Class OpenID::Consumer
In: lib/openid/consumer/associationmanager.rb
Parent: Object

OpenID support for Relying Parties (aka Consumers).

This module documents the main interface with the OpenID consumer library. The only part of the library which has to be used and isn‘t documented in full here is the store required to create an Consumer instance.


The OpenID identity verification process most commonly uses the following steps, as visible to the user of this library:

  1. The user enters their OpenID into a field on the consumer‘s site, and hits a login button.
  2. The consumer site discovers the user‘s OpenID provider using the Yadis protocol.
  3. The consumer site sends the browser a redirect to the OpenID provider. This is the authentication request as described in the OpenID specification.
  4. The OpenID provider‘s site sends the browser a redirect back to the consumer site. This redirect contains the provider‘s response to the authentication request.

The most important part of the flow to note is the consumer‘s site must handle two separate HTTP requests in order to perform the full identity check.


This consumer library is designed with that flow in mind. The goal is to make it as easy as possible to perform the above steps securely.

At a high level, there are two important parts in the consumer library. The first important part is this module, which contains the interface to actually use this library. The second is openid/store/interface.rb, which describes the interface to use if you need to create a custom method for storing the state this library needs to maintain between requests.

In general, the second part is less important for users of the library to know about, as several implementations are provided which cover a wide variety of situations in which consumers may use the library.

The Consumer class has methods corresponding to the actions necessary in each of steps 2, 3, and 4 described in the overview. Use of this library should be as easy as creating an Consumer instance and calling the methods appropriate for the action the site wants to take.

This library automatically detects which version of the OpenID protocol should be used for a transaction and constructs the proper requests and responses. Users of this library do not need to worry about supporting multiple protocol versions; the library supports them implicitly. Depending on the version of the protocol in use, the OpenID transaction may be more secure. See the OpenID specifications for more information.


The Consumer object keeps track of two types of state:

  1. State of the user‘s current authentication attempt. Things like the identity URL, the list of endpoints discovered for that URL, and in case where some endpoints are unreachable, the list of endpoints already tried. This state needs to be held from Consumer.begin() to Consumer.complete(), but it is only applicable to a single session with a single user agent, and at the end of the authentication process (i.e. when an OP replies with either id_res. or cancel it may be discarded.
  2. State of relationships with servers, i.e. shared secrets (associations) with servers and nonces seen on signed messages. This information should persist from one session to the next and should not be bound to a particular user-agent.

These two types of storage are reflected in the first two arguments of Consumer‘s constructor, session and store. session is a dict-like object and we hope your web framework provides you with one of these bound to the user agent. store is an instance of Store.

Since the store does hold secrets shared between your application and the OpenID provider, you should be careful about how you use it in a shared hosting environment. If the filesystem or database permissions of your web host allow strangers to read from them, do not store your data there! If you have no safe place to store your data, construct your consumer with nil for the store, and it will operate only in stateless mode. Stateless mode may be slower, put more load on the OpenID provider, and trusts the provider to keep you safe from replay attacks.

Several store implementation are provided, and the interface is fully documented so that custom stores can be used as well. See the documentation for the Consumer class for more information on the interface for stores. The implementations that are provided allow the consumer site to store the necessary data in several different ways, including several SQL databases and normal files on disk.


In the flow described above, the user may need to confirm to the OpenID provider that it‘s ok to disclose his or her identity. The provider may draw pages asking for information from the user before it redirects the browser back to the consumer‘s site. This is generally transparent to the consumer site, so it is typically ignored as an implementation detail.

There can be times, however, where the consumer site wants to get a response immediately. When this is the case, the consumer can put the library in immediate mode. In immediate mode, there is an extra response possible from the server, which is essentially the server reporting that it doesn‘t have enough information to answer the question yet.


Integrating this library into an application is usually a relatively straightforward process. The process should basically follow this plan:

Add an OpenID login field somewhere on your site. When an OpenID is entered in that field and the form is submitted, it should make a request to the your site which includes that OpenID URL.

First, the application should instantiate a Consumer with a session for per-user state and store for shared state using the store of choice.

Next, the application should call the begin method of Consumer instance. This method takes the OpenID URL as entered by the user. The begin method returns a CheckIDRequest object.

Next, the application should call the redirect_url method on the CheckIDRequest object. The parameter return_to is the URL that the OpenID server will send the user back to after attempting to verify his or her identity. The realm parameter is the URL (or URL pattern) that identifies your web site to the user when he or she is authorizing it. Send a redirect to the resulting URL to the user‘s browser.

That‘s the first half of the authentication process. The second half of the process is done after the user‘s OpenID Provider sends the user‘s browser a redirect back to your site to complete their login.

When that happens, the user will contact your site at the URL given as the return_to URL to the redirect_url call made above. The request will have several query parameters added to the URL by the OpenID provider as the information necessary to finish the request.

Get a Consumer instance with the same session and store as before and call its complete() method, passing in all the received query arguments and URL currently being handled.

There are multiple possible return types possible from that method. These indicate the whether or not the login was successful, and include any additional information appropriate for their type.


Classes and Modules

Module OpenID::Consumer::Response
Class OpenID::Consumer::AssociationManager
Class OpenID::Consumer::CancelResponse
Class OpenID::Consumer::CheckIDRequest
Class OpenID::Consumer::DiffieHellmanSHA1Session
Class OpenID::Consumer::DiffieHellmanSHA256Session
Class OpenID::Consumer::DiffieHellmanSession
Class OpenID::Consumer::DiscoveredServices
Class OpenID::Consumer::DiscoveryManager
Class OpenID::Consumer::FailureResponse
Class OpenID::Consumer::IdResHandler
Class OpenID::Consumer::NoEncryptionSession
Class OpenID::Consumer::SetupNeededResponse
Class OpenID::Consumer::SuccessResponse


SUCCESS = :success   Code returned when either the of the OpenID::OpenIDConsumer.begin_auth or OpenID::OpenIDConsumer.complete_auth methods return successfully.
FAILURE = :failure   Code OpenID::OpenIDConsumer.complete_auth returns when the value it received indicated an invalid login.
CANCEL = :cancel   Code returned by OpenIDConsumer.complete_auth when the user cancels the operation from the server.
SETUP_NEEDED = :setup_needed   Code returned by OpenID::OpenIDConsumer.complete_auth when the OpenIDConsumer instance is in immediate mode and ther server sends back a URL for the user to login with.


session_key_prefix  [RW] 

Public Class methods

Initialize a Consumer instance.

You should create a new instance of the Consumer object with every HTTP request that handles OpenID transactions.

session: the session object to use to store request information. The session should behave like a hash.

store: an object that implements the interface in Store.

Set the name of the query parameter that this library will use to thread the requested URL through an OpenID 1 transaction (for use when verifying discovered information). It will be appended to the return_to URL.

Set the name of the query parameter that this library will use to thread a nonce through an OpenID 1 transaction. It will be appended to the return_to URL.

Public Instance methods

Start the OpenID authentication process. See steps 1-2 in the overview for the Consumer class.

user_url: Identity URL given by the user. This method performs a textual transformation of the URL to try and make sure it is normalized. For example, a user_url of will be normalized to normalizing and resolving any redirects the server might issue.

anonymous: A boolean value. Whether to make an anonymous request of the OpenID provider. Such a request does not ask for an authorization assertion for an OpenID identifier, but may be used with extensions to pass other data. e.g. "I don‘t care who you are, but I‘d like to know your time zone."

Returns a CheckIDRequest object containing the discovered information, with a method for building a redirect URL to the server, as described in step 3 of the overview. This object may also be used to add extension arguments to the request, using its add_extension_arg method.

Raises DiscoveryFailure when no OpenID server can be found for this URL.

Start OpenID verification without doing OpenID server discovery. This method is used internally by Consumer.begin() after discovery is performed, and exists to provide an interface for library users needing to perform their own discovery.

service: an OpenID service endpoint descriptor. This object and factories for it are found in the openid/consumer/discovery.rb module.

Returns an OpenID authentication request object.

Returns a subclass of Response. The type of response is indicated by the status attribute, which will be one of SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.

Protected Instance methods