Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 1 of 2 12 LastLast
Results 1 to 15 of 18

Thread: OpenID -> PHP?

  1. #1
    New Coder
    Join Date
    Sep 2011
    Posts
    61
    Thanks
    9
    Thanked 1 Time in 1 Post

    OpenID -> PHP?

    Okay...
    It is really easy to find examples of how to set up OpenID libraries etc. However it is close to impossible to figure out how I would then retrieve the information from the OpenID.

    So, I am working on putting a Steam login on my page, so I have downloaded their button and added the link to their login form to this button.
    When people press the button they are redirected to the login form on Steam's website and then sent back, that part works fine.
    What I need is how I get the 64-bit SteamID from the user who logged in?
    I need this ID to access different information through the Steam API which is using JSON, XML and VDF as output, where I think I will be using XML.
    Need help?
    I work with the following languages:
    HTML: Professional - PHP: Professional - Visual C#: Average - CSS: Average - ASP: Please don't hurt me! ;(
    Currently practicing: Visual C#

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    If the steam API provides it, you can retrieve it. In PHP, this has to be either a string or binary string. PHP doesn't support unsigned integers, so even if you have an x64 build PHP, the numbers will not make sense. As a string though, you can parse it as a number, but typically speaking you cannot manipulate it (you can treat it as a string with [s]printf and provide a hex or unsigned long output). You can break it into parts and do manual calculations of course, but that's a lot more work than a simple +.

  • #3
    New Coder
    Join Date
    Sep 2011
    Posts
    61
    Thanks
    9
    Thanked 1 Time in 1 Post
    Quote Originally Posted by Fou-Lu View Post
    If the steam API provides it, you can retrieve it. In PHP, this has to be either a string or binary string. PHP doesn't support unsigned integers, so even if you have an x64 build PHP, the numbers will not make sense. As a string though, you can parse it as a number, but typically speaking you cannot manipulate it (you can treat it as a string with [s]printf and provide a hex or unsigned long output). You can break it into parts and do manual calculations of course, but that's a lot more work than a simple +.
    Well, thats not exactly what I mean.
    I randomly stumbled upon the link I should use to redirect to the login page, however when users click login and are sent back to me, their steam id is sent to me via the get method. The steamid lies in an index called openid.identity but if i use var_dump on it, it just returns null... I suppose this is some part of the object oriented PHP which I have been trying to understand for a long time without any further success.
    The 64 bit key is a string, and since it's specifically made for use with PHP, ASP and JScript, I suppose it should also work.
    Their documentation is not very descriptive though and I have never worked with objects or openid's before - and their documentation seems to assume you have done this before with another openid provider.
    Need help?
    I work with the following languages:
    HTML: Professional - PHP: Professional - Visual C#: Average - CSS: Average - ASP: Please don't hurt me! ;(
    Currently practicing: Visual C#

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Can you post an example of the URL itself? You can use 0's for the id's, I'm assuming we're looking at probably a guid anyway.
    As well, can you show what you are meaning by accessing it? This sounds like you may have something that's specific to the steam api, a provided class of some sorts, which may be incorrectly used. Are you sure the class want to work via GET, and not something like curl?

  • #5
    New Coder
    Join Date
    Sep 2011
    Posts
    61
    Thanks
    9
    Thanked 1 Time in 1 Post
    Quote Originally Posted by Fou-Lu View Post
    Can you post an example of the URL itself? You can use 0's for the id's, I'm assuming we're looking at probably a guid anyway.
    As well, can you show what you are meaning by accessing it? This sounds like you may have something that's specific to the steam api, a provided class of some sorts, which may be incorrectly used. Are you sure the class want to work via GET, and not something like curl?
    1. By accessing - I mean being able to store the login so I can make sure the user is authenticated when he/she is using my website

    2. When I complete logging in, I am sent to my own website with this URL:
    Code:
    http://sv2.zeroyear.net/gmod/applications/index.php?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Flogin&openid.claimed_id=http%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197999640847&openid.identity=http%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197999640847&openid.return_to=http%3A%2F%2Fsv2.zeroyear.net%2Fgmod%2Fapplications&openid.response_nonce=2011-11-15T22%3A05%3A32ZEAkBgdDHokZ6yVQLbh%2FzGv6wheY%3D&openid.assoc_handle=1234567890&openid.signed=signed%2Cop_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=mdAq6kLGyUN%2B8h7eFlkVR7EZaJg%3D
    The variable it should return (As MY user) would be http://steamcommunity/openid/id/76561197999640847 as it appears in their documentation.
    Quote Originally Posted by Documentation
    Steam can act as an OpenID provider. [...] use http://steamcommunity.com/openid as the provider. The returned Claimed ID will contain the user's 64-bit SteamID. The Claimed ID format is: http://steamcommunity.com/openid/id/<steamid>
    The 64-bit key would then be "76561197999640847"

    EDIT: Also the ID's are publicly available and are used to access members' profile pages - so it doesn't matter to me anyway
    I just need it in order to know which player to display and use information from.
    What I am actually building is a system where you nominate another person (And only once pr. profile, profile also needs to have the appropriate game to prevent multiple accounts) - and it would be easier to just use Steam, as my site is not interesting to people who don't have a Steam account anyway.
    The Steam API allows me to check which games they have purchased. If their profile is marked as private, they simply just have to make it publicly available for a short while - otherwise they will just be rejected and told to publish their profile, perhaps removing harmful content if any.
    Last edited by Time Sheep; 11-15-2011 at 10:17 PM.
    Need help?
    I work with the following languages:
    HTML: Professional - PHP: Professional - Visual C#: Average - CSS: Average - ASP: Please don't hurt me! ;(
    Currently practicing: Visual C#

  • #6
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    By access, I meant what are you doing to access the returned value.
    I don't think I'll need it though. Just noticed these are . separated. PHP does not allow . within their variable names, and are replaced with _ instead. So you should be able to retrieve that url under $_GET['openid_claimed_id']. To pull the part out, just use parse_url() to pull the parts or use explode to separate the bits.

  • Users who have thanked Fou-Lu for this post:

    Time Sheep (11-15-2011)

  • #7
    New Coder
    Join Date
    Sep 2011
    Posts
    61
    Thanks
    9
    Thanked 1 Time in 1 Post
    Okay, so one last thing...
    What can I then do in order to prevent people from just taking the URL and enter another 64-bit key?
    As I said, those are publicly available, and people could then log into other people's accounts without the password...
    If people enter an URL, is the referer then null, or the page they were on when they pressed enter?
    Need help?
    I work with the following languages:
    HTML: Professional - PHP: Professional - Visual C#: Average - CSS: Average - ASP: Please don't hurt me! ;(
    Currently practicing: Visual C#

  • #8
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Quote Originally Posted by Time Sheep View Post
    Okay, so one last thing...
    What can I then do in order to prevent people from just taking the URL and enter another 64-bit key?
    As I said, those are publicly available, and people could then log into other people's accounts without the password...
    If people enter an URL, is the referer then null, or the page they were on when they pressed enter?
    Does the returned result change upon logging in again? If so, that's simply a session identifier. If it doesn't change, and just accessing it provides authentication, they have themselves a serious security flaw (which I can't see being the case). Something screams that you are missing something though, you should have a handling library of some sorts that does all the heavy work for you and the returned results should be contacting a specific handle on your site.

  • #9
    New Coder
    Join Date
    Sep 2011
    Posts
    61
    Thanks
    9
    Thanked 1 Time in 1 Post
    Quote Originally Posted by Fou-Lu View Post
    Does the returned result change upon logging in again? If so, that's simply a session identifier. If it doesn't change, and just accessing it provides authentication, they have themselves a serious security flaw (which I can't see being the case). Something screams that you are missing something though, you should have a handling library of some sorts that does all the heavy work for you and the returned results should be contacting a specific handle on your site.
    I _think_ that the value called something with once is a session identifier... I didn't manage to pull this trick on another site at least.
    Yes, I installed an openid library, however I don't know how it works, how to use it, and what it can do...
    This one exactly, the PHP5 version: http://www.openidenabled.com/php-openid/
    Need help?
    I work with the following languages:
    HTML: Professional - PHP: Professional - Visual C#: Average - CSS: Average - ASP: Please don't hurt me! ;(
    Currently practicing: Visual C#

  • #10
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    I think you'll need to jump through the documentation examples there to determine exactly what you need to do. I'm afraid I've never used the library, so I cannot write any examples for you.

  • #11
    New Coder
    Join Date
    Sep 2011
    Posts
    61
    Thanks
    9
    Thanked 1 Time in 1 Post
    Quote Originally Posted by Fou-Lu View Post
    I think you'll need to jump through the documentation examples there to determine exactly what you need to do. I'm afraid I've never used the library, so I cannot write any examples for you.
    Well, I have already looked for one, however I cannot find any :/
    Have you ever used any other PHP compatible libraries that you can recommend? Including a link to it's documentation
    Need help?
    I work with the following languages:
    HTML: Professional - PHP: Professional - Visual C#: Average - CSS: Average - ASP: Please don't hurt me! ;(
    Currently practicing: Visual C#

  • #12
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Quote Originally Posted by Time Sheep View Post
    Well, I have already looked for one, however I cannot find any :/
    Have you ever used any other PHP compatible libraries that you can recommend? Including a link to it's documentation
    No, I've always just written anything I needed to match a created API instead. The only times I've needed to do this was controlled by both sides, so I wrote an API in php to provide web access to game extensions wrote in lua.

  • #13
    New Coder
    Join Date
    Sep 2011
    Posts
    61
    Thanks
    9
    Thanked 1 Time in 1 Post
    But shouldn't it be fine to just store the ID in the $_SESSION array?
    Need help?
    I work with the following languages:
    HTML: Professional - PHP: Professional - Visual C#: Average - CSS: Average - ASP: Please don't hurt me! ;(
    Currently practicing: Visual C#

  • #14
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Quote Originally Posted by Time Sheep View Post
    But shouldn't it be fine to just store the ID in the $_SESSION array?
    I would say so yes. No matter what, when it comes to external communication you can only do so much to protect it. There are other alternatives such as CURL that lets you do this in the background, but that may depend on their TOS if you are allowed to use it (as it can intercept username and password combinations).
    If it is just a session identifier, then your goal should simply be to remove it from the url so the user cannot copy and paste it into something for everyone else to see. If you provide a return page that detects this data then stores it as a session with an immediate redirect, that should limit most of the chance of copying it out (though not eliminate it of course). I'd check the steam forums as well, there may be people with questions and examples of steam specific usage too.

  • #15
    New Coder
    Join Date
    Sep 2011
    Posts
    61
    Thanks
    9
    Thanked 1 Time in 1 Post
    Quote Originally Posted by Fou-Lu View Post
    I would say so yes. No matter what, when it comes to external communication you can only do so much to protect it. There are other alternatives such as CURL that lets you do this in the background, but that may depend on their TOS if you are allowed to use it (as it can intercept username and password combinations).
    If it is just a session identifier, then your goal should simply be to remove it from the url so the user cannot copy and paste it into something for everyone else to see. If you provide a return page that detects this data then stores it as a session with an immediate redirect, that should limit most of the chance of copying it out (though not eliminate it of course). I'd check the steam forums as well, there may be people with questions and examples of steam specific usage too.
    Which brings me to something I was about to ask someone about yesterday but forgot.
    header("Location: http://www.example.com/") needs to be sent before any information is sent... It never works for me however. Not even if I put it in the <head> block of my HTML...
    Need help?
    I work with the following languages:
    HTML: Professional - PHP: Professional - Visual C#: Average - CSS: Average - ASP: Please don't hurt me! ;(
    Currently practicing: Visual C#


  •  
    Page 1 of 2 12 LastLast

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •