($returnTo[strlen($returnTo) - 1] != '/') {
+    $returnTo .= '/';
+}
+$returnTo .= 'openid.php';
+
+/* Display form */
+if (!count($_GET) && !count($_POST) || isset($_GET['phpMyAdmin'])) {
+    /* Show simple form */
+    $content = '<form action="openid.php" method="post">
+OpenID: <input type="text" name="identifier" /><br />
+<input type="submit" name="start" />
+</form>
+</body>
+</html>';
+    show_page($content);
+    exit;
+}
+
+/* Grab identifier */
+if (isset($_POST['identifier'])) {
+    $identifier = $_POST['identifier'];
+} else if (isset($_SESSION['identifier'])) {
+    $identifier = $_SESSION['identifier'];
+} else {
+    $identifier = null;
+}
+
+/* Create OpenID object */
+try {
+    $o = new OpenID_RelyingParty($returnTo, $realm, $identifier);
+} catch (OpenID_Exception $e) {
+    $contents = "<div class='relyingparty_results'>\n";
+    $contents .= "<pre>" . $e->getMessage() . "</pre>\n";
+    $contents .= "</div class='relyingparty_results'>";
+    show_page($contents);
+    exit;
+}
+
+/* Redirect to OpenID provider */
+if (isset($_POST['start'])) {
+    try {
+        $authRequest = $o->prepare();
+    } catch (OpenID_Exception $e) {
+        $contents = "<div class='relyingparty_results'>\n";
+        $contents .= "<pre>" . $e->getMessage() . "</pre>\n";
+        $contents .= "</div class='relyingparty_results'>";
+        show_page($contents);
+        exit;
+    }
+
+    $url = $authRequest->getAuthorizeURL();
+
+    header("Location: $url");
+    exit;
+} else {
+    /* Grab query string */
+    if (!count($_POST)) {
+        list(, $queryString) = explode('?', $_SERVER['REQUEST_URI']);
+    } else {
+        // I hate php sometimes
+        $queryString = file_get_contents('php://input');
+    }
+
+    /* Check reply */
+    $message = new OpenID_Message($queryString, OpenID_Message::FORMAT_HTTP);
+
+    $id = $message->get('openid.claimed_id');
+
+    if (!empty($id) && isset($AUTH_MAP[$id])) {
+        $_SESSION['PMA_single_signon_user'] = $AUTH_MAP[$id]['user'];
+        $_SESSION['PMA_single_signon_password'] = $AUTH_MAP[$id]['password'];
+        session_write_close();
+        /* Redirect to phpMyAdmin (should use absolute URL here!) */
+        header('Location: ../index.php');
+    } else {
+        show_page('<p>User not allowed!</p>');
+        exit;
+    }
+}