Move Poidsy website to gh-pages

changelog.html

@@ -0,0 +1,165 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>Poidsy - A PHP OpenID Consumer - Changelog</title>
+  <link rel="stylesheet" href="style.css" type="text/css">
+ </head>
+ <body>
+  <h1><img src="openid.png" alt="OpenID logo"> Poidsy <small>A PHP OpenID Consumer</small></h1>
+  <ul id="menu">
+   <li><a href="index.html">Home</a></li>
+   <li><a href="instructions.html">Instructions</a></li>
+   <li><a href="changelog.html">Changelog</a></li>
+  </ul>
+  <div class="left">
+   <h2 class="first">Changelog</h2>
+   <h3 id="6">0.6 &rarr; 0.7</h3>
+   <ul>
+    <li>Disable logging by default</li>
+    <li>Fix error when logging from within methods which take objects or arrays as arguments (thanks to Erik Johnson for the bug report)</li>
+    <li>Fix incorrect detection of HTTPS in some cases (thanks to Liam for the bug report)</li>
+    <li>Fixed a potential timer attack vulnerability</li>
+    <li>Fixed errors when handling a revocation (thanks to Daniele Venzano for the bug report)</li>
+   </ul>
+   <h3 id="5">0.5 &rarr; 0.6</h3>
+   <ul>
+    <li>After a successful login, the 'brute force' counter is now reduced by one</li>
+    <li>Added logging functionality to assist in debugging</li>
+    <li>Change "gmail.com" to full URL in basic example, as XRDS discovery only seems to work on the latter now</li>
+    <li>Fixed problem where claimed ID/identity/delegate were being set the wrong way around, causing incompatibility with some providers such as signon.com (thanks to Huma Javed for the bug report)</li>
+    <li>Added check for allow_url_fopen to test.php (thanks to Lyceuhns for bringing this up)</li>
+    <li>Discoverer now correctly handles &lt;link/&gt; elements that contain multiple entries in their 'rel' attributes</li>
+    <li>Discoverer now takes redirections into account when performing Yadis discovery, fixes compatibility with signon.com</li>
+    <li>Discoverer now allows html discovery when checking an identity provided by an OP, fixes compatibility with flickr.com</li>
+    <li>Responses from IdPs sent with HTTP error codes are now still processed by Poidsy</li>
+    <li>Poidsy now supports IdPs saying they don't support a certain association or session type, and will try to accomodate them</li>
+    <li>Poidsy now correctly validates the return_to URL provided by IdPs</li>
+    <li>Fix potential bug when using Poidsy over HTTPS on a port other than 80</li>
+    <li>Poidsy now correctly validates the claimed_id (OpenID 2.0) or identity (OpenID 1.1) returned by IdPs</li>
+    <li>Decoupled simple registration extension &mdash; to use this you must now include <tt>sreg.ext.php</tt> before including Poidsy's processor</li>
+    <li>Repurposed <tt>SREG_*</tt> constants so they can be used when defining <tt>OPENID_SREG_*</tt> settings</li>
+    <li>Added support for Attribute Exchange extension</li>
+   </ul>
+   <h3 id="4">0.4 &rarr; 0.5</h3>
+   <ul>
+    <li>Diffie-Hellman encrypted keys are now decrypted when they're received, rather than every time that they're used</li>
+    <li>Fixed the Discoverer raising E_NOTICE errors in some cases</li>
+    <li>Documented all methods of the KeyManager class</li>
+    <li>Further refactoring and tidying of request processor</li>
+    <li>Renamed some methods of the KeyManager class to use better terminology</li>
+    <li>The trust_root URL will now be truncated to contain the return_to URL (thanks to Bernd Eckenfels for the bug report)</li>
+    <li>Added support for Yadis discovery</li>
+    <li>Fixed E_NOTICE errors when receiving SREG information</li>
+    <li>Clarify reasons why checkid_immediate might not work properly in the JavaScript example</li>
+    <li>Added support for sending the correct OpenID 2.0 namespace parameter when discovery indicates the end point supports 2.0</li>
+    <li>Fixed E_NOTICE errors when POSTing to an URL failed for any reason</li>
+    <li>Requests to OpenID 2.0 end points now send openid.realm not openid.trust_root</li>
+    <li>Support for OpenID 2.0 identifier selection</li>
+    <li>OpenID 1.x requests no longer send an openid.ns parameter (fixes errors when using Blogger accounts)</li>
+    <li>Added Google and Yahoo shortcuts to the basic example</li>
+    <li>The discovery agent now tracks all servers and services it's told about</li>
+   </ul>
+   <h3 id="3">0.3 &rarr; 0.4</h3>
+   <ul>
+    <li>Added support for HMAC-SHA256 association type</li>
+    <li>The processor will now accept $_POST['openid_identifier'] if $_POST['openid_url'] is not set (and OPENID_URL is not defined)</li>
+    <li>Added support for discovery via openid2.provider and openid2.local_id links</li>
+    <li>Abstracted dumb authorisation procedure into KeyManager</li>
+    <li>Removed autherror error code (all authorisation errors are now "noauth")</li>
+    <li>Messages instructing Poidsy to invalidate an association handle are now 
+    authenticated with the provider before the handle is actually invalidated.</li>
+    <li>Poidsy now sends the openid.claimed_id argument to identity providers</li>
+    <li>Changed the behaviour of OPENID_IMMEDIATE. If the constant is defined, 
+    an immediate request will be attempted first (as before). If the constant is
+    true, then Poidsy will fail if the provider requires setup (for use in
+    "AJAX"-like applications). If the constant is false, Poidsy will continue
+    on to a setup request as it did in 0.2 and earlier.</li>
+    <li>Fix bug in discovery engine which could be used to authenticate illegal,
+    fake identifiers.</li>
+    <li>Add support for Diffie-Hellman key exchange (DH-SHA1 and DH-SHA256 session types)</li>
+    <li>Fixed wrong session_type being sent due to misreading of the specs</li>
+    <li>Refactoring and general tidying of the main request processor</li>
+   </ul>
+   <h3 id="2">0.2 &rarr; 0.3</h3>
+   <ul>
+    <li>Added support for the Simple Registration Extension</li>
+    <li>Updated demo to request and display SREG fields</li>
+    <li>Added keymanager library and keycache file</li>
+    <li>Poidsy now supports associate mode, and uses it by default</li>
+    <li>Added compatibility test script</li>
+    <li>Poidsy now passes openid.ns in all requests</li>
+    <li>Poidsy will no longer send an initial checkid_immediate request unless
+    OPENID_IMMEDIATE is defined</li>
+    <li>Moved the demo.php file into examples/basic/</li>
+    <li>Poidsy now always passes the trust_root argument as some providers break
+    without it. By default it is sent as the current URL, but can be overridden
+    using the OPENID_TRUSTROOT constant</li>
+    <li>HTML entities are now handled properly when discovering identity provider
+    URLs</li>
+    <li>The URL normaliser has been improved to prevent people expressing the same
+    identity in multiple ways. Changes include:
+     <ul>
+      <li>Usernames (and passwords) are now stripped unless OPENID_ALLOWUSER is set</li>
+      <li>Queries are now stripped unless OPENID_ALLOWQUERY is set</li>
+      <li>Empty and default ports are now stripped</li>
+      <li>Trailing full stops are now stripped from domain names</li>
+      <li>/./ and /../ in paths are now collapsed</li>
+     </ul>
+    </li>
+    <li>Added a new example that uses JavaScript and a hidden iframe</li>
+    <li>Added error codes &mdash; whenever an error is encountered
+    $_SESSION['openid']['errorcode'] is now populated with a short string
+    identifying the problem. This is to allow implementors to perform different
+    actions on certain errors, or to localise the error messages.</li>
+    <li>Fixed minor bug in URL builder that lead to an extra ampersand in URLs
+    in some cases</li>
+    <li>The discovery engine can now specify the version of the data it has recovered</li>
+   </ul>
+   <h3 id="1">0.1 &rarr; 0.2</h3>
+   <ul>
+    <li>Added version and link to the top of the license header in each file</li>
+    <li>The processor now catches exceptions thrown by the discovery agent</li>
+    <li>The processor now catches exceptions thrown when trying to POST data to
+    the provider</li>
+    <li>The identity returned by the identity provider is now checked against the
+    identity that poidsy was trying to validate</li>
+    <li>The processor no longer requires that openid_url be present in $_REQUEST
+    as well as $_POST</li>
+    <li>The URL can now be passed to the processor using the OPENID_URL constant,
+    instead of as a POST var</li>
+    <li>Wrapped most lines in processor.php to be less than 80 characters long</li>
+    <li>Added lots of comments to the demonstration consumer explaining what's happening</li>
+    <li>Return URLs now have a 'nonce' added to them that's checked against the
+    user's session. This prevents request replay attacks.</li>
+    <li>Improved detection of the URL that user should be redirected to. Poidsy
+    now preserves all non-OpenID GET arguments.</li>
+    <li>Added throttling to prevent malicious users from using Poidsy to launch
+    a DoS attack against a remote site.</li>
+    <li>Poidsy is now aware of HTTP redirects when trying to discover the OpenID
+    server, and updates the identity accordingly. This prevents people from
+    "stealing" URLs that redirect to their own site</li>
+    <li>The URL normaliser now adds a trailing forward-slash if one isn't included</li>
+   </ul>
+  </div>
+  <div class="right">
+   <h2 class="first">Contents</h2>
+   <ul>
+    <li><a href="#1">0.1 &rarr; 0.2</a></li>
+    <li><a href="#2">0.2 &rarr; 0.3</a></li>
+    <li><a href="#3">0.3 &rarr; 0.4</a></li>
+    <li><a href="#4">0.4 &rarr; 0.5</a></li>
+    <li><a href="#5">0.5 &rarr; 0.6</a></li>
+    <li><a href="#6">0.6 &rarr; 0.7</a></li>
+   </ul>
+   <h2>Downloads</h2>
+   <ul>
+    <li><a href="poidsy-0.6.tgz">poidsy-0.6.tgz</a> (23K)</li>
+    <li><a href="poidsy-0.5.tgz">poidsy-0.5.tgz</a> (18K)</li>
+    <li><a href="poidsy-0.4.tgz">poidsy-0.4.tgz</a> (14K)</li>
+    <li><a href="poidsy-0.3.tgz">poidsy-0.3.tgz</a> (9.9K)</li>
+    <li><a href="poidsy-0.2.tgz">poidsy-0.2.tgz</a> (5.7K)</li>
+    <li><a href="poidsy-0.1.tgz">poidsy-0.1.tgz</a> (3.9K)</li>
+   </ul>
+  </div>
+ </body>
+</html>

index.html

@@ -0,0 +1,65 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>Poidsy - A PHP OpenID Consumer</title>
+  <link rel="stylesheet" href="style.css" type="text/css">
+ </head>
+ <body>
+  <h1><img src="openid.png" alt="OpenID logo"> Poidsy <small>A PHP OpenID Consumer</small></h1>
+  <ul id="menu">
+   <li><a href="index.html">Home</a></li>
+   <li><a href="instructions.html">Instructions</a></li>
+   <li><a href="changelog.html">Changelog</a></li>
+  </ul>
+  <div class="left">
+  <h2 class="first">Background</h2>
+  <p>
+   <em>Poidsy</em> is a set of PHP scripts
+   that serve as an OpenID consumer. OpenID consumers allow users to authenticate
+   themselves with an OpenID identifier. For more information about OpenID, see
+   <a href="http://openid.net/">openid.net</a>.
+  </p>
+  <p>
+   At the time of writing, there were several consumer "libraries" available
+   for PHP developers. From what I saw of them, they all exposed far too much
+   of the OpenID logic to the implementor for my liking &mdash; you pretty much
+   needed to build your own consumer using their libraries, rather than simply
+   using a pre-made one.
+  </p>
+  <h2>Use it</h2>
+  <p>
+   The current version of Poidsy is <em>0.6</em>. At this stage, Poidsy has
+   support for both OpenID 1.x and 2.x, as well as a couple of extensions
+   to those. If you encounter any providers that do not work with
+   Poidsy, please <a href="http://chris.smith.name/">contact me</a>.
+  </p>
+  <p>
+   You can download the consumer here:
+   <a href="poidsy-0.6.tgz">poidsy-0.6.tgz</a> (18KB) | <a href="changelog.html">Changelog</a>
+  </p>
+  <p><a href="instructions.html">Instructions</a> for integrating Poidsy with an
+     existing login script are available.</p>
+  </div>
+  <div class="right">
+  <h2 class="first">Feedback</h2>
+  <p>
+   If you're using Poidsy (or are trying to but are having
+   problems) then I'd love to hear from you. My contact details can be found
+   on my <a href="http://chris.smith.name/" rel="me">personal website</a>.
+  </p>
+  <h2>Sites</h2>
+  <p>
+   The following sites allow OpenID authentication using Poidsy:
+  </p>
+  <ul>
+   <li><a href="http://apsps.MD87.co.uk/quotes/">Quote DB</a></li>
+   <li><a href="http://addons.dmdirc.com/">DMDirc addons site</a></li>
+   <li><a href="http://www.zipplet.co.uk/">Zipplet's Stuff</a> *</li>
+   <li><a href="http://home.dataforce.org.uk/">Home.Dataforce.org.uk</a> *</li>
+  </ul>
+  <div id="footnote">
+   * via a third-party <abbr title="single sign on">sso</abbr> service
+  </div>
+  </div>
+ </body>
+</html>

instructions.html

@@ -0,0 +1,328 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>Poidsy - A PHP OpenID Consumer</title>
+  <link rel="stylesheet" href="style.css" type="text/css">
+  <link href="prettify.css" type="text/css" rel="stylesheet">
+  <script type="text/javascript" src="prettify.js"></script>
+ </head>
+ <body onLoad="prettyPrint();">
+  <h1><img src="openid.png" alt="OpenID logo"> Poidsy <small>A PHP OpenID Consumer</small></h1>
+  <ul id="menu">
+   <li><a href="index.html">Home</a></li>
+   <li><a href="instructions.html">Instructions</a></li>
+   <li><a href="changelog.html">Changelog</a></li>
+  </ul>
+  <div class="left">
+   <h2 class="first">Background Information</h2>
+   <p>
+    Poidsy is designed to be both easy to use and easy to integrate with
+    existing systems. This document explains the developer's interface to
+    Poidsy, and works through modifying a basic authentication script
+    to accept OpenID logins with Poidsy.
+   </p>
+   <h3>Requirements</h3>
+   <p>
+    Before you begin using Poidsy, you need to check that your environment
+    is supported. The easiest way to do this is to download a release of
+    Poidsy, and view the included test.php file in your web browser. This will
+    tell you about any problems it has encountered, and what will/will not work
+    as a result.
+   </p>
+   <h3>How it works</h3>
+   <p>
+    The bulk of the work done by Poidsy is done by the <code>processor.php</code>
+    script. This is the file that you will be including into your login page.
+   </p>
+   <p>
+    The processor is designed to be invoked in response to a form submission.
+    At present (version 0.1), it requires that <code>$_POST['openid_url']</code> is set to
+    the user-supplied identifier.
+   </p>
+   <p>
+    Once the processor has finished authenticating (or rejecting) the user's
+    identifier, it will supply the details in a session variable. Thus, to
+    actually make use of Poidsy's results, you will need to call
+    <code>session_start()</code> on your login page (if you're not already).
+   </p>
+   <p>
+    While Poidsy is authenticating an identifier, the user may be redirected
+    between the login page and their identity provider a number of times.
+    Whenever the user is redirected to the login page during this process,
+    the <code>openid.mode</code> parameter will be present.
+   </p>
+   <h2>Adding OpenID support to an existing login form</h2>
+   <p>
+    This example will walk through adding Poidsy to an existing login form.
+    The system we'll be modifying currently deals with usernames and passwords.
+    It is assumed that the Poidsy files are extracted to a <code>poidsy</code>
+    directory in the same directory as the login file.
+   </p>
+   <p>
+    The example code that we'll be modifying is included below. For the sake
+    of brevity, the specific logic of finding users, checking passwords, and
+    actually logging them in is abstracted away.
+   </p>
+<code class="prettyprint"> &lt;?PHP
+
+ if (isset($_POST['user']) &amp;&amp; isset($_POST['pass'])) {
+  if (passwordMatches($_POST['user'], hashPassword($_POST['pass']))) {
+   setUser($_POST['user']);
+   redirectAndExit();
+  } else {
+   define('ERROR', 'Invalid username/password combination');
+  }
+ }
+
+ if (defined('ERROR')) {
+  echo '&lt;div class="error"&gt;ERROR: ', htmlentities(ERROR), '&lt;/div&gt;';
+ }
+
+?&gt;
+&lt;p&gt;Enter your details below to login:&lt;/p&gt;
+&lt;form action="login.php" method="post"&gt;
+ &lt;label&gt;Username: &lt;input type="text" name="user"&gt;&lt;/label&gt;
+ &lt;label&gt;Password: &lt;input type="password" name="pass"&gt;&lt;/label&gt;
+ &lt;input type="submit" value="Login"&gt;
+&lt;/form&gt;
+</code>
+   <h3>Step 1: Adding a new form</h3>
+   <p>
+    The first step is to provide users with a second form to enter their
+    OpenID identifier in. It's good practice to include a little OpenID
+    logo in the input field, so users can instantly see that it's for an
+    OpenID identifier. Poidsy handily comes with such a logo.
+   </p>
+   <p>
+    The following code is added below the existing form:
+   </p>
+<code class="prettyprint">&lt;p&gt;Alternatively, login using an OpenID identifier:&lt;/p&gt;
+&lt;form action="login.php" method="post"&gt;
+ &lt;input type="text" name="openid_url"
+        style="background-image: url('poidsy/openid.gif') no-repeat;
+               padding-left: 20px;"&gt;
+ &lt;input type="submit" value="Login"&gt;
+&lt;/form&gt;
+</code>
+   <h3>Step 2: Starting a session</h3>
+   <p>
+    As described above, Poidsy uses sessions to track data and return its
+    results. As our login form currently doesn't use sessions, we need to
+    add a call to <code>session_start();</code> before we'll be using
+    Poidsy or its results.
+   </p>
+   <p>
+    The session start code therefore needs to be added before the main if statement.
+   </p>
+<code class="prettyprint"><span style="opacity: 0.5;">&lt;?PHP</span>
+
+ session_start();
+
+<span style="opacity: 0.5;"> if (isset($_POST['user']) &amp;&amp; isset($_POST['pass'])) {</span>
+</code>
+   <h3>Step 3: Including the processor</h3>
+   <p>
+    The next step is to include Poidsy's processor when there's processing to be
+    done. This is either when the user has just submitted the OpenID form, or
+    when they've been redirected back from their provider during the
+    authentication process.
+   </p>
+   <p>
+    We prepend the following conditions to the start of the if statement to
+    include the processor when neccessary. Note that PHP translates the
+    openid.mode argument to openid_mode.
+   </p>
+<code class="prettyprint"><span style="opacity: 0.5;"> session_start(); </span>
+
+ if (isset($_POST['openid_url']) || isset($_REQUEST['openid_mode'])) {
+
+  // OpenID login attempt
+  require('poidsy/processor.php');
+
+ } else <span style="opacity: 0.5;">if (isset($_POST['user']) &amp;&amp; isset($_POST['pass'])) {</span>
+</code>
+   <h3>Step 4: Handling errors</h3>
+   <p>
+    Just like normal login attempts, OpenID authentications can fail for a
+    variety of reasons (such as the identifier not being a valid OpenID
+    endpoint, or the provide refusing to authenticate the client), so we
+    need to handle errors and display them to the user.
+   </p>
+   <p>
+    If an error is encountered, Poidsy will have set the
+    <code>$_SESSION['openid']['error']</code> variable with a description
+    of the problem. We simply check for this and pass it on to the user:
+   </p>
+<code class="prettyprint"><span style="opacity:0.5;">require('poidsy/processor.php');</span>
+
+ } else if (isset($_SESSION['openid']['error'])) {
+
+  // Failed OpenID login attempt
+  define('ERROR', $_SESSION['openid']['error']);
+  unset($_SESSION['openid']['error']);
+
+ <span style="opacity: 0.5;">} else if (isset($_POST['user']) &amp;&amp; isset($_POST['pass'])) {</span>
+</code>
+   <h3>Step 5: Handling success</h3>
+   <p>
+    The final thing to do is to handle the case when a user has successfully
+    authenticated themselves using an OpenID identifier. In a typical
+    environment this will be a two-step process: creating a new account for
+    the user if they haven't previously logged in, and then logging the user
+    in to their account.
+   </p>
+   <p>
+    The following code adds another branch to our if statement:
+   </p>
+<code class="prettyprint"><span style="opacity:0.5;">unset($_SESSION['openid']['error']);</span>
+
+ } else if (isset($_SESSION['openid']['validated']) &amp;&amp; $_SESSION['openid']['validated']) {
+
+  // OpenID authentication successful
+
+  if (!isAccount($_SESSION['openid']['identity'])) {
+
+   // Create an account if they need one, using a fake
+   // password hash so users can't login normally
+   createAccount($_SESSION['openid']['identity'], 'invalid'):
+
+  }
+
+  setUser($_SESSION['openid']['identity']);
+  unset($_SESSION['openid']['validated']);
+  redirectAndExit();
+
+ <span style="opacity: 0.5;">} else if (isset($_POST['user']) &amp;&amp; isset($_POST['pass'])) {</span>
+</code>
+   <h2>Summary</h2>
+   <p>
+    Hopefully this document has given you a sense of how to use Poidsy.
+    It is designed to work transparently with your existing applications,
+    and as demonstrated above can be integrated in five simple steps.
+   </p>
+   <p>
+    Note that, of course, how you implement Poidsy very much depends on
+    your existing system and your requirements. If you are going to switch
+    to using just OpenID, there is obviously no need to deal with
+    password hashes as was done in this example, and you could in fact
+    not use a backend database at all for your users &mdash; just rely on
+    Poidsy to populate the $_SESSION['openid'] array.
+   </p>
+  </div>
+  <div class="right">
+  <h2 class="first">Feedback</h2>
+  <p>
+   If you're using Poidsy (or are trying to but are having
+   problems) then I'd love to hear from you. My contact details can be found
+   on my <a href="http://chris.smith.name/" rel="me">personal website</a>.
+  </p>
+  <h2>Constant reference</h2>
+  <p>
+   You can define a set of constants to control the behaviour of
+   Poidsy. These should be defined before the processor is included.
+  </p>
+  <p class="asof">From Poidsy 0.1:</p>
+  <dl>
+   <dt>OPENID_URL</dt>
+   <dd>
+    The user-supplied OpenID URL to validate. This should only be specified
+    for the initial request (not any subsequent redirects where openid.mode is
+    set). If not provided, Poidsy will use the value of $_POST['openid_url'] if it exists
+   </dd>
+  </dl>
+  <p class="asof">From Poidsy 0.2:</p>
+  <dl>
+   <dt>OPENID_THROTTLE_NUM</dt>
+   <dd>
+    The maximum number of requests to allow before throttling a user.
+    Default value is 3.
+   </dd>
+   <dt>OPENID_THROTTLE_GAP</dt>
+   <dd>
+    The number of seconds that have to ellapse between requests before the
+    user's counter is reset. Default value is 30.
+   </dd>
+  </dl>
+  <p class="asof">From Poidsy 0.3:</p>
+  <dl>
+   <dt>OPENID_SREG_REQUEST</dt>
+   <dd>
+    A comma-separated list of fields to request from the user via the simple
+    registration extension. Use of this constant implies that the user will
+    be required to manually input the data if their provider doesn't supply it.
+   </dd>
+   <dt>OPENID_SREG_OPTIONAL</dt>
+   <dd>
+    A comma-separated list of fields that the user's provider may provide, but
+    aren't required by the application.
+   </dd>
+   <dt>OPENID_SREG_POLICY</dt>
+   <dd>
+    An URL for a document that describes how the data requested using SREG is
+    going to be used.
+   </dd>
+   <dt>OPENID_NOKEYMANAGER</dt>
+   <dd>
+    Stops Poidsy using its key manager, forcing it to use dumb mode instead.
+    The value of the constant is irrelevant, only whether it is defined or not.
+   </dd>
+   <dt>OPENID_IMMEDIATE</dt>
+   <dd>
+    Forces Poidsy to try an openid_immediate request first. If not defined,
+    Poidsy will send an openid_setup request, which allows the identity provider
+    to interact with the user.</dd><dd>As of 0.4, if this is set to <code>true</code>,
+    Poidsy will error if the provider requires interaction, otherwise Poidsy
+    will send a setup request. Previous behaviour always errored.
+   </dd>
+   <dt>OPENID_TRUSTROOT</dt>
+   <dd>
+    The trust root to send to providers. Used to tell users what site they're
+    logging into. Should be a fully qualified URL that encompasses the URL of
+    the login script. Defaults to the current URL. </dd><dd>As of 0.5, this may 
+    be truncated in order to ensure it is above the return_to URL.
+   </dd>
+   <dt>OPENID_ALLOWUSER</dt>
+   <dd>
+    If defined, allows usernames (and passwords) in identity URLs. These are
+    stripped by default to prevent users using the same identity with multiple
+    (bogus, unused) usernames.
+   </dd>
+   <dt>OPENID_ALLOWQUERY</dt>
+   <dd>
+    If defined, allows queries (the part of the URL after the "?" character) in
+    identity URLs. These are stripped by default to prevent users from using
+    the same identity with multiple (unused) query strings.
+   </dd>
+  </dl>
+  <h2>Error codes</h2>
+  <p>
+   As of Poidsy 0.3, each error has an associated errorcode that defines
+   the type of error. These error codes are:
+  </p>
+  <dl>
+   <dt style="text-decoration: line-through;">autherror</dt>
+   <dd>Error when trying to POST data to authenticate a request in dumb mode, probably because the provider went down. Removed as of Poidsy 0.4.</dd>
+   <dt>cancelled</dt>
+   <dd>The user or their identity provider cancelled the request for some reason</dd>
+   <dt>diffid</dt>
+   <dd>The provider validated a different identity to the one Poidsy requested. Indicates that the provider is probably broken.</dd>
+   <dt>diffreturnto</dt>
+   <dd>The provider gave a different return_to URL to the one the user arrived at</dd>
+   <dt>discovery</dt>
+   <dd>There was an error during discovery (site down, unsupported protocol, etc)</dd>
+   <dt>noauth</dt>
+   <dd>The signature of the provider's response didn't match the response. This could mean that something is broken, or that someone is trying one of a variety of attacks.</dd>
+   <dt>noimmediate</dt>
+   <dd>OPENID_IMMEDIATE was defined but the request couldn't be completed immediately</dd>
+   <dt>nonce</dt>
+   <dd>The nonce used by Poidsy didn't match what it was expecting. This normally means the user tried to go to an expired page, or someone was trying to perform a replay attack.</dd>
+   <dt>notvalid</dt>
+   <dd>The identity isn't valid (no openid.server link found)</dd>
+   <dt>perror</dt>
+   <dd>The provider returned an error at some stage</dd>
+   <dt>throttled</dt>
+   <dd>The user is being throttled by Poidsy. See the description of the OPENID_THROTTLE constants above.</dd>
+  </dl>
+  </div>
+ </body>
+</html>

prettify.css

@@ -0,0 +1,27 @@
+/* Pretty printing styles. Used with prettify.js. */
+
+.str { color: #080; }
+.kwd { color: #008; }
+.com { color: #800; }
+.typ { color: #606; }
+.lit { color: #066; }
+.pun { color: #660; }
+.pln { color: #000; }
+.tag { color: #008; }
+.atn { color: #606; }
+.atv { color: #080; }
+.dec { color: #606; }
+.prettyprint { display: block; padding: 2px; border: 1px solid #888; }
+
+@media print {
+  .str { color: #060; }
+  .kwd { color: #006; font-weight: bold; }
+  .com { color: #600; font-style: italic; }
+  .typ { color: #404; font-weight: bold; }
+  .lit { color: #044; }
+  .pun { color: #440; }
+  .pln { color: #000; }
+  .tag { color: #006; font-weight: bold; }
+  .atn { color: #404; }
+  .atv { color: #060; }
+}

prettify.js

@@ -0,0 +1,29 @@
+// See http://code.google.com/p/google-code-prettify/
+(function () { 
+var F={};(function(){var b=["abstract bool break case catch char class const const_cast continue default delete deprecated dllexport dllimport do double dynamic_cast else enum explicit extern false float for friend goto if inline int long mutable naked namespace new noinline noreturn nothrow novtable operator private property protected public register reinterpret_cast return selectany short signed sizeof static static_cast struct switch template this thread throw true try typedef typeid typename union unsigned using declaration, directive uuid virtual void volatile while typeof",
+"as base by byte checked decimal delegate descending event finally fixed foreach from group implicit in interface internal into is lock null object out override orderby params readonly ref sbyte sealed stackalloc string select uint ulong unchecked unsafe ushort var","package synchronized boolean implements import throws instanceof transient extends final strictfp native super","debugger export function with NaN Infinity","require sub unless until use elsif BEGIN END","and assert def del elif except exec global lambda not or pass print raise yield False True None",
+"then end begin rescue ensure module when undef next redo retry alias defined","done fi"];for(var c=0;c<b.length;c++){var a=b[c].split(" ");for(var d=0;d<a.length;d++){if(a[d]){F[a[d]]=true}}}}).call(this);function r(b,c){if(undefined===c){throw new Error("BAD");}if("number"!=typeof b){throw new Error("BAD");}this.end=b;this.style=c}r.prototype.toString=function(){return"[PR_TokenEnd "+this.end+(this.style?":"+this.style:"")+"]"};function q(b,c){if(undefined===c){throw new Error("BAD");}this.token=
+b;this.style=c}q.prototype.toString=function(){return"[PR_Token "+this.token+(this.style?":"+this.style:"")+"]"};function u(){this.next=0;this.ch="\u0000"}var J={lt:"<",gt:">",quot:'"',apos:"'",amp:"&"};u.prototype.decode=function(b,c){var a=c+1,d=b.charAt(c);if("&"===d){var f=b.indexOf(";",a);if(f>=0&&f<a+4){var h=b.substring(a,f),i=null;if(h.charAt(0)==="#"){var e=h.charAt(1),g;if(e==="x"||e==="X"){g=parseInt(h.substring(2),16)}else{g=parseInt(h.substring(1),10)}if(!isNaN(g)){i=String.fromCharCode(g)}}if(!i){i=
+J[h.toLowerCase()]}if(i){d=i;a=f+1}else{a=c+1;d="\u0000"}}}this.next=a;this.ch=d;return this.ch};function x(b){return b>="a"&&b<="z"||b>="A"&&b<="Z"}function z(b){return x(b)||b=="_"||b=="$"||b=="@"}function s(b){return"\t \r\n".indexOf(b)>=0}function w(b){return b>="0"&&b<="9"}function I(b){var c=0,a=b.length-1;while(c<=a&&s(b.charAt(c))){++c}while(a>c&&s(b.charAt(a))){--a}return b.substring(c,a+1)}function y(b,c){return b.length>=c.length&&c==b.substring(0,c.length)}function L(b,c){return b.length>=
+c.length&&c==b.substring(b.length-c.length,b.length)}function A(b,c,a){if(c<a.length){return false}for(var d=0,f=a.length;d<f;++d){if(a.charAt(d)!=b[d]){return false}}return true}function H(b){return b.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/\xa0/g,"&nbsp;")}function E(b){return"XMP"==b.tagName}var B=null;function N(b){if(null==B){var c=document.createElement("PRE");c.appendChild(document.createTextNode('<!DOCTYPE foo PUBLIC "foo bar">\n<foo />'));B=!/</.test(c.innerHTML)}if(B){var a=
+b.innerHTML;if(E(b)){a=H(a)}return a}var d=[];for(var f=b.firstChild;f;f=f.nextSibling){D(f,d)}return d.join("")}function D(b,c){switch(b.nodeType){case 1:var a=b.tagName.toLowerCase();c.push("<",a);for(var d=0;d<b.attributes.length;++d){var f=b.attributes[d];if(!f.specified){continue}c.push(" ");D(f,c)}c.push(">");for(var h=b.firstChild;h;h=h.nextSibling){D(h,c)}if(b.firstChild||!/^(?:br|link|img)$/.test(a)){c.push("</",a,">")}break;case 2:c.push(b.name.toLowerCase(),'="',b.value.replace(/&/g,"&amp;").replace(/</g,
+"&lt;").replace(/>/g,"&gt;").replace(/\"/g,"&quot;").replace(/\xa0/,"&nbsp;"),'"');break;case 3:case 4:c.push(H(b.nodeValue));break}}function M(b,c){var a=0,d=new u,f=[];for(var h=0;h<b.length;++h){var i=b[h];if(i.style==null){f.push(i);continue}var e=i.token,g=0,k=[];for(var l=0,j=e.length;l<j;l=d.next){d.decode(e,l);var o=d.ch;switch(o){case "\t":k.push(e.substring(g,l));var m=c-a%c;a+=m;for(;m>=0;m-="                ".length){k.push("                ".substring(0,m))}g=d.next;break;case "\n":case "\r":a=
+0;break;default:++a}}k.push(e.substring(g));f.push(new q(k.join(""),i.style))}return f}function K(b){var c=/(?:[^<]+|<\/?[a-zA-Z][^>]*>|<)/g,a=b.match(c),d=[];if(a){var f=null;for(var h=0,i=a.length;h<i;++h){var e=a[h],g;if(e.length<2||e.charAt(0)!=="<"){if(f&&f.style==="pln"){f.token+=e;continue}g="pln"}else{g=null}f=new q(e,g);d.push(f)}}return d}function G(b,c){var a=[],d=0,f=0,h=0,i=new q("",null);for(var e=0,g=c.length,k=0;e<g;++e){var l=c[e],j=l.end;if(j===k){continue}var o=j-f,m=i.token.length-
+h;while(m<=o){if(m>0){a.push(new q(i.token.substring(h,i.token.length),null==i.style?null:l.style))}f+=m;h=0;if(d<b.length){i=b[d++]}o=j-f;m=i.token.length-h}if(o){a.push(new q(i.token.substring(h,h+o),l.style));f+=o;h+=o}}return a}function R(b){var c=[],a=0,d=0,f=-1,h=new Array(12),i=0,e=null,g=new u;for(var k=0,l=b.length;k<l;++k){var j=b[k];if("pln"!=j.style){d+=j.token.length;continue}var o=j.token;for(var m=0,n=o.length;m<n;){g.decode(o,m);var p=g.ch,v=g.next,t=null;switch(a){case 0:if("<"==
+p){a=1}break;case 1:i=0;if("/"==p){a=7}else if(null==e){if("!"==p){a=2}else if(x(p)){a=8}else if("?"==p){a=9}else if("%"==p){a=11}else if("<"!=p){a=0}}else if("<"!=p){a=0}break;case 2:if("-"==p){a=4}else if(x(p)){a=3}else if("<"==p){a=1}else{a=0}break;case 3:if(">"==p){a=0;t="dec"}break;case 4:if("-"==p){a=5}break;case 5:if("-"==p){a=6}break;case 6:if(">"==p){a=0;t="com"}else if("-"==p){a=6}else{a=4}break;case 7:if(x(p)){a=8}else if("<"==p){a=1}else{a=0}break;case 8:if(">"==p){a=0;t="tag"}break;case 9:if("?"==
+p){a=10}break;case 10:if(">"==p){a=0;t="src"}else if("?"!=p){a=9}break;case 11:if("%"==p){a=12}break;case 12:if(">"==p){a=0;t="src"}else if("%"!=p){a=11}break}if(i<h.length){h[i++]=p.toLowerCase()}if(1==a){f=d+m}m=v;if(t!=null){if(null!=t){if(e){if(A(h,i,e)){e=null}}else{if(A(h,i,"script")){e="/script"}else if(A(h,i,"style")){e="/style"}else if(A(h,i,"xmp")){e="/xmp"}}if(e&&i&&"/"==h[0]){t=null}}if(null!=t){c.push(new r(f,"pln"));c.push(new r(d+v,t))}}}d+=j.token.length}c.push(new r(d,"pln"));return c}
+function V(b){var c=[],a=0,d=-1,f=0;for(var h=0,i=b.length;h<i;++h){var e=b[h],g=e.token;if("pln"==e.style){var k=new u,l=-1,j;for(var o=0,m=g.length;o<m;l=o,o=j){k.decode(g,o);var n=k.ch;j=k.next;if(0==a){if(n=='"'||n=="'"||n=="`"){c.push(new r(f+o,"pln"));a=1;d=n}else if(n=="/"){a=3}else if(n=="#"){c.push(new r(f+o,"pln"));a=4}}else if(1==a){if(n==d){a=0;c.push(new r(f+j,"str"))}else if(n=="\\"){a=2}}else if(2==a){a=1}else if(3==a){if(n=="/"){a=4;c.push(new r(f+l,"pln"))}else if(n=="*"){a=5;c.push(new r(f+
+l,"pln"))}else{a=0;j=o}}else if(4==a){if(n=="\r"||n=="\n"){a=0;c.push(new r(f+o,"com"))}}else if(5==a){if(n=="*"){a=6}}else if(6==a){if(n=="/"){a=0;c.push(new r(f+j,"com"))}else if(n!="*"){a=5}}}}f+=g.length}var p;switch(a){case 1:case 2:p="str";break;case 4:case 5:case 6:p="com";break;default:p="pln";break}c.push(new r(f,p));return G(b,c)}function S(b,c){var a=0,d=0,f=new u,h;for(var i=0;i<=b.length;i=h){if(i==b.length){g=-2;h=i+1}else{f.decode(b,i);h=f.next;var e=f.ch,g=d;switch(d){case 0:if(z(e)){g=
+1}else if(w(e)){g=2}else if(!s(e)){g=3}if(g&&a<i){var k=b.substring(a,i);c.push(new q(k,"pln"));a=i}break;case 1:if(!(z(e)||w(e))){g=-1}break;case 2:if(!(w(e)||x(e)||e=="_")){g=-1}break;case 3:if(z(e)||w(e)||s(e)){g=-1}break}}if(g!=d){if(g<0){if(i>a){var k=b.substring(a,i),l=new u;l.decode(k,0);var j=l.ch,o=l.next==k.length,m;if(z(j)){if(F[k]){m="kwd"}else if(j==="@"){m="lit"}else{var n=false;if(j>="A"&&j<="Z"){for(var p=l.next;p<k.length;p=l.next){l.decode(k,p);var v=l.ch;if(v>="a"&&v<="z"){n=true;
+break}}if(!n&&!o&&k.substring(k.length-2)=="_t"){n=true}}m=n?"typ":"pln"}}else if(w(j)){m="lit"}else if(!s(j)){m="pun"}else{m="pln"}a=i;c.push(new q(k,m))}d=0;if(g==-1){h=i;continue}}d=g}}}function X(b){if(!(b&&b.length)){return b}var c=R(b);return G(b,c)}function W(b){var c=[],a=0,d="tag",f=null,h=new u;for(var i=0;i<b.length;++i){var e=b[i];if("tag"==e.style){var g=e.token,k=0;for(var l=0;l<g.length;){h.decode(g,l);var j=h.ch,o=h.next,m=null,n=null;if(j==">"){if("tag"!=d){m=l;n="tag"}}else{switch(a){case 0:if("<"==
+j){a=1}break;case 1:if(s(j)){a=2}break;case 2:if(!s(j)){n="atn";m=l;a=3}break;case 3:if("="==j){m=l;n="tag";a=5}else if(s(j)){m=l;n="tag";a=4}break;case 4:if("="==j){a=5}else if(!s(j)){m=l;n="atn";a=3}break;case 5:if('"'==j||"'"==j){m=l;n="atv";a=6;f=j}else if(!s(j)){m=l;n="atv";a=7}break;case 6:if(j==f){m=o;n="tag";a=2}break;case 7:if(s(j)){m=l;n="tag";a=2}break}}if(m){if(m>k){c.push(new q(g.substring(k,m),d));k=m}d=n}l=o}if(g.length>k){c.push(new q(g.substring(k,g.length),d))}}else{if(e.style){a=
+0;d="tag"}c.push(e)}}return c}function U(b){var c=[],a=null,d=new u,f=null;for(var h=0,i=b.length;;++h){var e;if(h<i){e=b[h];if(null==e.style){b.push(e);continue}}else if(!a){break}else{e=new q("",null)}var g=e.token;if(null==a){if("src"==e.style){if("<"==d.decode(g,0)){d.decode(g,d.next);if("%"==d.ch||"?"==d.ch){a=d.ch;c.push(new q(g.substring(0,d.next),"tag"));g=g.substring(d.next,g.length)}}}else if("tag"==e.style){if("<"==d.decode(g,0)&&"/"!=g.charAt(d.next)){var k=g.substring(d.next).toLowerCase();
+if(y(k,"script")||y(k,"style")||y(k,"xmp")){a="/"}}}}if(null!=a){var l=null;if("src"==e.style){if(a=="%"||a=="?"){var j=g.lastIndexOf(a);if(j>=0&&">"==d.decode(g,j+1)&&g.length==d.next){l=new q(g.substring(j,g.length),"tag");g=g.substring(0,j)}}if(null==f){f=[]}f.push(new q(g,"pln"))}else if("pln"==e.style){if(null==f){f=[]}f.push(e)}else if("tag"==e.style){if("<"==d.decode(e.token,0)&&e.token.length>d.next&&"/"==d.decode(e.token,d.next)){l=e}else{c.push(e)}}else if(h>=i){l=e}else{if(f){f.push(e)}else{c.push(e)}}if(l){if(f){var o=
+C(f);c.push(new q("<span class=embsrc>",null));for(var m=0,n=o.length;m<n;++m){c.push(o[m])}c.push(new q("</span>",null));f=null}if(l.token){c.push(l)}a=null}}else{c.push(e)}}return c}function Q(b){var c=null,a=null;for(var d=0;d<b.length;++d){if("pln"==b[d].style){c=d;break}}for(var d=b.length;--d>=0;){if("pln"==b[d].style){a=d;break}}if(null==c){return b}var f=new u,h=b[c].token,i=f.decode(h,0);if('"'!=i&&"'"!=i){return b}var e=f.next,g=b[a].token,k=g.lastIndexOf("&");if(k<0){k=g.length-1}var l=
+f.decode(g,k);if(l!=i||f.next!=g.length){l=null;k=g.length}var j=[];for(var d=0;d<c;++d){j.push(b[d])}j.push(new q(h.substring(0,e),"atv"));if(a==c){j.push(new q(h.substring(e,k),"pln"))}else{j.push(new q(h.substring(e,h.length),"pln"));for(var d=c+1;d<a;++d){j.push(b[d])}if(l){b.push(new q(g.substring(0,k),"pln"))}else{b.push(b[a])}}if(l){j.push(new q(g.substring(k,g.length),"pln"))}for(var d=a+1;d<b.length;++d){j.push(b[d])}return j}function T(b){var c=[],a=null,d=false,f="";for(var h=0,i=b.length;h<
+i;++h){var e=b[h],g=c;if("tag"==e.style){if(d){d=false;f="";if(a){c.push(new q("<span class=embsrc>",null));var k=C(Q(a));for(var l=0,j=k.length;l<j;++l){c.push(k[l])}c.push(new q("</span>",null));a=null}}else if(f&&e.token.indexOf("=")>=0){var o=f.toLowerCase();if(y(o,"on")||"style"==o){d=true}}else{f=""}}else if("atn"==e.style){f+=e.token}else if("atv"==e.style){if(d){if(null==a){a=[]}g=a;e=new q(e.token,"pln")}}else{if(a){g=a}}g.push(e)}return c}function C(b){var c=V(b),a=[];for(var d=0;d<c.length;++d){var f=
+c[d];if("pln"===f.style){S(f.token,a);continue}a.push(f)}return a}function O(b){var c=X(b);c=W(c);c=U(c);c=T(c);return c}function P(b){var c=M(K(b),8),a=false;for(var d=0;d<c.length;++d){if("pln"==c[d].style){if(y(I(c[d].token),"&lt;")){for(var f=c.length;--f>=0;){if("pln"==c[f].style){a=L(I(c[f].token),"&gt;");break}}}break}}return a?O(c):C(c)}function Z(b){try{var c=P(b),a=[],d=null;for(var f=0;f<c.length;f++){var h=c[f];if(h.style!=d){if(d!=null){a.push("</span>")}if(h.style!=null){a.push("<span class=",
+h.style,">")}d=h.style}var i=h.token;if(null!=h.style){i=i.replace(/(\r\n?|\n| ) /g,"$1&nbsp;").replace(/\r\n?|\n/g,"<br>")}a.push(i)}if(d!=null){a.push("</span>")}return a.join("")}catch(e){if("console"in window){console.log(e);console.trace()}return b}}function Y(){var b=[document.getElementsByTagName("pre"),document.getElementsByTagName("code"),document.getElementsByTagName("xmp")],c=[];for(var a=0;a<b.length;++a){for(var d=0;d<b[a].length;++d){c.push(b[a][d])}}b=null;var f=0;function h(){var i=
+(new Date).getTime()+250;for(;f<c.length&&(new Date).getTime()<i;f++){var e=c[f];if(e.className&&e.className.indexOf("prettyprint")>=0){var g=false;for(var k=e.parentNode;k!=null;k=k.parentNode){if((k.tagName=="pre"||k.tagName=="code"||k.tagName=="xmp")&&k.className&&k.className.indexOf("prettyprint")>=0){g=true;break}}if(!g){var l=N(e);l=l.replace(/(?:\r\n?|\n)$/,"");var j=Z(l);if(!E(e)){e.innerHTML=j}else{var o=document.createElement("PRE");for(var m=0;m<e.attributes.length;++m){var n=e.attributes[m];
+if(n.specified){o.setAttribute(n.name,n.value)}}o.innerHTML=j;e.parentNode.replaceChild(o,e)}}}}if(f<c.length){setTimeout(h,250)}}h()};this.prettyPrint=Y;
+; })();

style.css

@@ -0,0 +1,127 @@
+body {
+ margin: 90px 30px;
+ font-size: large;
+}
+
+h1 {
+ position: absolute;
+ top: 0px;
+ left: 0px;
+ width: 100%;
+ background-color: #eee;
+ color: #666;
+ margin: 0px;
+ padding: 10px 0px;
+ border-bottom: 1px solid black;
+}
+
+h1 img {
+ margin: 0px 5px 0px 10px;
+}
+
+h2 {
+ border-bottom: 5px solid #ccc;
+}
+
+h3 {
+ border-bottom: 3px solid #ccc;
+}
+
+input#openid_url {
+ background: url('demo/openid.gif') no-repeat;
+ padding-left: 20px;
+}
+
+div.left {
+ float: left;
+ width: 65%;
+ margin: 0px;
+ padding: 0px 20px 0px 0px;
+ border-right: 2px solid #ccc;
+}
+
+div.right {
+ margin-left: 65%; padding-left: 40px;
+}
+
+h2.first {
+ margin-top: 0px;
+}
+
+small {
+ font-size: 0.3em;
+}
+
+#footnote {
+ border-top: 1px solid #ccc;
+ padding: 5px;
+ font-size: small;
+}
+
+.left li {
+ margin-bottom: 10px;
+}
+
+.left li ul {
+ margin-top: 10px;
+}
+
+ul#menu {
+ position: absolute; top: 0px; right: 0px;
+ list-style-type: none; margin: 0px; padding: 0px 5px;
+}
+
+ul#menu li {
+ display: inline;
+ font-size: small;
+}
+
+dd {
+ margin-top: 5px;
+ margin-bottom: 20px;
+}
+
+dt {
+ font-family: monospace;
+}
+
+p.asof {
+ text-align: center;
+ font-size: small;
+ text-transform: uppercase;
+}
+
+table.providers {
+ width: 100%;
+ border-collapse: collapse;
+}
+
+table.providers td {
+ border: 1px solid #ccc;
+}
+
+table.providers th {
+ background-color: #ccc;
+ border: 1px solid #999;
+}
+
+td.good {
+ background-color: green;
+}
+
+td.bad {
+ background-color: red;
+}
+
+td.warn {
+ background-color: orange;
+}
+
+td.good, td.bad, td.warn {
+ text-align: center;
+ color: white;
+}
+
+ul.key strong {
+ font-family: monospace;
+}