Example implementation of the LightOpenID library in Kohana
--
-- Table structure for table `user_identities`
--
-- Links an identifier asserted by an external identity provider
-- (`provider_id`) to a local account (`user_id`). Per the table comment,
-- the stored identifiers are OpenID URLs.
--
-- NOTE(review): uniqueness is enforced on `provider_id` alone, not on the
-- pair (`provider`, `provider_id`). Any code that resolves a login by
-- `provider_id` only is unambiguous because of this key; if the key is ever
-- widened to include `provider`, such lookups must be scoped by provider too.
--
-- NOTE(review): despite the fk_ prefixes in the key names, this statement
-- declares no FOREIGN KEY constraint on `user_id`, so the database itself
-- does not stop an identity row from outliving its user - confirm whether a
-- constraint is added elsewhere.
--
CREATE TABLE IF NOT EXISTS `user_identities` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`provider` varchar(32) NOT NULL COMMENT 'Name of the provider (Google, FB)',
`provider_id` varchar(255) NOT NULL COMMENT 'UID provided by the identity provider',
`user_id` int(10) unsigned NOT NULL,
`created` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`),
-- One row per asserted identifier, regardless of provider
UNIQUE KEY `fk_openids_unique` (`provider_id`),
-- Plain (non-unique) index: one user may hold several identities
KEY `fk_openids_users1_idx` (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='Holds user''s OpenID URL-s' AUTO_INCREMENT=2 ;
<?php defined('SYSPATH') or die('No direct script access.');
/**
 * ORM model for a single external (OpenID) identity linked to a user.
 *
 * Presumably backed by the `user_identities` table - confirm against the
 * ORM's table-name convention.
 *
 * @since 0.1
 */
class Model_User_Identity extends ORM
{
    // No "updated" timestamp column is maintained for this model
    protected $_updated_column = FALSE;

    // Every identity row points at exactly one owning user
    protected $_belongs_to = array(
        'user' => array(),
    );

    /**
     * Validation rules applied when the model is saved.
     *
     * Only provider_id is constrained here, and only to be non-empty.
     *
     * @return array
     */
    public function rules()
    {
        $provider_id_rules = array(
            array('not_empty'),
        );

        return array('provider_id' => $provider_id_rules);
    }
}
<?php defined('SYSPATH') or die('No direct script access.');
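/**
 * Handles user authentication through an external OpenID provider.
 *
 * Flow: action_login() sends the browser to the provider; the provider sends
 * it back to action_finish_google_login(), which validates the response and
 * logs in the local user linked to the asserted identity.
 *
 * @since 0.1
 */
class Controller_Public extends Commoneer_Controller_Auth
{
    /**
     * Path to the LightOpenID library, relative to DOCROOT
     */
    const OPENID_LIB_PATH = 'vendor/fp/lightopenid/openid.php';

    /**
     * The OpenID provider to use for OpenID auth
     *
     * NOTE(review): Google has retired its OpenID 2.0 service in favour of
     * OpenID Connect, so treat this endpoint as historical and confirm the
     * provider before reusing the example.
     *
     * @since 0.1
     */
    const OPENID_URL = 'https://www.google.com/accounts/o8/id';

    /**
     * @var LightOpenID The OpenID library object
     * @since 0.1
     */
    private $_openid;

    /**
     * @var array Keys to request from the OpenID provider
     * @link http://code.google.com/p/lightopenid/wiki/GettingMoreInformation
     */
    public static $provider_keys = array('contact/email', 'namePerson/first', 'namePerson/last');

    /**
     * Loads the LightOpenID library and creates the client used by the actions.
     *
     * @throws Kohana_Exception When the library file is missing
     * @since 0.1
     */
    public function before()
    {
        parent::before();

        // Include the OpenID library
        $library = DOCROOT.self::OPENID_LIB_PATH;
        if ( ! file_exists($library)) {
            throw new Kohana_Exception('OpenID library not found!');
        }

        // require_once: a second controller instance in the same request
        // must not try to declare the library class again
        require_once $library;

        // NOTE(review): HTTP_HOST comes from the request's Host header, which
        // the client controls. The library receives it as this site's host,
        // so prefer a configured hostname or check the header against an
        // allow-list of names this site is actually served under.
        $this->_openid = new LightOpenID($_SERVER['HTTP_HOST']);
    }

    /**
     * Redirect main site if already logged in
     *
     * @since 0.1.0
     */
    public function action_index()
    {
        if (Auth::instance()->logged_in()) {
            $this->redirect('');
        }
    }

    /**
     * Handles login: first step of the two-step auth process.
     * Sends the user to the OpenID provider.
     *
     * @since 0.1.0
     */
    public function action_login()
    {
        // Already logged in?
        if (Auth::instance()->logged_in()) {
            $this->redirect('');
        }

        try {
            // Provider URL
            $this->_openid->identity = self::OPENID_URL;

            // Return URL
            // NOTE(review): the return address is built with the 'http'
            // scheme, so the provider's response - including the asserted
            // identity - travels back over an unencrypted connection. If the
            // site is served over TLS, build this address with https.
            $this->_openid->returnUrl = URL::base('http').'public/finish_google_login';

            // Requested info
            $this->_openid->required = self::$provider_keys;

            // Redirect to provider
            $this->redirect($this->_openid->authUrl());
        } catch (ErrorException $e) {
            Notify::msg($e->getMessage(), Notify::ERROR);
        }

        $this->redirect('public');
    }

    /**
     * Finish OpenID authentication.
     * Second step of the two-step auth process.
     * User is redirected here from the provider page.
     *
     * Only identities that already exist in the database and whose user holds
     * the login role are logged in; every other outcome ends with an error
     * notice and a redirect to the site root.
     *
     * @since 0.1
     */
    public function action_finish_google_login()
    {
        // Strict comparison: only the literal string 'cancel' is a cancellation
        if ($this->_openid->mode === 'cancel') { // Auth cancelled
            Notify::msg('public.login.openid.cancel', Notify::ERROR);
        } elseif ($this->_response_is_valid()) { // Auth success
            // Try to find the ID from the database.
            // NOTE(review): the lookup matches on provider_id alone. That is
            // unambiguous only while a single provider is accepted; if more
            // providers are added, scope the query by provider as well so an
            // assertion from one provider cannot resolve to an identity that
            // was registered through another.
            $identity = ORM::factory(
                'User_Identity',
                array(
                    'provider_id' => $this->_openid->identity,
                )
            );

            if ($identity->loaded()) { // Identity exists, login
                if ($identity->user->has('roles', Role::LOGIN)) {
                    Auth::instance()->force_login($identity->user);
                    $this->redirect('admin');
                } else {
                    Notify::msg('public.login.openid.denied', Notify::ERROR);
                }
            } else { // This is a new user
                Notify::msg('public.login.signup_disabled', Notify::ERROR);
            }
        } else { // Response missing, malformed or rejected
            // Tell the user the login failed instead of redirecting silently
            Notify::msg('public.login.openid.denied', Notify::ERROR);
        }

        $this->redirect('');
    }

    /**
     * Validates the provider's response, treating library errors as failure.
     *
     * action_login() already handles ErrorException from the library as a
     * recoverable condition; this does the same for the return leg, so a
     * malformed or unverifiable response ends in a denied login rather than
     * an unhandled exception. The error text is logged, not shown to the user.
     *
     * @return bool TRUE only when the library reports a valid response
     */
    private function _response_is_valid()
    {
        try {
            return (bool) $this->_openid->validate();
        } catch (ErrorException $e) {
            Kohana::$log->add(
                Log::WARNING,
                'OpenID response validation failed: :message',
                array(':message' => $e->getMessage())
            );

            return FALSE;
        }
    }
}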