Sunday 9 December 2012

regex ( regular expression ) for email, phone, number, time, postcodes, age, month, currency, text, swiss price, score, word count, profanity filter validation

SPECIAL NOTE: Regular Expressions in Conditions

Note - when using regular expressions in the condition editor, do NOT include the beginning and ending slash.

Email Validation:
                        
/(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})/

The above regex will not validate email adresses with "+" - which is valid, and e.g. promoted by gmail. The below regex is slightly modified and allows "+":
/^(\w[-._+\w]*\w@\w[-._\w]*\w\.\w{2,3})$/

It is still far from perfect - but I think its better then the original (also because start-of-string and end-of-string anchors are added). Mind. This will allow e.g. abc+++defg@somemail.office.com. Ideally the regex should be modified to only allow one "+" charachter.

Postcodes:

Australian Postcodes: /^[0-9]{4}/

 Brazilian Postcodes:   /^[0-9]{2}\.[0-9]{3}-[0-9]{3}$/

Canadian Postcodes:  /^[a-zA-Z]\d{1}[a-zA-Z](\-| |)\d{1}[a-zA-Z]\d{1}$/

US Postal Codes:         /^[0-9]{5}([- /]?[0-9]{4})?$/

Phone Numbers:

US Phone Number:

 /^(?:\([2-9]\d{2}\)\ ?|[2-9]\d{2}(?:\-?|\ ?))[2-9]\d{2}[- ]?\d{4}$/

or

/^[\(\)\.\- ]{0,}[0-9]{3}[\(\)\.\- ]{0,}[0-9]{3}[\(\)\.\- ]{0,}[0-9]{4}[\(\)\.\- ]{0,}$/

This second option will match all phone Canadian and US phone numbers that include non-digit symbols including
. ( ) - (space)

This will allow you to match phone numbers which resemble below.

(555)555 5555
555.555.5555
555 555 5555
(555)-555-5555
555-555-5555
555555555

 Australian Phone Number:

The following patterns match all various Australian mobile and landline phone numbers including with "+61" country prefix eg:

(02) 9123 6535
03 1234-5345
0412 345 678
+61 2 3456 789

But not:

234 3450 234
a234 534 3432
134567
123456789013

 Brackets, white space and hypens are ignored.

NOTE: The 'PRECICE' versions listed here match against the first four or five didgets in a number to ensure that they are valid Australian numbers. The 'NOT VERY PRECISE' only match against the first and second didgit so may allow invaid numbers

All Australian phone numbers (mobile and landline - area code required) :

VERY PRECISE
/^\(?(?:\+?61|0)(?:(?:2\)?[ -]?(?:3[ -]?[38]|[46-9][ -]?[0-9]|5[ -]?[0-35-9])|3\)?(?:4[ -]?[0-57-9]|[57-9][ -]?[0-9]|6[ -]?[1-67])|7\)?[ -]?(?:[2-4][ -]?[0-9]|5[ -]?[2-7]|7[ -]?6)|8\)?[ -]?(?:5[ -]?[1-4]|6[ -]?[0-8]|[7-9][ -]?[0-9]))(?:[ -]?[0-9]){6}|4\)?[ -]?(?:(?:[01][ -]?[0-9]|2[ -]?[0-57-9]|3[ -]?[1-9]|4[ -]?[7-9]|5[ -]?[018])[ -]?[0-9]|3[ -]?0[ -]?[0-5])(?:[ -]?[0-9]){5})$/ 

NOT VERY PRECISE 
/^(?:\+?61|0)[2-478](?:[ -]?[0-9]){8}$/

All Australian phone numbers (landlines only - area code required):

VERY PRECISE 
/^\(?(?:\+?61|0)(?:2\)?[ -]?(?:3[ -]?[38]|[46-9][ -]?[0-9]|5[ -]?[0-35-9])|3\)?(?:4[ -]?[0-57-9]|[57-9][ -]?[0-9]|6[ -]?[1-67])|7\)?[ -]?(?:[2-4][ -]?[0-9]|5[ -]?[2-7]|7[ -]?6)|8\)?[ -]?(?:5[ -]?[1-4]|6[ -]?[0-8]|[7-9][ -]?[0-9]))(?:[ -]?[0-9]){6}$/ 

NOT VERY PRECISE 
/^(?:\+?61|\(?0)[2378]\)?(?:[ -]?[0-9]){8}$/

New South Wales landline phone numbers (area code optional):

VERY PRECISE 
/^(?:\(?(?:\+?61|0)2\)?[ -]?)?(?:3[ -]?[38]|[46-9][ -]?[0-9]|5[ -]?[0-35-9])(?:[ -]?[0-9]){6}$/ 

NOT VERY PRECISE 
/^(?:\(?(?:\+?61|0)2\)?(?:[ -]?[0-9]){7}[0-9]$/

Victorian and Tasmanian landline phone numbers (area code optional):

VERY PRECISE 
/^(?:\(?(?:\+?61|0)3\)?[ -]?)?(?:4[ -]?[0-57-9]|[57-9][ -]?[0-9]|6[ -]?[1-67])(?:[ -]?[0-9]){6}$/ 

NOT VERY PRECISE 
/^(?:\(?(?:\+?61|0)3\)?(?:[ -]?[0-9]){7}[0-9]$/

Queensland landline phone numbers (area code optional):

VERY PRECISE 
/^(?:\(?(?:\+?61|0)7\)?[ -]?)?(?:[2-4][ -]?[0-9]|5[ -]?[2-7]|7[ -]?6)(?:[ -]?[0-9]){6}$/ 

NOT VERY PRECISE 
/^(?:\(?(?:\+?61|0)7\)?(?:[ -]?[0-9]){7}[0-9]$/

South Australia, Northern Territory, Western Australia landline phone numbers (area code optional):

VERY PRECISE 
/^(?:\(?(?:\+?61|0)8\)?[ -]?)?(?:5[1-4]|6[0-8]|[7-9][0-9])$/ 

NOT VERY PRECISE 
/^(?:\(?(?:\+?61|0)8\)?(?:[ -]?[0-9]){7}[0-9]$/

Australian Mobile phone numbers only

VERY PRECISE 
/^(?:\+?61|0)4 ?(?:(?:[01] ?[0-9]|2 ?[0-57-9]|3 ?[1-9]|4 ?[7-9]|5 ?[018]) ?[0-9]|3 ?0 ?[0-5])(?: ?[0-9]){5}$/ 

NOT VERY PRECISE 
/^(?:\(?(?:\+?61|0)4\)?(?:[ -]?[0-9]){7}[0-9]$/

Belgian phone number

 /^((\+|00)32\s?|0)(\d\s?\d{3}|\d{2}\s?\d{2})(\s?\d{2}){2}$/

 Belgian mobile phone number

 /^((\+|00)32\s?|0)4(60|[789]\d)(\s?\d{2}){3}$/


French phone number

 /^((\+|00)33\s?|0)[1-5](\s?\d{2}){4}$/


French mobile phone number

 /^((\+|00)33\s?|0)[679](\s?\d{2}){4}$/


Luxemburg phone number

 /^((\+|00\s?)352)?(\s?\d{2}){3,4}$/


Luxemburg mobile phone number

 /^((\+|00\s?)352)?\s?6[269]1(\s?\d{3}){2}$/


German marks (with optional plus or minus)

 /^[1-6]{1}[\+|\-]?$/


Age Validation:

Example: Age 20-99

 /([2-9][0-9])/Example: Age 18-35
/(1[8-9]|2[0-9]|3[0-5])/

Example: Age 19-65

 ^(1[8-9]|[2-5][0-9]|6[0-5])$

Number validation:

Numbers from 1 to 99999

/^([1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9])$/
/^[1-9][0-9]{0,4}$/ does the same as above but should run a little faster

Numbers from 1 to 999, 1.000 to 999.999 to 999.999.999

/^[1-9][0-9]{0,2}(?:\.[0-9]{3}){0,2}$/ accepts numbers from 1 to 999, 1.000 to 999.999 to 999.999.999 but rejects numbers like 999.1.1 , 94.22.22, 999.1.22, 999.11.1, 999.1.333

Number validation with optionnal decimal (for price)

/^([1][0-9][0-9]|[1-9][0-9]|[0-9])((\.)[0-9][0-9])?$/ accepts numbers from 0 to 199, with 2 decimal optionnal

/^[1-9][0-9]{0,2}(?:,?[0-9]{3}){0,3}\.[0-9]{2}$/ forces two decimal points accepts numbers from 1.00 to 999,999,999.00 with an optional comma delimiting thousands/millions including all of the following: 1.00, 1,000.00 , 12,345.67 , 12345,02 , 123,456,468.00 , 1234566.00 , 123456789.00 but not 1,23.00 , 12,3.4 or 1234,43.04
/^[1-9][0-9]{0,2}(?:,?[0-9]{3}){0,3}(?:\.[0-9]{2})?$/ same as above but the two decimal points are optional

 Month (1-12)

If you want to ask for the month a person was born you can validate the input as follows:
/^[0]*[1-9]$|^[0]*1[0-2]$/

 Minimum width (set to 3 in this example)

/^.{3,}$/


Currency

US currency (dollar sign and cents optional)

/^\$?\d+(\.(\d{2}))?$/

 Swiss price

A number with two decimal numbers after the decimal point of which the last one is either a 5 or a 0:
/^(\d+)(\.\d(05)?)?$/

 Validate score

1-10

/^[1-9]{1}$|^10$/

 1-100

/^[1-9]?[0-9]{1}$|^100$/


Text validation

currently multiple short text doesn't support minimum or maximum answers. One way around this is to use a long free text type question with a regular expression.
The following test for at least one word per line for at least 3 lines and no more than 10 lines.

/(?:[^,.;:?!& \n\r]+(?: [^,.;:?!& \n\r]+)*)(?:[,.;:?!& \n\r]?(?:\n|\r|\n\r|\r\n)(?:[^,.;:?!& \n\r]+(?: [^,.;:?!& \n\r]+)*)){2,10}/is
If you wanted, say five words per line you could change the first and last star/asterisk to {4,} e.g.

/(?:[^,.;:?!& \n\r]+(?: [^,.;:?!& \n\r]+){4,})(?:[,.;:?!& \n\r]?(?:\n|\r|\n\r|\r\n)(?:[^,.;:?!& \n\r]+(?: [^,.;:?!& \n\r]+){4,})){2,10}/is
If you wanted one or more words per line on between 1 and 5 lines, you can change the content of the last curley braces to {0,4} (note you use 0 because you're already matching the first line.

/(?:[^,.;:?!& \n\r]+(?: [^,.;:?!& \n\r]+)*)(?:[,.;:?!& \n\r]?(?:\n|\r|\n\r|\r\n)(?:[^,.;:?!& \n\r]+(?: [^,.;:?!& \n\r]+)*)){0,4}/is

 Word count

The following restricts the number of words allowed to a minimum of 1 and a maximum of 200 

/^[-\w]+(?:\W+[-\w]+){0,199}\W*$/

To increase the minimum change the zero part of {0,199} 
To increase or decrease the maximum change the "199" part of {0,199}

Time validation

There are a number of ways of writing time formats. Some of the possible options are 12 hour or 24 hour, with seconds or without. regular expressions below:

The following three validation strings test for 24 hour time (in order of appearences) without seconds, with optional seconds lastly with seconds required. 

/^(?:[01][0-9]|2[0-3]):[0-5][0-9]$/ /^(?:[01][0-9]|2[0-3]):[0-5][0-9](?::[0-5][0-9])?$/ /^(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$/

 The following three match 12 hour time, as above with seconds, optional seconds and with seconds required 

/^(?:00:[0-5][0-9] (?:am|AM)|(?:0[1-9]|1[01]):[0-5][0-9] (?:[ap]m|[AP]M)|12:[0-5][0-9] (?:pm|PM))$/ /^(?:00:[0-5][0-9](?::[0-5][0-9])? (?:am|AM)|(?:0[1-9]|1[01]):[0-5][0-9](?::[0-5][0-9])? (?:[ap]m|[AP]M)|12:[0-5][0-9](?::[0-5][0-9])? (?:pm|PM))$/ /^(?:00:[0-5][0-9]:[0-5][0-9] (?:am|AM)|(?:0[1-9]|1[01]):[0-5][0-9]:[0-5][0-9] (?:[ap]m|[AP]M)|12:[0-5][0-9]:[0-5][0-9] (?:pm|PM))$/
The following three match either 12 or 24 hour time as above with seconds, optional seconds and with seconds required 

/^(?:(?:00:[0-5][0-9] (?:am|AM)|(?:0[1-9]|1[01]):[0-5][0-9] (?:[ap]m|[AP]M)|12:[0-5][0-9] (?:pm|PM))|(?:[01][0-9]|2[0-3]):[0-5][0-9])$/ /^(?:(?:00:[0-5][0-9](?::[0-5][0-9])? (?:am|AM)|(?:0[1-9]|1[01]):[0-5][0-9](?::[0-5][0-9])? (?:[ap]m|[AP]M)|12:[0-5][0-9](?::[0-5][0-9])? (?:pm|PM))|(?:[01][0-9]|2[0-3]):[0-5][0-9](?::[0-5][0-9])?)$/ /^(?:(?:00:[0-5][0-9]:[0-5][0-9] (?:am|AM)|(?:0[1-9]|1[01]):[0-5][0-9]:[0-5][0-9] (?:[ap]m|[AP]M)|12:[0-5][0-9]:[0-5][0-9] (?:pm|PM))|(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9])$/

 US States

To validate for one state use the following (example is Texas):

TX uppercase only = /^(TX)$/
tx lowercase only = /^(tx)$/
TX upper or lowercase = /^([T|t][X|x])$/

Profanity Filter

To filter profanity words from an answer:
/^(?i)((?!\bENTERPROFANITYHERE\b).)*$(?-i)/

Replace "ENTERPROFANITYHERE" with your bad word.

The \b will allow passing of words such as "assassination" & "hello" if you enter "ass" or "hell" as your profanity word. This also works if you are trying to omit other words, names etc. from answers.
Posted by at No comments:

Thursday 6 December 2012

sort json array

  • ascending descending order easy way to sort javascript array simple steps to sort json array in ascending descending order
Lets consider following example for sorting

 var arr = [
{ "ID": 135, "Name": "Fargo Chan", "Address": "34, Baker Street " },
{ "ID": 432, "Name": "Aaron Luke", "Address": "BLDG 1, J Street" },
{ "ID": 252, "Name": "Dilip Singh", "Address": "Hotel J, SE" }
];


 code to sort json array


 <script type="text/javascript">

     var arr = [
        { "ID": 135, "Name": "FGH", "Address": "34, Baker Street" },
        { "ID": 432, "Name": "ABC", "Address": "BLDG 1, J Street" },
        { "ID": 252, "Name": "DEF", "Address": "Hotel J, SE" }
    ];

     // Before Sorting

     document.write("<b>Before Sorting </b><br/>"); 
    for (var n = 0; n < arr.length; n++) {
        document.write(arr[n].ID + ' ' + arr[n].Name + '<br>');
    }

     // ascending order

     function SortByID(x,y) {
        return x.ID - y.ID; 
    }

     function SortByName(x,y) {
        return ((x.Name == y.Name) ? 0 : ((x.Name > y.Name) ? 1 : -1 ));
    }

     // Call Sort By Name

     arr.sort(SortByName);

     document.write("<br/><b>After Sorting </b> <br/>"); 

     for(var n=0;n<arr.length;n++){
        document.write(arr[n].ID + ' ' + arr[n].Name + '<br>');
    }

 </script>

Output

         Before Sorting
         135 FGH
         432 ABC
         252 DEF

         After Sorting
         432 ABC
         252 DEF
         153 FGH
Posted by at No comments:

Wednesday 28 November 2012

configure phpunit with xampp, netbean

step 1
Download the latest version of XAMPP (zip) and extract it to C:\xampp.

step 2
Download and install the free version of NetBeans for PHP development.

step 3
Add C:\xampp\php\ to your environment PATH.

step 4
Fire up a windows command prompt as an administrator and run the command “pear -V” to see the version of PEAR installed with XAMPP and to verify that step 3 worked. If all is successful, you will see a pear version 1.8.1 or higher and php 5.3.0 or higher.

C:\xampp\php>pear -V
PEAR Version: 1.8.1
PHP Version: 5.3.0
Zend Engine Version: 2.3.0
Running on: Windows NT VAIO 6.1 build 7100 ((null)) i586

If you see a message stating unknown command, repeat [step 3] and reboot your system, than try this step again.

step 5
Fire up a windows command prompt as an administrator and install PHPUnit via the following commands:

pear channel-discover pear.phpunit.de
pear install --alldeps phpunit/PHPUnit

If you get an error during this installation it is likely that your PEAR version was less than 1.8.1 and you’ll need to upgrade it before proceeding. The PEAR upgrade can be tricky on windows, and I found installing the latest version of XAMPP to be easier. In theory though, this is how to upgrade an existing PEAR installation:

pear upgrade pear 

if you get error like 

ERROR: failed to mkdir C:\php\pear\docs\Archive_Tar\docs
ERROR: unable to unpack C:\Users\Home539\AppData\Local\Temp\pear\download\Structures_Graph-1.0.4.tgz
ERROR: failed to mkdir C:\php\pear\docs\PEAR

then fire  command

mkdir c:\php
pear upgrade pear

 or alternative

 Try installing pear freshly. Download and save this as go-pear.php under c:\xampp\php and run 'php go-pear.php' from there. This should work.
To verify that PHPUnit is installed, run the command “phpunit –version”. You should see version 3.4.3 or higher installed.

step 6
Now let’s make some changes to the php.ini file in c:\xampp\php\. These are the lines you’ll need to un-comment in php.ini (by removing the semicolon).

zend_extension = "\xampp\php\ext\php_xdebug.dll"
xdebug.remote_enable = 0
xdebug.remote_handler = "dbgp"
xdebug.remote_host = "localhost"
xdebug.remote_port = 9000

step 7
Start or re-start Apache and verify that xdebug is turned on by visiting the XAMPP home page at http://localhost and clicking on the phpinfo() link. Xdebug status will be further down on the phpinfo page and it should read version 2.0.5 or higher.

step 8
Now, with Apache running, fire up NetBeans 6.7. Click Tools->Options and ensure that the path to your phpunit.bat (created during the PHPUnit installation) in the PHPUnit Script field is valid. Also verify that your the Session ID is set tonetbeans-xdebug and the Debugger Port is 9000. Then click OK.

Step 9
(Optional) Create a test project and a class named “Calculator” with the contents below:

<?php
class Calculator
{
    /**
     * @assert (0, 0) == 0
     * @assert (0, 1) == 1
     * @assert (1, 0) == 1
     * @assert (1, 1) == 2
     * @assert (1, 2) == 4
     */
    public function add($a, $b)
    {
        return $a + $b;
    }
}
?>

Save the class file as Calculator.php, right-click it in your project browser and choose Tools->Create PHPUnit tests. You’ll be asked to specify a directory for said unit tests.

Notice that a new CalculatorTest.php file has been generated with a unit test for each @assert annotation in the Calculator.php test class.

step 10
You can now right-click the Calculator.php class file and choose Test to perform the generated unit tests on the class. Notice how the last test failed since we asserted that 1 + 2 = 4 (which is not true).
Posted by at No comments:

Monday 26 November 2012

oauth authorization server - php


Resource



This project aims at providing a stand-alone OAuth v2 Authorization Server that is easy to integrate with your existing REST services, written in any language, without requiring extensive changes.

Features

  • PDO (database abstraction layer for various databases) storage backend for OAuth tokens
  • OAuth v2 (authorization code and implicit grant) support
  • SAML authentication support (simpleSAMLphp)
  • BrowserID authentication support using (php-browserid)

Screenshots

Below are some screenshots of the OAuth consent dialog, the first one is the default view, the second is the view when one clicks the "Details" button.
oauth_consent_simple
oauth_consent_advanced

Requirements

The installation requirements on Fedora/CentOS can be installed like this:
$ su -c 'yum install git php-pdo php httpd'
On Debian/Ubuntu:
$ sudo apt-get install git sqlite3 php5 php5-sqlite

Installation

NOTE: in the chown line you need to use your own user account name!
$ cd /var/www/html
$ su -c 'mkdir php-oauth'
$ su -c 'chown fkooman:fkooman php-oauth'
$ git clone git://github.com/fkooman/php-oauth.git
$ cd php-oauth
Install the external dependencies:
$ sh docs/install_dependencies.sh
Now you can create the default configuration files, the paths will be automatically set, permissions set and a sample Apache configuration file will be generated and shown on the screen (see below for more information on Apache configuration).
$ docs/configure.sh
Next make sure to configure the database settings in config/oauth.ini, and possibly other settings. If you want to keep using SQlite you are good to go without fiddling with the database settings. Now to initialize the database, i.e. to install the tables, run:
$ php docs/initOAuthDatabase.php
It is also possible to already preregister some clients which makes sense if you want to use the management clients mentioned below. The sample registrations are listed in docs/registration.json. By default they point to http://localhost, but if you run this software on a "real" domain you need to modify the docs/registration.json file to point to your domain name and full path where the management clients will be installed.
To modify the domain of where the clients will be located in one go, you can run the following command:
$ sed 's|http://localhost|https://www.example.org|g' docs/registration.json > docs/myregistration.json
You can still modify the docs/myregistration.json by hand if you desire, and then load them in the database:
$ php docs/registerClients.php docs/myregistration.json
This should take care of the initial setup and you can now move to installing the management clients, see below.
NOTE: On Ubuntu (Debian) you would typically install in /var/www/php-oauth and not in /var/www/html/php-oauth and you usesudo instead of su -c.

Management Clients

There are two reference management clients available:
These clients are written in HTML, CSS and JavaScript only and can be hosted on any (static) web server. See the accompanying READMEs for more information. If you followed the client registration in the previous section they should start working immediately if you install the applications at the correct URL. Do not forget to enable the management API in config/oauth.ini.

SELinux

The install script already takes care of setting the file permissions of the data/ directory to allow Apache to write to the directory. If you want to use the BrowserID authentication plugin you also need to give Apache permission to access the network. These permissions can be given by using setsebool as root:
$ sudo setsebool -P httpd_can_network_connect=on
If you want the logger to send out email, you need the following as well:
$ sudo setsebool -P httpd_can_sendmail=on
This is only for Red Hat based Linux distributions like RHEL, CentOS and Fedora.
If you want the labeling of the data/ directory to survive file system relabeling you have to update the policy as well.
FIXME: add how to update the policy...

Apache

There is an example configuration file in docs/apache.conf.
On Red Hat based distributions the file can be placed in /etc/httpd/conf.d/php-oauth.conf. On Debian based distributions the file can be placed in /etc/apache2/conf.d/php-oauth. Be sure to modify it to suit your environment and do not forget to restart Apache.
The docs/configure.sh script from the previous section outputs a config for your system which replaces the /PATH/TO/APP with the actual install directory.

Authentication

There are thee plugins provided to authenticate users:
  • DummyResourceOwner - one static account configured in config/oauth.ini
  • SspResourceOwner - simpleSAMLphp plugin for SAML authentication
  • BrowserIDResourceOwner - BrowserID / Mozilla Persona plugin
You can configure which plugin to use by modifying the authenticationMechanism setting in config/oauth.ini.

Entitlements

A more complex part of the authentication and authorization is the use of entitlements. This is a bit similar to scope in OAuth, only entitlements are for a specific resource owner, while scope is only for an OAuth client.
The entitlements are for example used by the php-oauth API. It is possible to write a client application that uses the php-oauth API to manage OAuth client registrations. The problem now is how to decide who is allowed to manage OAuth client registrations. Clearly not all users who can successfully authenticate, but only a subset. The way now to determine who gets to do what is accomplished through entitlements.
In the [Api] section the management API can be enabled:
[Api]
enableApi = TRUE
In particular, the authenticated user (resource owner) needs to have the urn:vnd:oauth2:applications entitlement in order to be able to modify application registrations. The entitlements are part of the resource owner's attributes. This maps perfectly to SAML attributes obtained through the simpleSAMLphp integration.

DummyResourceOwner

For instance in the DummyResourceOwner section, the user has this entitlement as shown in the snippet below:
; Dummy Configuration
[DummyResourceOwner]
resourceOwnerId = "1234-5678-9999"

[DummyResourceOwnerAttributes]
uid[]         = "fkooman"
displayName[] = "François Kooman"
eduPersonEntitlement[] = "urn:vnd:oauth2:applications"
eduPersonEntitlement[] = "foo"
eduPersonEntitlement[] = "bar"
Here you can see that the resource owner will be granted the urn:vnd:oauth2:applicationsfoo and bar entitlements. As there is only one account in the DummyResourceOwner configuration it is quite boring.

SspResourceOwner

Now, for the SspResourceOwner configuration it is a little bit more complex. Dealing with this is left to the simpleSAMLphp configuration and we just expect a certain configuration.
In the configuration file config/oauth.ini only a few aspects can be configured. To configure the SAML integration, make sure the following settings are at least correct.
authenticationMechanism = "SspResourceOwner"

; simpleSAMLphp configuration
[SspResourceOwner]
sspPath = "/var/simplesamlphp"
authSource = "default-sp"
Now on to the simpleSAMLphp configuration. You configure simpleSAMLphp according to the manual. The snippets below will help you with the configuration to get the entitlements right.
First the metadata/saml20-idp-remote.php to configure the IdP that is used by the simpleSAMLphp as SP:
$metadata['http://localhost/simplesaml/saml2/idp/metadata.php'] = array(
    'SingleSignOnService' => 'http://localhost/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'http://localhost/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => '4bff319a0fa4903e4f6ed52956fb02e1ebec5166',

    // clean up the attributes received from the IdP and modify them to use
    // our naming convention
    'authproc' => array(
        50 => array(
            'class' => 'core:AttributeMap',
            'urn2name',
        ),
    ),

);
You need to modify this (the URLs and the certificate fingerprint) to work with your IdP and possibly the attribute mapping rules.
Rule 50 changes the attributes to their base name. For example, if your IdP provides theurn:mace:dir:attribute-def:eduPersonEntitlement attribute, this is now reduced to just eduPersonEntitlement, the same for all the other urn:mace prefixed attributes.

Resource Servers

If you are writing a resource server (RS) an API is available to verify the Bearer token you receive from the client. It is the same API as used by Google.
An example, the RS gets the following Authorization header from the client:
Authorization: Bearer eeae9c3366af8cb7acb74dd5635c44e6
Now in order to verify it, the RS can send a request to the OAuth service:
$ curl http://localhost/php-oauth/tokeninfo.php?access_token=eeae9c3366af8cb7acb74dd5635c44e6
If the token is valid, a response (formatted here for display purposes) will be given back to the RS:
{
    "attributes": {
        "displayName": [
            "Margie Korn"
        ], 
        "eduPersonEntitlement": [
            "urn:vnd:grades:administration"
        ], 
        "uid": [
            "teacher"
        ]
    }, 
    "audience": "html-view-grades", 
    "client_id": "html-view-grades", 
    "expires_in": 3567, 
    "resource_owner_id": "6b976124bc1747b3e8b249fe3bd6edff16d546ac", 
    "scope": "grades", 
    "user_id": "6b976124bc1747b3e8b249fe3bd6edff16d546ac"
}
The RS can now figure out more about the resource owner. If you provide an invalid access token, an error is returned:
HTTP/1.1 400 Bad Request

{"error":"invalid_token","error_description":"the token was not found"}
If your service needs to provision a user, the field resource_owner_id or its alias user_id SHOULD to be used for that. Thescope field can be used to determine the scope the client was granted by the resource owner.
An example RS that uses this protocol written in PHP is available here. As this is so simple, it should be straightforward to implement this token verification in any language.

Clients

Clients can also verify the access token and retrieve more information about the resource owner. It is the same API as used by Google. However, this endpoint is no replacement for proper authentication at the service. One SHOULD NOT use the OAuth authorization server to authenticate users! The only clients that SHOULD ever use this endpoint are "user-agent-based-applications" as defined in the OAuth specification, i.e.: applications written in HTML, JavaScript and CSS where the endpoint is used to retrieve information from the authenticated user to customize the application view.
If clients use the access token verification endpoint they should make sure that the client_id field or its alias audience matches the OAuth client ID they registered at the service.

Resource Owner Data

Whenever a resource owner successfully authenticates, the attributes belonging to that user are stored in the database. This is done to give the information to registered clients and to resource servers that have a valid access token.
Care should be taken in making sure that only the attributes that are needed for a correct service operation are provided as attributes. Also, this data, which may be privacy sensitive SHOULD be removed from the database after a certain amount of time expired when the user did not login to the service.
Posted by at No comments:
Subscribe to: Posts (Atom)