PHP, Zend Framework and Other Crazy Stuff
Archive for June, 2007
OpenID 2.0 Library – to PEAR, Zend or both?
Jun 22nd
As a follow on from my previous entry about OpenID in the Zend Framework, I’ve been in brief contact with Dmitry Stogov across a scattering of emails. Dmitry posted his OpenID proposal for the framework over at the Proposals Wiki earlier in the week. I’ll be passing comments on this whenever possible (i.e. whenever the phone stops ringing this weekend).
The main differences between Dmitry’s code and my own are hard to really explain. Dmitry’s sample code is very brief, to the point, and gets OpenID 1.1 done. There is no OpenID 2.0 compatible consumer since the code omits Yadis, but it should catch most HTML based discovery elements from an OpenID alias. It doesn’t capture everything perfectly however, and there’s still a ton of coding and test work required to get it working robustly. The difference to my library is pretty big as a result. I do a lot of abstraction in my coding so I don’t have a single Consumer class – I have about 5 classes working in unison handling various authentication stages. I also have the cryptographic and math logic split into free standing components (see the PEAR proposals below for example). It’s a heavier set of code which evolved over a much longer time and so naturally covers a lot more of the specification and its edge cases.
It’s actually very hard to comment constructively rather than simply handing over my code which probably says a lot more all by itself. I really really need to get my code refactored fully at the weekend so I can slap a New BSD License on it and hand it over – I can’t keep referring to empty air.
Now what’s this about PEAR?
After my weekend blog entry I took onboard Greg Beaver’s prompting in the comments. Greg noted that PEAR was looking for an OpenID implementation. One of the reasons I had for not going to PEAR before was that JanRain (the maintainers of PHP OpenID – a PHP4 library) had a proposal over there. It looks like that proposal has now stalled and JanRain are no longer interested in pursuing a PEAR route. Among the listed reasons are the PEAR Coding Standards and the difficulty of migrating the library to PHP5. I think their reasons are a bit odd, but their choice. The PEAR conditions make a lot of sense if you intend setting a high quality standard for code.
Anyway, I’ve agreed to port my OpenID library to PEAR as a PHP5 package. I checked with the mailing list, and the approach I’ve taken in splitting the library across a number of freestanding components hasn’t seen any objections. On the flipside, it does help by providing upgrades to existing PEAR Encryption packages which are not yet migrated to PHP5 versions.
To get the process rolling I have proposed two packages so far: Crypt_HMAC2 and Crypt_DiffieHellman. These are the two cryptographic areas an OpenID Consumer must implement. The code is fairly intact from what would have been the Zend Framework Zend_Crypt_* proposals.
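As an added illustration (not code from Crypt_HMAC2, Crypt_DiffieHellman or either OpenID library), the example below shows how the two pieces fit together in an OpenID 1.1 style association: Diffie-Hellman protects the MAC key in transit, and HMAC-SHA1 over the signed fields authenticates the provider's assertion. The function names, the toy prime and the sample fields are assumptions constructed for the example; it requires ext-gmp.

```php
<?php
// Added example, not code from the libraries discussed. Requires ext-gmp.
// The prime, keys and message fields are constructed for illustration.

// "btwoc": big-endian two's complement encoding of a non-negative integer.
function btwoc(GMP $n): string {
    $bytes = gmp_export($n);                       // unsigned, big-endian
    return ($bytes === '' || (ord($bytes[0]) & 0x80)) ? "\x00" . $bytes : $bytes;
}

// Both sides derive the same 20-byte mask from the Diffie-Hellman shared secret.
function dhMask(GMP $theirPublic, GMP $myPrivate, GMP $p): string {
    return sha1(btwoc(gmp_powm($theirPublic, $myPrivate, $p)), true);
}

// HMAC-SHA1 over the key-value form of the fields listed in openid.signed.
function signFields(array $fields, string $macKey): string {
    $kv = '';
    foreach (explode(',', $fields['openid.signed']) as $name) {
        if (!isset($fields["openid.$name"])) {
            throw new InvalidArgumentException("signed field missing: $name");
        }
        $kv .= $name . ':' . $fields["openid.$name"] . "\n";
    }
    return base64_encode(hash_hmac('sha1', $kv, $macKey, true));
}

function verifyAssertion(array $fields, string $macKey): bool {
    if (!isset($fields['openid.signed'], $fields['openid.sig'])) return false;
    return hash_equals(signFields($fields, $macKey), $fields['openid.sig']); // constant time
}

// --- constructed demo: toy 61-bit prime, far too small for real use ---
$p = gmp_init('2305843009213693951'); $g = gmp_init(2);
$consumerPriv = gmp_random_range(2, $p - 2);
$providerPriv = gmp_random_range(2, $p - 2);
$consumerPub  = gmp_powm($g, $consumerPriv, $p);   // consumer's public value, sent in the request
$providerPub  = gmp_powm($g, $providerPriv, $p);   // provider's public value, sent in the reply

$macKey    = random_bytes(20);                     // provider's association secret
$encMacKey = base64_encode(dhMask($consumerPub, $providerPriv, $p) ^ $macKey);
$recovered = dhMask($providerPub, $consumerPriv, $p) ^ base64_decode($encMacKey);

$fields = ['openid.identity' => 'http://alice.example/', 'openid.return_to' =>
           'http://rp.example/finish', 'openid.signed' => 'identity,return_to'];
$fields['openid.sig'] = signFields($fields, $macKey);       // provider signs
var_dump(verifyAssertion($fields, $recovered));             // genuine assertion
$fields['openid.identity'] = 'http://mallory.example/';     // altered after signing
var_dump(verifyAssertion($fields, $recovered));             // altered assertion
```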
The next PEAR proposal will likely be the heavyweight Services_Yadis, a reflection of a similar proposal for the Zend Framework. Yadis is an XML based service discovery protocol – required for OpenID 2.0 Consumers. In my OpenID implementation it’s also the component solely responsible for managing and validating XRI identities and finding their OpenID required CanonicalID values.
In using PEAR for years, I’ve never proposed a package before. It was quite a pleasant surprise to find out how easy it was. Following the PEAR Coding Standard is already a habit and building example installable packages for a proposal just requires minimal reading of the PEAR_PackageFileManager documentation, which is useful in generating those package.xml files which tell PEAR about the package and install locations of files. I also seem to have joined up to PEAR just in time for a future announcement regarding PEAR2. Travis Swicegood already blogged about this earlier.
Zend_Service_Openid Is Dead; But Its Reincarnation Is Coming
Jun 18th
Back in February of this year I started the process of proposing a PHP5 OpenID and Yadis library for the Zend Framework. This was to be based on a proprietary implementation (IP clean, I hold the copyright) I had started working on. After posting some questions to the mailing list before adding any additional formal proposals, I have learned another OpenID library for the Zend Framework is also in progress within Zend.
The upshot of this, given it’s a Zend sponsored library, is that I feel like there’s little choice but to abandon my own version of a proposal for the framework. So its status is “withdrawn” at this moment as is Zend_Service_Yadis, being a linked proposal. The library itself is not being abandoned, far from it as it has always been my intention to release it under a New BSD License and that plan is not wavering.
Now it’s been a few days since I learned this. So I’ve calmed down a little, and look forward to a review of the Zend code which Andi kindly asked Dmitry Stogov to supply. I can’t help but pass some comments however (not as “rant and rave” as I might have posted on Saturday though). The first is that it is frustrating to have a second Zend Framework OpenID library start and for the team behind it to miss the existing effort totally. I had posted to the mailing list back in February, put a formal Zend_Service_Yadis Proposal on the Wiki in plain sight (a significant piece of supporting OpenID 2.0), and blogged about it a few times. The simplest of research tactics (Google for “zend openid” and guess who owns the first page of results) could have avoided this. Secondly, this second project has never been notified to the Zend Framework mailing lists, something I had thought was part of the Proposals Process before writing a formal proposal. This entire scenario only ever cropped up because a decision was made away from the public eye. If it had been announced, I could have joined the team and contributed my ideas and code at that time.
It’s very disappointing this has occurred and I urge Zend to publicise their future Zend Framework proposals rather than developing them in the dark and springing a last second surprise. It could save some other poor soul from a shock in the future.
However what remains to be seen is how the Zend proposal plays out. My own proposal took a particular approach to OpenID. OpenID is a complex set of specifications, something the JanRain library makes abundantly clear. But in isolation, its parts are relatively simple. My proposal would have advocated the separation of concerns to a large extent – something I feel has been amiss with the framework in many places. The core of this proposal has been to pick apart OpenID 2.0 and split it into many components which are completely decoupled from an OpenID specific class, and therefore are completely reusable Framework-wide and also add far more value than highly coupled methods.
If the Zend OpenID library does not take this approach, then it still leaves the field open for a fair proportion of my library to end up being proposed for the Framework (e.g. Zend_Crypt, Zend_Math_BigInteger) so that components have a central reserve of reusable code. For example, Simon Mundy seems very supportive of a standalone HMAC implementation for Zend_Mail (something a Zend_Crypt proposal would include). How many others would like to see RSA, XTEA, Diffie-Hellman (with Wez Furlong’s awesome incoming openssl support included!), and company standing alone and begging for reuse?
Going by very recent information from Dmitry Stogov at Zend, it’s even possible the original Zend_Service_Yadis proposal I initiated can still make it through the proposal process. So I may yet publish my non-OpenID proposals to the framework wiki.
In the meantime however, I’m left with an OpenID library in PHP5 that’s nearing completion (OpenID 1.1 is just about there, and 2.0 a short distance beyond that) and appears bereft of a framework route. This, fortunately, was not the only distribution path I had considered so there’s still a few possibilities to explore.
If you’re one of those following this saga since February, stay tuned. A PHP5 OpenID library (sorry, two) are incoming. Yep, silver lining and all that…
