OpenID Consumer Authentication

User account access is now possible by OpenID 2.0 and Yadis Authentication Service functions.

Once a user is verified by their OpenID trust provider, the account sign-up and log-in forms are pre-filled with default values.  OpenID users who sign-up are only required to enter the Captcha security code.

KitCADi3 _i3user.htm Passwords are less secure for OpenID generated KitCADi3 accounts because the password and user name is generated from the OpenID uri entered.

*KitCADi3 at does not record infomation from the OpenID responce (such as contact address, age, etc). The term of ‘OpenID Consumer’ refers to the requesting server/computer, that in this case should ALWAYS default to to check only for valid account log-in.  (If the URL is different then the responce XML may be recorded in cache/logs)

The PHP scripts used to access OpenID / Yadis can be found at :-

pre 2009 was

More information about OpenID can be found at:


19 Responses to “OpenID Consumer Authentication”

  1. Admin Says:

    Bug: Opera 9.0 has noticed the self.opener is null..

    Other coding attempts will be made, like using window.opener, tracking, cgi, etc…

    If the bug can not be corrected then Opera 9.0 support may be disabled 🙁

    Other browsers may also reject the OpenID support that is enabled by KitCAD i3 _user.htm because script proxy crosses two or more domains, or another page is generated by form post/get. The result is that the value for ‘opener’ is deleted (or over-secured).

  2. Admin Says:

    Bug: Trust

    The trust of a 3rd party site/service used for validation or its user accounts can not be validated. A 3rd party script can be setup to provide the header responces and trick the consumer (aka KitCADi3)..

    This is not something which can be corrected unless major restrictions are placed on validation URI

    There are trusted discovery service/s which can avoid these issues, and by using: pre-configured filter lists (URI restrictions), hardware dongles, or usb keys. However this level of OpenID support is not enabled at this time from KitCADi3.

  3. Admin Says:

    It is assumed that SSL certificates, InfoCards, CardSpaces, or other Identity methods should be provided by the user to the OpenID URI resolver to re-aquire trust.

    If the PHP code is updated then support may be extended to other methods at a later date. (OpenID is the default option for KitCADi3 users who do not wish to maintain an email account as identity)

  4. Admin Says:

    Updated php scripts to use common.php for file path info, config, etc..
    The php scripts now require ZEND ENGINE 1 or above with the global function enabled.

    Added a section to delete the time encripted session keys (set to a 1 hour ttl)

  5. Admin Says:

    Planned upgrades to the OpenID auth for KitCAD.
    The upgrades will be to alter email+pass to match the KitCAD i3 mediawiki (which, with email validation authorises new accounts, and allows password changes).
    The OpenID login has been remarked out of the HTML until ready again for release (no point creating bad accounts)


  6. Admin Says:

    Upgraded, and updated the PHP files from 2.0.0 to version 2.0.1.

  7. Admin Says:

    Removed OpenID from Mediawiki 1.12.0 KitCAD i3 option. However OpenID was still being used in two files and causing KitCAD i3 user ID to become an error. (See bug fix)

  8. Admin Says:

    Upgraded, and updated the PHP files from 2.0.1( to 2.1.1


  9. Admin Says: PHP 2.1.1 -> 2.1.2

  10. Admin Says:

    Have checked release, and already updated to version 2.1.3 (just forgot to post a note here).

    2.1.2 -> 2.1.3

  11. Admin Says: -> is now

    Downloaded version 2.2.2 (pending work for July KitCAD i3 releases – see post below) from

  12. Admin Says:

    2.1.3 -> 2.2.2

    KitCAD and XAMPP/WAMPP servers
    Updating from 2.1.3 to 2.2.2 required one change for KitCAD i3 XAMPP try_auth.php file; text of :-

    require_once “common.php”;

    to be :-

    //next line was added for version 2.2.2
    define(‘Auth_OpenID_RAND_SOURCE’, null);

    require_once “common.php”;

    Notes:- if you define Auth_OpenID_RAND_SOURCE, simply use the path and filename to a random number generators output

    EG: define(‘Auth_OpenID_RAND_SOURCE’, ‘/root/htdocs/ping.txt’);

  13. Admin Says:

    Updated XAMPP and WAMPP2 versions of KitCAD i3 KGC with OpenIDEnabled PHP 2.2.2.

    Did not change the release date, currently at 15th June, 2010

  14. Admin Says:

    Re-Updated KitCAD i3 KGC XAMPP, WAMPP2, and WWW versions to support OpenID reply without ‘user’, ‘nic’, or ‘ID’ data strings.

    A work-around was added to allow the users entered OpenID host to be used in both the ‘user’, and ‘password’ values. The work-around code fix has been consumer tested using a 3rd party OpenID provider.

    Re-uploaded KitCAD i3 KGC (and 2.2.2 support) with un-changed current release date of 27th August, 2010.

  15. Admin Says:

    Added site whitelist for OpenID Providers; OpenID Providers * 22 sites (many untested)

  16. Admin Says:

    Fixed OpenID password auth security issues. Added a /htdocs/login/*.openid file to record password (online and xampp/wampp2 versions).

    Remarked ’email’ as auth user, instead using the URI supplied by user as ’email’ address (online and xampp/wampp2 versions).

    Added support for kitcad_secure.cgi to capture bad logins on all requests for data writes at servers backends (online version only).

  17. Admin Says:

    Added FaceBook and Twitter AUTH support for a consumer.

    Auth Keys are required by both Facebook and Twitter websites. By default these consumers are Disabled in all verisons except the Online versions hosted by

    FaceBook supported using the package included example for RPCL in RadPHP 3.0 (or past vcl_for_php_2_1.tar.gz)
    Twitter supports using the TwitterOAuth PHP script by Abraham Williams.

    See FaceBook RPCL support fix/notes for more information.

    Google support exists without a AUTH key if using the google-api-php-client example that is included with OpenID for PHP. A revised version for the +google sign-in service may be developed/depolyed at a later date.

  18. Admin Says:

    2.2.2 (2013) -> 2.2.2 (2014 – Test build/update)

    Added to | Open ID authentication system the Google developers cloud API for Google+ sign-ins and updated white-list setting for single the url of

    See server maintenance notice for more information.

    Updates to off-line versions will be applied during the next available upgrade (as yet unknown).

  19. Admin Says:

    Updated KitCAD i3 KGC XAMPP, WAMPP2, and WWW versions:

    Added sign-in method to OpenID consumer authentication – Server side using Google APIs Client Library for PHP (

    See KitCAD i3 KGC 2014 maintenance upgrade release notice for more information.

    End user Instruction :

    1 – Enter into the OpenID sign-in dialog, and click the Verify button (as image above)

    Start Kitchen Pages signin
    Click to view image

    2 – Users not already logged into Google or Users who have NOT allowed permission will be asked to confirm sign-in. (The sign-out or no permission dialog will be displayed, see image above)

    Google account
    Click to view image

    3 – Set Google account permission. (see image above)

    Completed permission
    Click to view image

    4 – Users will be directed to the permission setting notice page. Users are NOT signed in. (see image above)

    Validate account
    Click to view image

    5 – Clicking the Verify button for a second time will up date the sign-in permission or remove permission/sign-out and complete the sign-in/out process. (The sign-in AND permission allowed dialog will be displayed, see image above)

Leave a Reply

You must be logged in to post a comment.