ResourceMe is a framework for building Semantic Web enabled applications. Different authentication mechanisms are supported, with the main focus on decentralized identities. Authorization can be granted in a fine-grained way for anything that fulfils the requirement of being an RDF triple or a file. Wherever possible, established standards are used. Great emphasis is placed on a modular design and on PHP code that runs nearly everywhere. Only a small number of core components are tied to specific ontologies. Utilities for well-established social network ontologies are delivered with the framework.
Overview of the ResourceMe architecture
Authentication is handled by modules which return lists of FOAF Agent URLs. These modules must implement the LoginModule interface. The AuthenticationManager controls the configured modules and can also store verified URLs. The extended interface LoginCacheModule contains a set method that allows a module to persist URLs and bind them to any kind of session information.
Triples are managed with an implementation of Triplestore. A triplestore is also known as a graph. The Triplestore interface provides methods to find, insert, update and delete triples. The insert, update and delete methods take a TripleFilter that defines the set of triples the method works on. The update method additionally takes a TripleUpdater, which performs the actual update on the filtered set of triples. A TriplestoreManager manages multiple Triplestores; this is also known as a quad store.
Access is granted based on the FOAF Agent URLs the AuthenticationManager returns. The AgentManager takes these URLs from the AuthenticationManager and checks on demand whether a FOAF Agent is a member of a group. A class implementing the AuthZTriplestore interface uses the information provided by the AgentManager to grant access to individual triples. Because the AuthZTriplestore interface extends the Triplestore interface, the underlying Triplestore can be used transparently. AuthZTriplestore and AuthZFilestore provide a hasAccess method to check whether an agent has access to a triple or file in the defined mode. The method must not reveal whether the triple or file exists: a denied request for a non-existent resource has to look exactly like a denied request for an existing one, otherwise hasAccess becomes an existence oracle.
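The following is an added illustration of the hasAccess contract described above; it is not ResourceMe code, and the interface shapes, the Rule layout and the agent/group URIs are assumptions (PHP 8 syntax). The point it demonstrates is that the decision is computed from the access rules and the agent's group membership alone, so the same call on a triple that does not exist returns the same answer as on one that exists but is not granted.

```php
<?php
// Added example, not part of ResourceMe. Shapes of AgentLookup/Rule/AuthZStore are assumed.
declare(strict_types=1);

interface AgentLookup {
    /** True if the FOAF agent is a member of the group (what the text's AgentManager answers). */
    public function isMember(string $agentUri, string $groupUri): bool;
}

final class InMemoryAgentManager implements AgentLookup {
    /** @param array<string, string[]> $groups group URI => member agent URIs (constructed data) */
    public function __construct(private array $groups) {}

    public function isMember(string $agentUri, string $groupUri): bool {
        return in_array($agentUri, $this->groups[$groupUri] ?? [], true);
    }
}

final class Triple {
    public function __construct(public string $s, public string $p, public string $o) {}
}

/** One rule: a subject (null = any subject) and a mode granted to an agent URI or a group URI. */
final class Rule {
    public function __construct(
        public ?string $subject,
        public string $mode,
        public ?string $agent = null,
        public ?string $group = null,
    ) {}
}

final class AuthZStore {
    /** @param Triple[] $triples @param Rule[] $rules */
    public function __construct(
        private array $triples,
        private array $rules,
        private AgentLookup $agents,
    ) {}

    /**
     * Deny by default. Only rules and membership are consulted, never $this->triples,
     * so this method cannot be used to probe whether a triple is stored.
     */
    public function hasAccess(string $agentUri, Triple $t, string $mode): bool {
        foreach ($this->rules as $r) {
            if ($r->mode !== $mode) { continue; }
            if ($r->subject !== null && $r->subject !== $t->s) { continue; }
            if ($r->agent !== null && $r->agent === $agentUri) { return true; }
            if ($r->group !== null && $this->agents->isMember($agentUri, $r->group)) { return true; }
        }
        return false;
    }

    /** Filtered read: triples the agent may not see are simply absent, like ones that never existed. */
    public function find(string $agentUri, string $subject): array {
        return array_values(array_filter(
            $this->triples,
            fn(Triple $t) => $t->s === $subject && $this->hasAccess($agentUri, $t, 'read')
        ));
    }
}

// Constructed sample data.
$alice   = 'https://alice.example/profile#me';
$bob     = 'https://bob.example/profile#me';
$eve     = 'https://eve.example/profile#me';
$friends = 'https://alice.example/groups#friends';

$store = new AuthZStore(
    [new Triple($alice, 'http://xmlns.com/foaf/0.1/name', '"Alice"'),
     new Triple($alice, 'http://xmlns.com/foaf/0.1/phone', 'tel:+1-555-0100')],
    [new Rule($alice, 'read', agent: $alice),     // the owner reads her own profile
     new Rule($alice, 'read', group: $friends)],  // so do members of her friends group
    new InMemoryAgentManager([$friends => [$bob]]),
);

$stored  = new Triple($alice, 'http://xmlns.com/foaf/0.1/phone', 'tel:+1-555-0100');
$missing = new Triple($alice, 'http://xmlns.com/foaf/0.1/mbox', 'mailto:alice@alice.example');

var_dump($store->hasAccess($bob, $stored, 'read'));   // friend, stored triple
var_dump($store->hasAccess($eve, $stored, 'read'));   // stranger, stored triple
var_dump($store->hasAccess($eve, $missing, 'read'));  // stranger, triple that is not stored
var_dump(count($store->find($eve, $alice)));
```

The last two hasAccess calls are the ones that matter: an implementation that looked the triple up first and returned, say, null or threw for an unknown triple would let an unauthenticated caller enumerate which statements exist about a profile. Keeping the lookup out of the decision, and keeping find's filtered output free of any "hidden" marker, closes that channel.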
As RME uses namespaces, PHP version 5.3 or greater is required. The WebID and SCookie authentication modules are based on the PHP OpenSSL extension. The PDOTriplesStore implementation requires PDO and the corresponding database driver extension.
WebID is an open standard for decentralized identities and logins. It is based on client certificates and is therefore supported by all standard browsers. The profile that represents the identity can be stored on any HTTP server. ResourceMe has its own library for WebID authentication. ResourceMe is also well suited for hosting WebID profiles: its authorization can be used to protect the parts of your profile that should not be visible to everybody.
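As an added example of what a WebID-TLS verifier has to check (this is not ResourceMe's own WebID library): the client certificate the TLS layer presents is parsed for the WebID URI in its subjectAltName, and the profile at that URI must list the certificate's RSA public key (modulus and exponent). Dereferencing and parsing the RDF profile is left to an injected callable here; the harness at the bottom creates a self-signed certificate with a SAN URI to stand in for a browser's client certificate, and the URIs, names and the SSL_CLIENT_CERT deployment note are assumptions.

```php
<?php
// Added example, not ResourceMe code. Requires the OpenSSL extension; PHP 8 syntax.
declare(strict_types=1);

/** WebID URIs found in the certificate's subjectAltName (a certificate may carry several). */
function webidUrisFromCert(string $pem): array {
    $parsed = openssl_x509_parse($pem);
    $san = is_array($parsed) ? ($parsed['extensions']['subjectAltName'] ?? '') : '';
    $uris = [];
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (str_starts_with($entry, 'URI:')) {
            $uris[] = substr($entry, 4);
        }
    }
    return $uris;
}

/** RSA modulus (lowercase hex, no leading zeros) and exponent of the certificate's public key. */
function rsaKeyFromCert(string $pem): ?array {
    $pub = openssl_pkey_get_public($pem);
    $details = $pub === false ? false : openssl_pkey_get_details($pub);
    if ($details === false || $details['type'] !== OPENSSL_KEYTYPE_RSA) {
        return null;   // WebID-TLS profiles describe RSA keys (cert:modulus / cert:exponent)
    }
    return [
        'modulus'  => ltrim(bin2hex($details['rsa']['n']), '0'),
        'exponent' => (int) hexdec(bin2hex($details['rsa']['e'])),
    ];
}

/**
 * Returns the verified WebID URI or null. $fetchProfileKeys($uri) must return the key pairs the
 * profile publishes for $uri as [['modulus' => hex, 'exponent' => int], ...]; the HTTPS fetch and
 * RDF parsing happen in there. Possession of the private key is already proven by the TLS
 * handshake, so the only remaining question is whether the profile vouches for this key.
 */
function verifyWebId(string $pem, callable $fetchProfileKeys): ?string {
    $certKey = rsaKeyFromCert($pem);
    if ($certKey === null) {
        return null;
    }
    foreach (webidUrisFromCert($pem) as $uri) {
        if (!str_starts_with($uri, 'https://')) {
            continue;   // a profile fetched over plain HTTP could be swapped on the wire
        }
        foreach ($fetchProfileKeys($uri) as $profileKey) {
            $mod = ltrim(strtolower(preg_replace('/\s+/', '', (string) $profileKey['modulus'])), '0');
            if (hash_equals($certKey['modulus'], $mod) && $certKey['exponent'] === (int) $profileKey['exponent']) {
                return $uri;
            }
        }
    }
    return null;
}

// Constructed harness. In production the PEM comes from $_SERVER['SSL_CLIENT_CERT'], which
// Apache mod_ssl exports with "SSLVerifyClient optional" plus "SSLOptions +ExportCertData".
$webid = 'https://alice.example/profile#me';
$cfg = tempnam(sys_get_temp_dir(), 'webid');
file_put_contents($cfg, "[req]\ndistinguished_name = dn\n[dn]\n[v3_req]\nsubjectAltName = URI:$webid\n");
$args = ['config' => $cfg, 'req_extensions' => 'v3_req', 'x509_extensions' => 'v3_req',
         'private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];
$key  = openssl_pkey_new($args);
$csr  = openssl_csr_new(['commonName' => 'Alice'], $key, $args);
$cert = openssl_csr_sign($csr, null, $key, 365, $args);   // self-signed: WebID needs no CA
openssl_x509_export($cert, $pem);
unlink($cfg);

$ownKey = rsaKeyFromCert($pem);
$profileListsCertKey  = fn(string $uri): array => $uri === $webid ? [$ownKey] : [];
$profileListsOtherKey = fn(string $uri): array => [['modulus' => 'deadbeef', 'exponent' => 65537]];

var_dump(verifyWebId($pem, $profileListsCertKey));   // profile vouches for the presented key
var_dump(verifyWebId($pem, $profileListsOtherKey));  // profile lists a different key
```

Two practical caveats: the TLS layer must actually request a client certificate (otherwise SSL_CLIENT_CERT is empty and nothing is proven), and the profile lookup should be cached with a short lifetime, since every login otherwise turns into an outbound HTTPS request that an attacker can trigger at will.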
OAuth 2.0 login modules use the access token only once, to fetch the user profile. Where the URL for the identity can be extracted from is provider dependent. Therefore an OAuth login module implementation must use a class that extends OAuthApplication.
The Facebook authentication module uses OAuth 2.0 to get the ID of the https://graph.facebook.com/me Open Graph object.
The Google+ authentication module uses OAuth 2.0 to get the URL of the https://www.googleapis.com/plus/v1/people/me API object. Besides the access token, an API key is required to access the API.
The basic login module allows logging in via a local account using HTTP basic access authentication. The local account is mapped to a URL.
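To tie the authentication section above to this module, here is an added sketch (not the framework's BasicLogin module) of how a login module of the described kind could implement the LoginModule contract: authenticate the HTTP Basic credentials and return the list of FOAF Agent URLs the local account maps to. The interface name comes from the text; its method signature, the account table and the URLs are assumptions.

```php
<?php
// Added example, not ResourceMe code. LoginModule::authenticate() signature is assumed; PHP 8 syntax.
declare(strict_types=1);

interface LoginModule {
    /** @return string[] FOAF Agent URLs of the authenticated agent, [] when nobody is logged in */
    public function authenticate(array $server): array;
}

final class BasicLoginModule implements LoginModule {
    /** Hash of a random secret, verified against for unknown users so they cost the same time as known ones. */
    private string $decoyHash;

    /** @param array<string, array{hash: string, webid: string}> $accounts constructed local account table */
    public function __construct(private array $accounts) {
        $this->decoyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function authenticate(array $server): array {
        [$user, $pass] = $this->credentials($server);
        if ($user === null) {
            return [];
        }
        $account = $this->accounts[$user] ?? null;
        $hash = $account['hash'] ?? $this->decoyHash;
        // password_verify always runs, so a missing account is not distinguishable by timing.
        if (!password_verify($pass, $hash) || $account === null) {
            return [];
        }
        return [$account['webid']];   // the local account mapped to its URL
    }

    /** PHP fills PHP_AUTH_* as an Apache module; behind FastCGI the raw header has to be parsed. */
    private function credentials(array $server): array {
        if (isset($server['PHP_AUTH_USER'])) {
            return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
        }
        $header = $server['HTTP_AUTHORIZATION'] ?? '';
        if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $header, $m)) {
            return [null, null];
        }
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || !str_contains($decoded, ':')) {
            return [null, null];
        }
        return explode(':', $decoded, 2);   // the password may itself contain ':'
    }
}

$module = new BasicLoginModule([
    'alice' => ['hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
                'webid' => 'https://rme.example/people/alice#me'],
]);
$good = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:correct horse')];
$bad  = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:wrong')];
var_dump($module->authenticate($good), $module->authenticate($bad), $module->authenticate([]));
```

Basic credentials travel in clear in every request, so a module like this only makes sense behind TLS; when it returns an empty list the application should answer 401 with a WWW-Authenticate: Basic challenge, which is what makes the browser prompt.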