|
1.1.1
by Arnau Alcázar Lleopart
Added openid library |
1 |
<?php
|
2 |
||
3 |
/**
|
|
4 |
* This module documents the main interface with the OpenID consumer
|
|
5 |
* library. The only part of the library which has to be used and
|
|
6 |
* isn't documented in full here is the store required to create an
|
|
7 |
* Auth_OpenID_Consumer instance. More on the abstract store type and
|
|
8 |
* concrete implementations of it that are provided in the
|
|
9 |
* documentation for the Auth_OpenID_Consumer constructor.
|
|
10 |
*
|
|
11 |
* OVERVIEW
|
|
12 |
*
|
|
13 |
* The OpenID identity verification process most commonly uses the
|
|
14 |
* following steps, as visible to the user of this library:
|
|
15 |
*
|
|
16 |
* 1. The user enters their OpenID into a field on the consumer's
|
|
17 |
* site, and hits a login button.
|
|
18 |
* 2. The consumer site discovers the user's OpenID server using the
|
|
19 |
* YADIS protocol.
|
|
20 |
* 3. The consumer site sends the browser a redirect to the identity
|
|
21 |
* server. This is the authentication request as described in
|
|
22 |
* the OpenID specification.
|
|
23 |
* 4. The identity server's site sends the browser a redirect back
|
|
24 |
* to the consumer site. This redirect contains the server's
|
|
25 |
* response to the authentication request.
|
|
26 |
*
|
|
27 |
* The most important part of the flow to note is the consumer's site
|
|
28 |
* must handle two separate HTTP requests in order to perform the full
|
|
29 |
* identity check.
|
|
30 |
*
|
|
31 |
* LIBRARY DESIGN
|
|
32 |
*
|
|
33 |
* This consumer library is designed with that flow in mind. The goal
|
|
34 |
* is to make it as easy as possible to perform the above steps
|
|
35 |
* securely.
|
|
36 |
*
|
|
37 |
* At a high level, there are two important parts in the consumer
|
|
38 |
* library. The first important part is this module, which contains
|
|
39 |
* the interface to actually use this library. The second is the
|
|
40 |
* Auth_OpenID_Interface class, which describes the interface to use
|
|
41 |
* if you need to create a custom method for storing the state this
|
|
42 |
* library needs to maintain between requests.
|
|
43 |
*
|
|
44 |
* In general, the second part is less important for users of the
|
|
45 |
* library to know about, as several implementations are provided
|
|
46 |
* which cover a wide variety of situations in which consumers may use
|
|
47 |
* the library.
|
|
48 |
*
|
|
49 |
* This module contains a class, Auth_OpenID_Consumer, with methods
|
|
50 |
* corresponding to the actions necessary in each of steps 2, 3, and 4
|
|
51 |
* described in the overview. Use of this library should be as easy
|
|
52 |
* as creating an Auth_OpenID_Consumer instance and calling the
|
|
53 |
* methods appropriate for the action the site wants to take.
|
|
54 |
*
|
|
55 |
* STORES AND DUMB MODE
|
|
56 |
*
|
|
57 |
* OpenID is a protocol that works best when the consumer site is able
|
|
58 |
* to store some state. This is the normal mode of operation for the
|
|
59 |
* protocol, and is sometimes referred to as smart mode. There is
|
|
60 |
* also a fallback mode, known as dumb mode, which is available when
|
|
61 |
* the consumer site is not able to store state. This mode should be
|
|
62 |
* avoided when possible, as it leaves the implementation more
|
|
63 |
* vulnerable to replay attacks.
|
|
64 |
*
|
|
65 |
* The mode the library works in for normal operation is determined by
|
|
66 |
* the store that it is given. The store is an abstraction that
|
|
67 |
* handles the data that the consumer needs to manage between http
|
|
68 |
* requests in order to operate efficiently and securely.
|
|
69 |
*
|
|
70 |
* Several store implementation are provided, and the interface is
|
|
71 |
* fully documented so that custom stores can be used as well. See
|
|
72 |
* the documentation for the Auth_OpenID_Consumer class for more
|
|
73 |
* information on the interface for stores. The implementations that
|
|
74 |
* are provided allow the consumer site to store the necessary data in
|
|
75 |
* several different ways, including several SQL databases and normal
|
|
76 |
* files on disk.
|
|
77 |
*
|
|
78 |
* There is an additional concrete store provided that puts the system
|
|
79 |
* in dumb mode. This is not recommended, as it removes the library's
|
|
80 |
* ability to stop replay attacks reliably. It still uses time-based
|
|
81 |
* checking to make replay attacks only possible within a small
|
|
82 |
* window, but they remain possible within that window. This store
|
|
83 |
* should only be used if the consumer site has no way to retain data
|
|
84 |
* between requests at all.
|
|
85 |
*
|
|
86 |
* IMMEDIATE MODE
|
|
87 |
*
|
|
88 |
* In the flow described above, the user may need to confirm to the
|
|
89 |
* lidentity server that it's ok to authorize his or her identity.
|
|
90 |
* The server may draw pages asking for information from the user
|
|
91 |
* before it redirects the browser back to the consumer's site. This
|
|
92 |
* is generally transparent to the consumer site, so it is typically
|
|
93 |
* ignored as an implementation detail.
|
|
94 |
*
|
|
95 |
* There can be times, however, where the consumer site wants to get a
|
|
96 |
* response immediately. When this is the case, the consumer can put
|
|
97 |
* the library in immediate mode. In immediate mode, there is an
|
|
98 |
* extra response possible from the server, which is essentially the
|
|
99 |
* server reporting that it doesn't have enough information to answer
|
|
100 |
* the question yet.
|
|
101 |
*
|
|
102 |
* USING THIS LIBRARY
|
|
103 |
*
|
|
104 |
* Integrating this library into an application is usually a
|
|
105 |
* relatively straightforward process. The process should basically
|
|
106 |
* follow this plan:
|
|
107 |
*
|
|
108 |
* Add an OpenID login field somewhere on your site. When an OpenID
|
|
109 |
* is entered in that field and the form is submitted, it should make
|
|
110 |
* a request to the your site which includes that OpenID URL.
|
|
111 |
*
|
|
112 |
* First, the application should instantiate the Auth_OpenID_Consumer
|
|
113 |
* class using the store of choice (Auth_OpenID_FileStore or one of
|
|
114 |
* the SQL-based stores). If the application has a custom
|
|
115 |
* session-management implementation, an object implementing the
|
|
116 |
* {@link Auth_Yadis_PHPSession} interface should be passed as the
|
|
117 |
* second parameter. Otherwise, the default uses $_SESSION.
|
|
118 |
*
|
|
119 |
* Next, the application should call the Auth_OpenID_Consumer object's
|
|
120 |
* 'begin' method. This method takes the OpenID URL. The 'begin'
|
|
121 |
* method returns an Auth_OpenID_AuthRequest object.
|
|
122 |
*
|
|
123 |
* Next, the application should call the 'redirectURL' method of the
|
|
124 |
* Auth_OpenID_AuthRequest object. The 'return_to' URL parameter is
|
|
125 |
* the URL that the OpenID server will send the user back to after
|
|
126 |
* attempting to verify his or her identity. The 'trust_root' is the
|
|
127 |
* URL (or URL pattern) that identifies your web site to the user when
|
|
128 |
* he or she is authorizing it. Send a redirect to the resulting URL
|
|
129 |
* to the user's browser.
|
|
130 |
*
|
|
131 |
* That's the first half of the authentication process. The second
|
|
132 |
* half of the process is done after the user's ID server sends the
|
|
133 |
* user's browser a redirect back to your site to complete their
|
|
134 |
* login.
|
|
135 |
*
|
|
136 |
* When that happens, the user will contact your site at the URL given
|
|
137 |
* as the 'return_to' URL to the Auth_OpenID_AuthRequest::redirectURL
|
|
138 |
* call made above. The request will have several query parameters
|
|
139 |
* added to the URL by the identity server as the information
|
|
140 |
* necessary to finish the request.
|
|
141 |
*
|
|
142 |
* Lastly, instantiate an Auth_OpenID_Consumer instance as above and
|
|
143 |
* call its 'complete' method, passing in all the received query
|
|
144 |
* arguments.
|
|
145 |
*
|
|
146 |
* There are multiple possible return types possible from that
|
|
147 |
* method. These indicate the whether or not the login was successful,
|
|
148 |
* and include any additional information appropriate for their type.
|
|
149 |
*
|
|
150 |
* PHP versions 4 and 5
|
|
151 |
*
|
|
152 |
* LICENSE: See the COPYING file included in this distribution.
|
|
153 |
*
|
|
154 |
* @package OpenID
|
|
155 |
* @author JanRain, Inc. <openid@janrain.com>
|
|
156 |
* @copyright 2005-2008 Janrain, Inc.
|
|
157 |
* @license http://www.apache.org/licenses/LICENSE-2.0 Apache
|
|
158 |
*/
|
|
159 |
||
160 |
/**
|
|
161 |
* Require utility classes and functions for the consumer.
|
|
162 |
*/
|
|
163 |
require_once "Auth/OpenID.php"; |
|
164 |
require_once "Auth/OpenID/Message.php"; |
|
165 |
require_once "Auth/OpenID/HMAC.php"; |
|
166 |
require_once "Auth/OpenID/Association.php"; |
|
167 |
require_once "Auth/OpenID/CryptUtil.php"; |
|
168 |
require_once "Auth/OpenID/DiffieHellman.php"; |
|
169 |
require_once "Auth/OpenID/KVForm.php"; |
|
170 |
require_once "Auth/OpenID/Nonce.php"; |
|
171 |
require_once "Auth/OpenID/Discover.php"; |
|
172 |
require_once "Auth/OpenID/URINorm.php"; |
|
173 |
require_once "Auth/Yadis/Manager.php"; |
|
174 |
require_once "Auth/Yadis/XRI.php"; |
|
175 |
||
176 |
/**
|
|
177 |
* This is the status code returned when the complete method returns
|
|
178 |
* successfully.
|
|
179 |
*/
|
|
180 |
define('Auth_OpenID_SUCCESS', 'success'); |
|
181 |
||
182 |
/**
|
|
183 |
* Status to indicate cancellation of OpenID authentication.
|
|
184 |
*/
|
|
185 |
define('Auth_OpenID_CANCEL', 'cancel'); |
|
186 |
||
187 |
/**
|
|
188 |
* This is the status code completeAuth returns when the value it
|
|
189 |
* received indicated an invalid login.
|
|
190 |
*/
|
|
191 |
define('Auth_OpenID_FAILURE', 'failure'); |
|
192 |
||
193 |
/**
|
|
194 |
* This is the status code completeAuth returns when the
|
|
195 |
* {@link Auth_OpenID_Consumer} instance is in immediate mode, and the
|
|
196 |
* identity server sends back a URL to send the user to to complete his
|
|
197 |
* or her login.
|
|
198 |
*/
|
|
199 |
define('Auth_OpenID_SETUP_NEEDED', 'setup needed'); |
|
200 |
||
201 |
/**
|
|
202 |
* This is the status code beginAuth returns when the page fetched
|
|
203 |
* from the entered OpenID URL doesn't contain the necessary link tags
|
|
204 |
* to function as an identity page.
|
|
205 |
*/
|
|
206 |
define('Auth_OpenID_PARSE_ERROR', 'parse error'); |
|
207 |
||
208 |
/**
|
|
209 |
* An OpenID consumer implementation that performs discovery and does
|
|
210 |
* session management. See the Consumer.php file documentation for
|
|
211 |
* more information.
|
|
212 |
*
|
|
213 |
* @package OpenID
|
|
214 |
*/
|
|
215 |
class Auth_OpenID_Consumer { |
|
216 |
||
217 |
/**
|
|
218 |
* @access private
|
|
219 |
*/
|
|
220 |
var $discoverMethod = 'Auth_OpenID_discover'; |
|
221 |
||
222 |
/**
|
|
223 |
* @access private
|
|
224 |
*/
|
|
225 |
var $session_key_prefix = "_openid_consumer_"; |
|
226 |
||
227 |
/**
|
|
228 |
* @access private
|
|
229 |
*/
|
|
230 |
var $_token_suffix = "last_token"; |
|
231 |
||
232 |
/**
|
|
233 |
* Initialize a Consumer instance.
|
|
234 |
*
|
|
235 |
* You should create a new instance of the Consumer object with
|
|
236 |
* every HTTP request that handles OpenID transactions.
|
|
237 |
*
|
|
238 |
* @param Auth_OpenID_OpenIDStore $store This must be an object
|
|
239 |
* that implements the interface in {@link
|
|
240 |
* Auth_OpenID_OpenIDStore}. Several concrete implementations are
|
|
241 |
* provided, to cover most common use cases. For stores backed by
|
|
242 |
* MySQL, PostgreSQL, or SQLite, see the {@link
|
|
243 |
* Auth_OpenID_SQLStore} class and its sublcasses. For a
|
|
244 |
* filesystem-backed store, see the {@link Auth_OpenID_FileStore}
|
|
245 |
* module. As a last resort, if it isn't possible for the server
|
|
246 |
* to store state at all, an instance of {@link
|
|
247 |
* Auth_OpenID_DumbStore} can be used.
|
|
248 |
*
|
|
249 |
* @param mixed $session An object which implements the interface
|
|
250 |
* of the {@link Auth_Yadis_PHPSession} class. Particularly, this
|
|
251 |
* object is expected to have these methods: get($key), set($key),
|
|
252 |
* $value), and del($key). This defaults to a session object
|
|
253 |
* which wraps PHP's native session machinery. You should only
|
|
254 |
* need to pass something here if you have your own sessioning
|
|
255 |
* implementation.
|
|
256 |
*
|
|
257 |
* @param str $consumer_cls The name of the class to instantiate
|
|
258 |
* when creating the internal consumer object. This is used for
|
|
259 |
* testing.
|
|
260 |
*/
|
|
261 |
function Auth_OpenID_Consumer(&$store, $session = null, |
|
262 |
$consumer_cls = null) |
|
263 |
{
|
|
264 |
if ($session === null) { |
|
265 |
$session = new Auth_Yadis_PHPSession(); |
|
266 |
}
|
|
267 |
||
268 |
$this->session =& $session; |
|
269 |
||
270 |
if ($consumer_cls !== null) { |
|
271 |
$this->consumer =& new $consumer_cls($store); |
|
272 |
} else { |
|
273 |
$this->consumer =& new Auth_OpenID_GenericConsumer($store); |
|
274 |
}
|
|
275 |
||
276 |
$this->_token_key = $this->session_key_prefix . $this->_token_suffix; |
|
277 |
}
|
|
278 |
||
279 |
/**
|
|
280 |
* Used in testing to define the discovery mechanism.
|
|
281 |
*
|
|
282 |
* @access private
|
|
283 |
*/
|
|
284 |
function getDiscoveryObject(&$session, $openid_url, |
|
285 |
$session_key_prefix) |
|
286 |
{
|
|
287 |
return new Auth_Yadis_Discovery($session, $openid_url, |
|
288 |
$session_key_prefix); |
|
289 |
}
|
|
290 |
||
291 |
/**
|
|
292 |
* Start the OpenID authentication process. See steps 1-2 in the
|
|
293 |
* overview at the top of this file.
|
|
294 |
*
|
|
295 |
* @param string $user_url Identity URL given by the user. This
|
|
296 |
* method performs a textual transformation of the URL to try and
|
|
297 |
* make sure it is normalized. For example, a user_url of
|
|
298 |
* example.com will be normalized to http://example.com/
|
|
299 |
* normalizing and resolving any redirects the server might issue.
|
|
300 |
*
|
|
301 |
* @param bool $anonymous True if the OpenID request is to be sent
|
|
302 |
* to the server without any identifier information. Use this
|
|
303 |
* when you want to transport data but don't want to do OpenID
|
|
304 |
* authentication with identifiers.
|
|
305 |
*
|
|
306 |
* @return Auth_OpenID_AuthRequest $auth_request An object
|
|
307 |
* containing the discovered information will be returned, with a
|
|
308 |
* method for building a redirect URL to the server, as described
|
|
309 |
* in step 3 of the overview. This object may also be used to add
|
|
310 |
* extension arguments to the request, using its 'addExtensionArg'
|
|
311 |
* method.
|
|
312 |
*/
|
|
313 |
function begin($user_url, $anonymous=false) |
|
314 |
{
|
|
315 |
$openid_url = $user_url; |
|
316 |
||
317 |
$disco = $this->getDiscoveryObject($this->session, |
|
318 |
$openid_url, |
|
319 |
$this->session_key_prefix); |
|
320 |
||
321 |
// Set the 'stale' attribute of the manager. If discovery
|
|
322 |
// fails in a fatal way, the stale flag will cause the manager
|
|
323 |
// to be cleaned up next time discovery is attempted.
|
|
324 |
||
325 |
$m = $disco->getManager(); |
|
326 |
$loader = new Auth_Yadis_ManagerLoader(); |
|
327 |
||
328 |
if ($m) { |
|
329 |
if ($m->stale) { |
|
330 |
$disco->destroyManager(); |
|
331 |
} else { |
|
332 |
$m->stale = true; |
|
333 |
$disco->session->set($disco->session_key, |
|
334 |
serialize($loader->toSession($m))); |
|
335 |
}
|
|
336 |
}
|
|
337 |
||
338 |
$endpoint = $disco->getNextService($this->discoverMethod, |
|
339 |
$this->consumer->fetcher); |
|
340 |
||
341 |
// Reset the 'stale' attribute of the manager.
|
|
342 |
$m =& $disco->getManager(); |
|
343 |
if ($m) { |
|
344 |
$m->stale = false; |
|
345 |
$disco->session->set($disco->session_key, |
|
346 |
serialize($loader->toSession($m))); |
|
347 |
}
|
|
348 |
||
349 |
if ($endpoint === null) { |
|
350 |
return null; |
|
351 |
} else { |
|
352 |
return $this->beginWithoutDiscovery($endpoint, |
|
353 |
$anonymous); |
|
354 |
}
|
|
355 |
}
|
|
356 |
||
357 |
/**
|
|
358 |
* Start OpenID verification without doing OpenID server
|
|
359 |
* discovery. This method is used internally by Consumer.begin
|
|
360 |
* after discovery is performed, and exists to provide an
|
|
361 |
* interface for library users needing to perform their own
|
|
362 |
* discovery.
|
|
363 |
*
|
|
364 |
* @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service
|
|
365 |
* endpoint descriptor.
|
|
366 |
*
|
|
367 |
* @param bool anonymous Set to true if you want to perform OpenID
|
|
368 |
* without identifiers.
|
|
369 |
*
|
|
370 |
* @return Auth_OpenID_AuthRequest $auth_request An OpenID
|
|
371 |
* authentication request object.
|
|
372 |
*/
|
|
373 |
function &beginWithoutDiscovery($endpoint, $anonymous=false) |
|
374 |
{
|
|
375 |
$loader = new Auth_OpenID_ServiceEndpointLoader(); |
|
376 |
$auth_req = $this->consumer->begin($endpoint); |
|
377 |
$this->session->set($this->_token_key, |
|
378 |
$loader->toSession($auth_req->endpoint)); |
|
379 |
if (!$auth_req->setAnonymous($anonymous)) { |
|
380 |
return new Auth_OpenID_FailureResponse(null, |
|
381 |
"OpenID 1 requests MUST include the identifier " . |
|
382 |
"in the request."); |
|
383 |
}
|
|
384 |
return $auth_req; |
|
385 |
}
|
|
386 |
||
387 |
/**
|
|
388 |
* Called to interpret the server's response to an OpenID
|
|
389 |
* request. It is called in step 4 of the flow described in the
|
|
390 |
* consumer overview.
|
|
391 |
*
|
|
392 |
* @param string $current_url The URL used to invoke the application.
|
|
393 |
* Extract the URL from your application's web
|
|
394 |
* request framework and specify it here to have it checked
|
|
395 |
* against the openid.current_url value in the response. If
|
|
396 |
* the current_url URL check fails, the status of the
|
|
397 |
* completion will be FAILURE.
|
|
398 |
*
|
|
399 |
* @param array $query An array of the query parameters (key =>
|
|
400 |
* value pairs) for this HTTP request. Defaults to null. If
|
|
401 |
* null, the GET or POST data are automatically gotten from the
|
|
402 |
* PHP environment. It is only useful to override $query for
|
|
403 |
* testing.
|
|
404 |
*
|
|
405 |
* @return Auth_OpenID_ConsumerResponse $response A instance of an
|
|
406 |
* Auth_OpenID_ConsumerResponse subclass. The type of response is
|
|
407 |
* indicated by the status attribute, which will be one of
|
|
408 |
* SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
|
|
409 |
*/
|
|
410 |
function complete($current_url, $query=null) |
|
411 |
{
|
|
412 |
if ($current_url && !is_string($current_url)) { |
|
413 |
// This is ugly, but we need to complain loudly when
|
|
414 |
// someone uses the API incorrectly.
|
|
415 |
trigger_error("current_url must be a string; see NEWS file " . |
|
416 |
"for upgrading notes.", |
|
417 |
E_USER_ERROR); |
|
418 |
}
|
|
419 |
||
420 |
if ($query === null) { |
|
421 |
$query = Auth_OpenID::getQuery(); |
|
422 |
}
|
|
423 |
||
424 |
$loader = new Auth_OpenID_ServiceEndpointLoader(); |
|
425 |
$endpoint_data = $this->session->get($this->_token_key); |
|
426 |
$endpoint = |
|
427 |
$loader->fromSession($endpoint_data); |
|
428 |
||
429 |
$message = Auth_OpenID_Message::fromPostArgs($query); |
|
430 |
$response = $this->consumer->complete($message, $endpoint, |
|
431 |
$current_url); |
|
432 |
$this->session->del($this->_token_key); |
|
433 |
||
434 |
if (in_array($response->status, array(Auth_OpenID_SUCCESS, |
|
435 |
Auth_OpenID_CANCEL))) { |
|
436 |
if ($response->identity_url !== null) { |
|
437 |
$disco = $this->getDiscoveryObject($this->session, |
|
438 |
$response->identity_url, |
|
439 |
$this->session_key_prefix); |
|
440 |
$disco->cleanup(true); |
|
441 |
}
|
|
442 |
}
|
|
443 |
||
444 |
return $response; |
|
445 |
}
|
|
446 |
}
|
|
447 |
||
448 |
/**
|
|
449 |
* A class implementing HMAC/DH-SHA1 consumer sessions.
|
|
450 |
*
|
|
451 |
* @package OpenID
|
|
452 |
*/
|
|
453 |
class Auth_OpenID_DiffieHellmanSHA1ConsumerSession { |
|
454 |
var $session_type = 'DH-SHA1'; |
|
455 |
var $hash_func = 'Auth_OpenID_SHA1'; |
|
456 |
var $secret_size = 20; |
|
457 |
var $allowed_assoc_types = array('HMAC-SHA1'); |
|
458 |
||
459 |
function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null) |
|
460 |
{
|
|
461 |
if ($dh === null) { |
|
462 |
$dh = new Auth_OpenID_DiffieHellman(); |
|
463 |
}
|
|
464 |
||
465 |
$this->dh = $dh; |
|
466 |
}
|
|
467 |
||
468 |
function getRequest() |
|
469 |
{
|
|
470 |
$math =& Auth_OpenID_getMathLib(); |
|
471 |
||
472 |
$cpub = $math->longToBase64($this->dh->public); |
|
473 |
||
474 |
$args = array('dh_consumer_public' => $cpub); |
|
475 |
||
476 |
if (!$this->dh->usingDefaultValues()) { |
|
477 |
$args = array_merge($args, array( |
|
478 |
'dh_modulus' => |
|
479 |
$math->longToBase64($this->dh->mod), |
|
480 |
'dh_gen' => |
|
481 |
$math->longToBase64($this->dh->gen))); |
|
482 |
}
|
|
483 |
||
484 |
return $args; |
|
485 |
}
|
|
486 |
||
487 |
function extractSecret($response) |
|
488 |
{
|
|
489 |
if (!$response->hasKey(Auth_OpenID_OPENID_NS, |
|
490 |
'dh_server_public')) { |
|
491 |
return null; |
|
492 |
}
|
|
493 |
||
494 |
if (!$response->hasKey(Auth_OpenID_OPENID_NS, |
|
495 |
'enc_mac_key')) { |
|
496 |
return null; |
|
497 |
}
|
|
498 |
||
499 |
$math =& Auth_OpenID_getMathLib(); |
|
500 |
||
501 |
$spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS, |
|
502 |
'dh_server_public')); |
|
503 |
$enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS, |
|
504 |
'enc_mac_key')); |
|
505 |
||
506 |
return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func); |
|
507 |
}
|
|
508 |
}
|
|
509 |
||
510 |
/**
|
|
511 |
* A class implementing HMAC/DH-SHA256 consumer sessions.
|
|
512 |
*
|
|
513 |
* @package OpenID
|
|
514 |
*/
|
|
515 |
class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends |
|
516 |
Auth_OpenID_DiffieHellmanSHA1ConsumerSession { |
|
517 |
var $session_type = 'DH-SHA256'; |
|
518 |
var $hash_func = 'Auth_OpenID_SHA256'; |
|
519 |
var $secret_size = 32; |
|
520 |
var $allowed_assoc_types = array('HMAC-SHA256'); |
|
521 |
}
|
|
522 |
||
523 |
/**
|
|
524 |
* A class implementing plaintext consumer sessions.
|
|
525 |
*
|
|
526 |
* @package OpenID
|
|
527 |
*/
|
|
528 |
class Auth_OpenID_PlainTextConsumerSession { |
|
529 |
var $session_type = 'no-encryption'; |
|
530 |
var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); |
|
531 |
||
532 |
function getRequest() |
|
533 |
{
|
|
534 |
return array(); |
|
535 |
}
|
|
536 |
||
537 |
function extractSecret($response) |
|
538 |
{
|
|
539 |
if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) { |
|
540 |
return null; |
|
541 |
}
|
|
542 |
||
543 |
return base64_decode($response->getArg(Auth_OpenID_OPENID_NS, |
|
544 |
'mac_key')); |
|
545 |
}
|
|
546 |
}
|
|
547 |
||
548 |
/**
|
|
549 |
* Returns available session types.
|
|
550 |
*/
|
|
551 |
function Auth_OpenID_getAvailableSessionTypes() |
|
552 |
{
|
|
553 |
$types = array( |
|
554 |
'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession', |
|
555 |
'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession', |
|
556 |
'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession'); |
|
557 |
||
558 |
return $types; |
|
559 |
}
|
|
560 |
||
561 |
/**
|
|
562 |
* This class is the interface to the OpenID consumer logic.
|
|
563 |
* Instances of it maintain no per-request state, so they can be
|
|
564 |
* reused (or even used by multiple threads concurrently) as needed.
|
|
565 |
*
|
|
566 |
* @package OpenID
|
|
567 |
*/
|
|
568 |
class Auth_OpenID_GenericConsumer { |
|
569 |
/**
|
|
570 |
* @access private
|
|
571 |
*/
|
|
572 |
var $discoverMethod = 'Auth_OpenID_discover'; |
|
573 |
||
574 |
/**
|
|
575 |
* This consumer's store object.
|
|
576 |
*/
|
|
577 |
var $store; |
|
578 |
||
579 |
/**
|
|
580 |
* @access private
|
|
581 |
*/
|
|
582 |
var $_use_assocs; |
|
583 |
||
584 |
/**
|
|
585 |
* @access private
|
|
586 |
*/
|
|
587 |
var $openid1_nonce_query_arg_name = 'janrain_nonce'; |
|
588 |
||
589 |
/**
|
|
590 |
* Another query parameter that gets added to the return_to for
|
|
591 |
* OpenID 1; if the user's session state is lost, use this claimed
|
|
592 |
* identifier to do discovery when verifying the response.
|
|
593 |
*/
|
|
594 |
var $openid1_return_to_identifier_name = 'openid1_claimed_id'; |
|
595 |
||
596 |
/**
|
|
597 |
* This method initializes a new {@link Auth_OpenID_Consumer}
|
|
598 |
* instance to access the library.
|
|
599 |
*
|
|
600 |
* @param Auth_OpenID_OpenIDStore $store This must be an object
|
|
601 |
* that implements the interface in {@link Auth_OpenID_OpenIDStore}.
|
|
602 |
* Several concrete implementations are provided, to cover most common use
|
|
603 |
* cases. For stores backed by MySQL, PostgreSQL, or SQLite, see
|
|
604 |
* the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a
|
|
605 |
* filesystem-backed store, see the {@link Auth_OpenID_FileStore} module.
|
|
606 |
* As a last resort, if it isn't possible for the server to store
|
|
607 |
* state at all, an instance of {@link Auth_OpenID_DumbStore} can be used.
|
|
608 |
*
|
|
609 |
* @param bool $immediate This is an optional boolean value. It
|
|
610 |
* controls whether the library uses immediate mode, as explained
|
|
611 |
* in the module description. The default value is False, which
|
|
612 |
* disables immediate mode.
|
|
613 |
*/
|
|
614 |
function Auth_OpenID_GenericConsumer(&$store) |
|
615 |
{
|
|
616 |
$this->store =& $store; |
|
617 |
$this->negotiator =& Auth_OpenID_getDefaultNegotiator(); |
|
618 |
$this->_use_assocs = ($this->store ? true : false); |
|
619 |
||
620 |
$this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); |
|
621 |
||
622 |
$this->session_types = Auth_OpenID_getAvailableSessionTypes(); |
|
623 |
}
|
|
624 |
||
625 |
/**
|
|
626 |
* Called to begin OpenID authentication using the specified
|
|
627 |
* {@link Auth_OpenID_ServiceEndpoint}.
|
|
628 |
*
|
|
629 |
* @access private
|
|
630 |
*/
|
|
631 |
function begin($service_endpoint) |
|
632 |
{
|
|
633 |
$assoc = $this->_getAssociation($service_endpoint); |
|
634 |
$r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); |
|
635 |
$r->return_to_args[$this->openid1_nonce_query_arg_name] = |
|
636 |
Auth_OpenID_mkNonce(); |
|
637 |
||
638 |
if ($r->message->isOpenID1()) { |
|
639 |
$r->return_to_args[$this->openid1_return_to_identifier_name] = |
|
640 |
$r->endpoint->claimed_id; |
|
641 |
}
|
|
642 |
||
643 |
return $r; |
|
644 |
}
|
|
645 |
||
646 |
/**
|
|
647 |
* Given an {@link Auth_OpenID_Message}, {@link
|
|
648 |
* Auth_OpenID_ServiceEndpoint} and optional return_to URL,
|
|
649 |
* complete OpenID authentication.
|
|
650 |
*
|
|
651 |
* @access private
|
|
652 |
*/
|
|
653 |
function complete($message, $endpoint, $return_to) |
|
654 |
{
|
|
655 |
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', |
|
656 |
'<no mode set>'); |
|
657 |
||
658 |
$mode_methods = array( |
|
659 |
'cancel' => '_complete_cancel', |
|
660 |
'error' => '_complete_error', |
|
661 |
'setup_needed' => '_complete_setup_needed', |
|
662 |
'id_res' => '_complete_id_res', |
|
663 |
);
|
|
664 |
||
665 |
$method = Auth_OpenID::arrayGet($mode_methods, $mode, |
|
666 |
'_completeInvalid'); |
|
667 |
||
668 |
return call_user_func_array(array(&$this, $method), |
|
669 |
array($message, $endpoint, $return_to)); |
|
670 |
}
|
|
671 |
||
672 |
/**
|
|
673 |
* @access private
|
|
674 |
*/
|
|
675 |
function _completeInvalid($message, &$endpoint, $unused) |
|
676 |
{
|
|
677 |
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', |
|
678 |
'<No mode set>'); |
|
679 |
||
680 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
681 |
sprintf("Invalid openid.mode '%s'", $mode)); |
|
682 |
}
|
|
683 |
||
684 |
/**
|
|
685 |
* @access private
|
|
686 |
*/
|
|
687 |
function _complete_cancel($message, &$endpoint, $unused) |
|
688 |
{
|
|
689 |
return new Auth_OpenID_CancelResponse($endpoint); |
|
690 |
}
|
|
691 |
||
692 |
/**
|
|
693 |
* @access private
|
|
694 |
*/
|
|
695 |
function _complete_error($message, &$endpoint, $unused) |
|
696 |
{
|
|
697 |
$error = $message->getArg(Auth_OpenID_OPENID_NS, 'error'); |
|
698 |
$contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact'); |
|
699 |
$reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference'); |
|
700 |
||
701 |
return new Auth_OpenID_FailureResponse($endpoint, $error, |
|
702 |
$contact, $reference); |
|
703 |
}
|
|
704 |
||
705 |
/**
|
|
706 |
* @access private
|
|
707 |
*/
|
|
708 |
function _complete_setup_needed($message, &$endpoint, $unused) |
|
709 |
{
|
|
710 |
if (!$message->isOpenID2()) { |
|
711 |
return $this->_completeInvalid($message, $endpoint); |
|
712 |
}
|
|
713 |
||
|
12
by Arnau Alcázar Lleopart
Upgraded OpenID lib from version 2.1.1 to 2.1.2 |
714 |
$user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS, |
715 |
'user_setup_url'); |
|
716 |
return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url); |
|
|
1.1.1
by Arnau Alcázar Lleopart
Added openid library |
717 |
}
|
718 |
||
719 |
/**
|
|
720 |
* @access private
|
|
721 |
*/
|
|
722 |
function _complete_id_res($message, &$endpoint, $return_to) |
|
723 |
{
|
|
724 |
$user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, |
|
725 |
'user_setup_url'); |
|
726 |
||
727 |
if ($this->_checkSetupNeeded($message)) { |
|
728 |
return new Auth_OpenID_SetupNeededResponse( |
|
729 |
$endpoint, $user_setup_url); |
|
730 |
} else { |
|
731 |
return $this->_doIdRes($message, $endpoint, $return_to); |
|
732 |
}
|
|
733 |
}
|
|
734 |
||
735 |
/**
|
|
736 |
* @access private
|
|
737 |
*/
|
|
738 |
function _checkSetupNeeded($message) |
|
739 |
{
|
|
740 |
// In OpenID 1, we check to see if this is a cancel from
|
|
741 |
// immediate mode by the presence of the user_setup_url
|
|
742 |
// parameter.
|
|
743 |
if ($message->isOpenID1()) { |
|
744 |
$user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, |
|
745 |
'user_setup_url'); |
|
746 |
if ($user_setup_url !== null) { |
|
747 |
return true; |
|
748 |
}
|
|
749 |
}
|
|
750 |
||
751 |
return false; |
|
752 |
}
|
|
753 |
||
754 |
/**
|
|
755 |
* @access private
|
|
756 |
*/
|
|
757 |
function _doIdRes($message, $endpoint, $return_to) |
|
758 |
{
|
|
759 |
// Checks for presence of appropriate fields (and checks
|
|
760 |
// signed list fields)
|
|
761 |
$result = $this->_idResCheckForFields($message); |
|
762 |
||
763 |
if (Auth_OpenID::isFailure($result)) { |
|
764 |
return $result; |
|
765 |
}
|
|
766 |
||
767 |
if (!$this->_checkReturnTo($message, $return_to)) { |
|
768 |
return new Auth_OpenID_FailureResponse(null, |
|
769 |
sprintf("return_to does not match return URL. Expected %s, got %s", |
|
770 |
$return_to, |
|
771 |
$message->getArg(Auth_OpenID_OPENID_NS, 'return_to'))); |
|
772 |
}
|
|
773 |
||
774 |
// Verify discovery information:
|
|
775 |
$result = $this->_verifyDiscoveryResults($message, $endpoint); |
|
776 |
||
777 |
if (Auth_OpenID::isFailure($result)) { |
|
778 |
return $result; |
|
779 |
}
|
|
780 |
||
781 |
$endpoint = $result; |
|
782 |
||
783 |
$result = $this->_idResCheckSignature($message, |
|
784 |
$endpoint->server_url); |
|
785 |
||
786 |
if (Auth_OpenID::isFailure($result)) { |
|
787 |
return $result; |
|
788 |
}
|
|
789 |
||
790 |
$result = $this->_idResCheckNonce($message, $endpoint); |
|
791 |
||
792 |
if (Auth_OpenID::isFailure($result)) { |
|
793 |
return $result; |
|
794 |
}
|
|
795 |
||
796 |
$signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', |
|
797 |
Auth_OpenID_NO_DEFAULT); |
|
798 |
if (Auth_OpenID::isFailure($signed_list_str)) { |
|
799 |
return $signed_list_str; |
|
800 |
}
|
|
801 |
$signed_list = explode(',', $signed_list_str); |
|
802 |
||
803 |
$signed_fields = Auth_OpenID::addPrefix($signed_list, "openid."); |
|
804 |
||
805 |
return new Auth_OpenID_SuccessResponse($endpoint, $message, |
|
806 |
$signed_fields); |
|
807 |
||
808 |
}
|
|
809 |
||
810 |
/**
|
|
811 |
* @access private
|
|
812 |
*/
|
|
813 |
function _checkReturnTo($message, $return_to) |
|
814 |
{
|
|
815 |
// Check an OpenID message and its openid.return_to value
|
|
816 |
// against a return_to URL from an application. Return True
|
|
817 |
// on success, False on failure.
|
|
818 |
||
819 |
// Check the openid.return_to args against args in the
|
|
820 |
// original message.
|
|
821 |
$result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs( |
|
822 |
$message->toPostArgs()); |
|
823 |
if (Auth_OpenID::isFailure($result)) { |
|
824 |
return false; |
|
825 |
}
|
|
826 |
||
827 |
// Check the return_to base URL against the one in the
|
|
828 |
// message.
|
|
829 |
$msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, |
|
830 |
'return_to'); |
|
831 |
if (Auth_OpenID::isFailure($return_to)) { |
|
832 |
// XXX log me
|
|
833 |
return false; |
|
834 |
}
|
|
835 |
||
836 |
$return_to_parts = parse_url(Auth_OpenID_urinorm($return_to)); |
|
837 |
$msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to)); |
|
838 |
||
839 |
// If port is absent from both, add it so it's equal in the
|
|
840 |
// check below.
|
|
841 |
if ((!array_key_exists('port', $return_to_parts)) && |
|
842 |
(!array_key_exists('port', $msg_return_to_parts))) { |
|
843 |
$return_to_parts['port'] = null; |
|
844 |
$msg_return_to_parts['port'] = null; |
|
845 |
}
|
|
846 |
||
847 |
// If path is absent from both, add it so it's equal in the
|
|
848 |
// check below.
|
|
849 |
if ((!array_key_exists('path', $return_to_parts)) && |
|
850 |
(!array_key_exists('path', $msg_return_to_parts))) { |
|
851 |
$return_to_parts['path'] = null; |
|
852 |
$msg_return_to_parts['path'] = null; |
|
853 |
}
|
|
854 |
||
855 |
// The URL scheme, authority, and path MUST be the same
|
|
856 |
// between the two URLs.
|
|
857 |
foreach (array('scheme', 'host', 'port', 'path') as $component) { |
|
858 |
// If the url component is absent in either URL, fail.
|
|
859 |
// There should always be a scheme, host, port, and path.
|
|
860 |
if (!array_key_exists($component, $return_to_parts)) { |
|
861 |
return false; |
|
862 |
}
|
|
863 |
||
864 |
if (!array_key_exists($component, $msg_return_to_parts)) { |
|
865 |
return false; |
|
866 |
}
|
|
867 |
||
868 |
if (Auth_OpenID::arrayGet($return_to_parts, $component) !== |
|
869 |
Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { |
|
870 |
return false; |
|
871 |
}
|
|
872 |
}
|
|
873 |
||
874 |
return true; |
|
875 |
}
|
|
876 |
||
877 |
/**
|
|
878 |
* @access private
|
|
879 |
*/
|
|
880 |
function _verifyReturnToArgs($query) |
|
881 |
{
|
|
882 |
// Verify that the arguments in the return_to URL are present in this
|
|
883 |
// response.
|
|
884 |
||
885 |
$message = Auth_OpenID_Message::fromPostArgs($query); |
|
886 |
$return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); |
|
887 |
||
888 |
if (Auth_OpenID::isFailure($return_to)) { |
|
889 |
return $return_to; |
|
890 |
}
|
|
891 |
// XXX: this should be checked by _idResCheckForFields
|
|
892 |
if (!$return_to) { |
|
893 |
return new Auth_OpenID_FailureResponse(null, |
|
894 |
"Response has no return_to"); |
|
895 |
}
|
|
896 |
||
897 |
$parsed_url = parse_url($return_to); |
|
898 |
||
899 |
$q = array(); |
|
900 |
if (array_key_exists('query', $parsed_url)) { |
|
901 |
$rt_query = $parsed_url['query']; |
|
902 |
$q = Auth_OpenID::parse_str($rt_query); |
|
903 |
}
|
|
904 |
||
905 |
foreach ($q as $rt_key => $rt_value) { |
|
906 |
if (!array_key_exists($rt_key, $query)) { |
|
907 |
return new Auth_OpenID_FailureResponse(null, |
|
908 |
sprintf("return_to parameter %s absent from query", $rt_key)); |
|
909 |
} else { |
|
910 |
$value = $query[$rt_key]; |
|
911 |
if ($rt_value != $value) { |
|
912 |
return new Auth_OpenID_FailureResponse(null, |
|
913 |
sprintf("parameter %s value %s does not match " . |
|
914 |
"return_to value %s", $rt_key, |
|
915 |
$value, $rt_value)); |
|
916 |
}
|
|
917 |
}
|
|
918 |
}
|
|
919 |
||
920 |
// Make sure all non-OpenID arguments in the response are also
|
|
921 |
// in the signed return_to.
|
|
922 |
$bare_args = $message->getArgs(Auth_OpenID_BARE_NS); |
|
923 |
foreach ($bare_args as $key => $value) { |
|
924 |
if (Auth_OpenID::arrayGet($q, $key) != $value) { |
|
925 |
return new Auth_OpenID_FailureResponse(null, |
|
926 |
sprintf("Parameter %s = %s not in return_to URL", |
|
927 |
$key, $value)); |
|
928 |
}
|
|
929 |
}
|
|
930 |
||
931 |
return true; |
|
932 |
}
|
|
933 |
||
934 |
/**
|
|
935 |
* @access private
|
|
936 |
*/
|
|
937 |
function _idResCheckSignature($message, $server_url) |
|
938 |
{
|
|
939 |
$assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, |
|
940 |
'assoc_handle'); |
|
941 |
if (Auth_OpenID::isFailure($assoc_handle)) { |
|
942 |
return $assoc_handle; |
|
943 |
}
|
|
944 |
||
945 |
$assoc = $this->store->getAssociation($server_url, $assoc_handle); |
|
946 |
||
947 |
if ($assoc) { |
|
948 |
if ($assoc->getExpiresIn() <= 0) { |
|
949 |
// XXX: It might be a good idea sometimes to re-start
|
|
950 |
// the authentication with a new association. Doing it
|
|
951 |
// automatically opens the possibility for
|
|
952 |
// denial-of-service by a server that just returns
|
|
953 |
// expired associations (or really short-lived
|
|
954 |
// associations)
|
|
955 |
return new Auth_OpenID_FailureResponse(null, |
|
956 |
'Association with ' . $server_url . ' expired'); |
|
957 |
}
|
|
958 |
||
959 |
if (!$assoc->checkMessageSignature($message)) { |
|
960 |
return new Auth_OpenID_FailureResponse(null, |
|
961 |
"Bad signature"); |
|
962 |
}
|
|
963 |
} else { |
|
964 |
// It's not an association we know about. Stateless mode
|
|
965 |
// is our only possible path for recovery. XXX - async
|
|
966 |
// framework will not want to block on this call to
|
|
967 |
// _checkAuth.
|
|
968 |
if (!$this->_checkAuth($message, $server_url)) { |
|
969 |
return new Auth_OpenID_FailureResponse(null, |
|
970 |
"Server denied check_authentication"); |
|
971 |
}
|
|
972 |
}
|
|
973 |
||
974 |
return null; |
|
975 |
}
|
|
976 |
||
977 |
/**
|
|
978 |
* @access private
|
|
979 |
*/
|
|
980 |
function _verifyDiscoveryResults($message, $endpoint=null) |
|
981 |
{
|
|
982 |
if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) { |
|
983 |
return $this->_verifyDiscoveryResultsOpenID2($message, |
|
984 |
$endpoint); |
|
985 |
} else { |
|
986 |
return $this->_verifyDiscoveryResultsOpenID1($message, |
|
987 |
$endpoint); |
|
988 |
}
|
|
989 |
}
|
|
990 |
||
991 |
/**
|
|
992 |
* @access private
|
|
993 |
*/
|
|
994 |
function _verifyDiscoveryResultsOpenID1($message, $endpoint) |
|
995 |
{
|
|
996 |
$claimed_id = $message->getArg(Auth_OpenID_BARE_NS, |
|
997 |
$this->openid1_return_to_identifier_name); |
|
998 |
||
999 |
if (($endpoint === null) && ($claimed_id === null)) { |
|
1000 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1001 |
'When using OpenID 1, the claimed ID must be supplied, ' . |
|
1002 |
'either by passing it through as a return_to parameter ' . |
|
1003 |
'or by using a session, and supplied to the GenericConsumer ' . |
|
1004 |
'as the argument to complete()'); |
|
1005 |
} else if (($endpoint !== null) && ($claimed_id === null)) { |
|
1006 |
$claimed_id = $endpoint->claimed_id; |
|
1007 |
}
|
|
1008 |
||
1009 |
$to_match = new Auth_OpenID_ServiceEndpoint(); |
|
1010 |
$to_match->type_uris = array(Auth_OpenID_TYPE_1_1); |
|
1011 |
$to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS, |
|
1012 |
'identity'); |
|
1013 |
||
1014 |
// Restore delegate information from the initiation phase
|
|
1015 |
$to_match->claimed_id = $claimed_id; |
|
1016 |
||
1017 |
if ($to_match->local_id === null) { |
|
1018 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1019 |
"Missing required field openid.identity"); |
|
1020 |
}
|
|
1021 |
||
1022 |
$to_match_1_0 = $to_match->copy(); |
|
1023 |
$to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0); |
|
1024 |
||
1025 |
if ($endpoint !== null) { |
|
1026 |
$result = $this->_verifyDiscoverySingle($endpoint, $to_match); |
|
1027 |
||
1028 |
if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { |
|
1029 |
$result = $this->_verifyDiscoverySingle($endpoint, |
|
1030 |
$to_match_1_0); |
|
1031 |
}
|
|
1032 |
||
1033 |
if (Auth_OpenID::isFailure($result)) { |
|
1034 |
// oidutil.log("Error attempting to use stored
|
|
1035 |
// discovery information: " + str(e))
|
|
1036 |
// oidutil.log("Attempting discovery to
|
|
1037 |
// verify endpoint")
|
|
1038 |
} else { |
|
1039 |
return $endpoint; |
|
1040 |
}
|
|
1041 |
}
|
|
1042 |
||
1043 |
// Endpoint is either bad (failed verification) or None
|
|
1044 |
return $this->_discoverAndVerify($to_match->claimed_id, |
|
1045 |
array($to_match, $to_match_1_0)); |
|
1046 |
}
|
|
1047 |
||
1048 |
/**
|
|
1049 |
* @access private
|
|
1050 |
*/
|
|
1051 |
function _verifyDiscoverySingle($endpoint, $to_match) |
|
1052 |
{
|
|
1053 |
// Every type URI that's in the to_match endpoint has to be
|
|
1054 |
// present in the discovered endpoint.
|
|
1055 |
foreach ($to_match->type_uris as $type_uri) { |
|
1056 |
if (!$endpoint->usesExtension($type_uri)) { |
|
1057 |
return new Auth_OpenID_TypeURIMismatch($endpoint, |
|
1058 |
"Required type ".$type_uri." not present"); |
|
1059 |
}
|
|
1060 |
}
|
|
1061 |
||
1062 |
// Fragments do not influence discovery, so we can't compare a
|
|
1063 |
// claimed identifier with a fragment to discovered
|
|
1064 |
// information.
|
|
1065 |
list($defragged_claimed_id, $_) = |
|
1066 |
Auth_OpenID::urldefrag($to_match->claimed_id); |
|
1067 |
||
1068 |
if ($defragged_claimed_id != $endpoint->claimed_id) { |
|
1069 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1070 |
sprintf('Claimed ID does not match (different subjects!), ' . |
|
1071 |
'Expected %s, got %s', $defragged_claimed_id, |
|
1072 |
$endpoint->claimed_id)); |
|
1073 |
}
|
|
1074 |
||
1075 |
if ($to_match->getLocalID() != $endpoint->getLocalID()) { |
|
1076 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1077 |
sprintf('local_id mismatch. Expected %s, got %s', |
|
1078 |
$to_match->getLocalID(), $endpoint->getLocalID())); |
|
1079 |
}
|
|
1080 |
||
1081 |
// If the server URL is None, this must be an OpenID 1
|
|
1082 |
// response, because op_endpoint is a required parameter in
|
|
1083 |
// OpenID 2. In that case, we don't actually care what the
|
|
1084 |
// discovered server_url is, because signature checking or
|
|
1085 |
// check_auth should take care of that check for us.
|
|
1086 |
if ($to_match->server_url === null) { |
|
1087 |
if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) { |
|
1088 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1089 |
"Preferred namespace mismatch (bug)"); |
|
1090 |
}
|
|
1091 |
} else if ($to_match->server_url != $endpoint->server_url) { |
|
1092 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1093 |
sprintf('OP Endpoint mismatch. Expected %s, got %s', |
|
1094 |
$to_match->server_url, $endpoint->server_url)); |
|
1095 |
}
|
|
1096 |
||
1097 |
return null; |
|
1098 |
}
|
|
1099 |
||
1100 |
/**
|
|
1101 |
* @access private
|
|
1102 |
*/
|
|
1103 |
function _verifyDiscoveryResultsOpenID2($message, $endpoint) |
|
1104 |
{
|
|
1105 |
$to_match = new Auth_OpenID_ServiceEndpoint(); |
|
1106 |
$to_match->type_uris = array(Auth_OpenID_TYPE_2_0); |
|
1107 |
$to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, |
|
1108 |
'claimed_id'); |
|
1109 |
||
1110 |
$to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS, |
|
1111 |
'identity'); |
|
1112 |
||
1113 |
$to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS, |
|
1114 |
'op_endpoint'); |
|
1115 |
||
1116 |
if ($to_match->server_url === null) { |
|
1117 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1118 |
"OP Endpoint URL missing"); |
|
1119 |
}
|
|
1120 |
||
1121 |
// claimed_id and identifier must both be present or both be
|
|
1122 |
// absent
|
|
1123 |
if (($to_match->claimed_id === null) && |
|
1124 |
($to_match->local_id !== null)) { |
|
1125 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1126 |
'openid.identity is present without openid.claimed_id'); |
|
1127 |
}
|
|
1128 |
||
1129 |
if (($to_match->claimed_id !== null) && |
|
1130 |
($to_match->local_id === null)) { |
|
1131 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1132 |
'openid.claimed_id is present without openid.identity'); |
|
1133 |
}
|
|
1134 |
||
1135 |
if ($to_match->claimed_id === null) { |
|
1136 |
// This is a response without identifiers, so there's
|
|
1137 |
// really no checking that we can do, so return an
|
|
1138 |
// endpoint that's for the specified `openid.op_endpoint'
|
|
1139 |
return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL( |
|
1140 |
$to_match->server_url); |
|
1141 |
}
|
|
1142 |
||
1143 |
if (!$endpoint) { |
|
1144 |
// The claimed ID doesn't match, so we have to do
|
|
1145 |
// discovery again. This covers not using sessions, OP
|
|
1146 |
// identifier endpoints and responses that didn't match
|
|
1147 |
// the original request.
|
|
1148 |
// oidutil.log('No pre-discovered information supplied.')
|
|
1149 |
return $this->_discoverAndVerify($to_match->claimed_id, |
|
1150 |
array($to_match)); |
|
1151 |
} else { |
|
1152 |
||
1153 |
// The claimed ID matches, so we use the endpoint that we
|
|
1154 |
// discovered in initiation. This should be the most
|
|
1155 |
// common case.
|
|
1156 |
$result = $this->_verifyDiscoverySingle($endpoint, $to_match); |
|
1157 |
||
1158 |
if (Auth_OpenID::isFailure($result)) { |
|
1159 |
$endpoint = $this->_discoverAndVerify($to_match->claimed_id, |
|
1160 |
array($to_match)); |
|
1161 |
if (Auth_OpenID::isFailure($endpoint)) { |
|
1162 |
return $endpoint; |
|
1163 |
}
|
|
1164 |
}
|
|
1165 |
}
|
|
1166 |
||
1167 |
// The endpoint we return should have the claimed ID from the
|
|
1168 |
// message we just verified, fragment and all.
|
|
1169 |
if ($endpoint->claimed_id != $to_match->claimed_id) { |
|
1170 |
$endpoint->claimed_id = $to_match->claimed_id; |
|
1171 |
}
|
|
1172 |
||
1173 |
return $endpoint; |
|
1174 |
}
|
|
1175 |
||
1176 |
/**
|
|
1177 |
* @access private
|
|
1178 |
*/
|
|
1179 |
function _discoverAndVerify($claimed_id, $to_match_endpoints) |
|
1180 |
{
|
|
1181 |
// oidutil.log('Performing discovery on %s' % (claimed_id,))
|
|
1182 |
list($unused, $services) = call_user_func($this->discoverMethod, |
|
1183 |
$claimed_id, |
|
1184 |
$this->fetcher); |
|
1185 |
||
1186 |
if (!$services) { |
|
1187 |
return new Auth_OpenID_FailureResponse(null, |
|
1188 |
sprintf("No OpenID information found at %s", |
|
1189 |
$claimed_id)); |
|
1190 |
}
|
|
1191 |
||
1192 |
return $this->_verifyDiscoveryServices($claimed_id, $services, |
|
1193 |
$to_match_endpoints); |
|
1194 |
}
|
|
1195 |
||
1196 |
/**
|
|
1197 |
* @access private
|
|
1198 |
*/
|
|
1199 |
function _verifyDiscoveryServices($claimed_id, |
|
1200 |
&$services, &$to_match_endpoints) |
|
1201 |
{
|
|
1202 |
// Search the services resulting from discovery to find one
|
|
1203 |
// that matches the information from the assertion
|
|
1204 |
||
1205 |
foreach ($services as $endpoint) { |
|
1206 |
foreach ($to_match_endpoints as $to_match_endpoint) { |
|
1207 |
$result = $this->_verifyDiscoverySingle($endpoint, |
|
1208 |
$to_match_endpoint); |
|
1209 |
||
1210 |
if (!Auth_OpenID::isFailure($result)) { |
|
1211 |
// It matches, so discover verification has
|
|
1212 |
// succeeded. Return this endpoint.
|
|
1213 |
return $endpoint; |
|
1214 |
}
|
|
1215 |
}
|
|
1216 |
}
|
|
1217 |
||
1218 |
return new Auth_OpenID_FailureResponse(null, |
|
1219 |
sprintf('No matching endpoint found after discovering %s', |
|
1220 |
$claimed_id)); |
|
1221 |
}
|
|
1222 |
||
1223 |
/**
|
|
1224 |
* Extract the nonce from an OpenID 1 response. Return the nonce
|
|
1225 |
* from the BARE_NS since we independently check the return_to
|
|
1226 |
* arguments are the same as those in the response message.
|
|
1227 |
*
|
|
1228 |
* See the openid1_nonce_query_arg_name class variable
|
|
1229 |
*
|
|
1230 |
* @returns $nonce The nonce as a string or null
|
|
1231 |
*
|
|
1232 |
* @access private
|
|
1233 |
*/
|
|
1234 |
function _idResGetNonceOpenID1($message, $endpoint) |
|
1235 |
{
|
|
1236 |
return $message->getArg(Auth_OpenID_BARE_NS, |
|
1237 |
$this->openid1_nonce_query_arg_name); |
|
1238 |
}
|
|
1239 |
||
1240 |
/**
|
|
1241 |
* @access private
|
|
1242 |
*/
|
|
1243 |
function _idResCheckNonce($message, $endpoint) |
|
1244 |
{
|
|
1245 |
if ($message->isOpenID1()) { |
|
1246 |
// This indicates that the nonce was generated by the consumer
|
|
1247 |
$nonce = $this->_idResGetNonceOpenID1($message, $endpoint); |
|
1248 |
$server_url = ''; |
|
1249 |
} else { |
|
1250 |
$nonce = $message->getArg(Auth_OpenID_OPENID2_NS, |
|
1251 |
'response_nonce'); |
|
1252 |
||
1253 |
$server_url = $endpoint->server_url; |
|
1254 |
}
|
|
1255 |
||
1256 |
if ($nonce === null) { |
|
1257 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1258 |
"Nonce missing from response"); |
|
1259 |
}
|
|
1260 |
||
1261 |
$parts = Auth_OpenID_splitNonce($nonce); |
|
1262 |
||
1263 |
if ($parts === null) { |
|
1264 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1265 |
"Malformed nonce in response"); |
|
1266 |
}
|
|
1267 |
||
1268 |
list($timestamp, $salt) = $parts; |
|
1269 |
||
1270 |
if (!$this->store->useNonce($server_url, $timestamp, $salt)) { |
|
1271 |
return new Auth_OpenID_FailureResponse($endpoint, |
|
1272 |
"Nonce already used or out of range"); |
|
1273 |
}
|
|
1274 |
||
1275 |
return null; |
|
1276 |
}
|
|
1277 |
||
1278 |
/**
|
|
1279 |
* @access private
|
|
1280 |
*/
|
|
1281 |
function _idResCheckForFields($message) |
|
1282 |
{
|
|
1283 |
$basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed'); |
|
1284 |
$basic_sig_fields = array('return_to', 'identity'); |
|
1285 |
||
1286 |
$require_fields = array( |
|
1287 |
Auth_OpenID_OPENID2_NS => array_merge($basic_fields, |
|
1288 |
array('op_endpoint')), |
|
1289 |
||
1290 |
Auth_OpenID_OPENID1_NS => array_merge($basic_fields, |
|
1291 |
array('identity')) |
|
1292 |
);
|
|
1293 |
||
1294 |
$require_sigs = array( |
|
1295 |
Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields, |
|
1296 |
array('response_nonce', |
|
1297 |
'claimed_id', |
|
1298 |
'assoc_handle')), |
|
1299 |
Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields, |
|
1300 |
array('nonce')) |
|
1301 |
);
|
|
1302 |
||
1303 |
foreach ($require_fields[$message->getOpenIDNamespace()] as $field) { |
|
1304 |
if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) { |
|
1305 |
return new Auth_OpenID_FailureResponse(null, |
|
1306 |
"Missing required field '".$field."'"); |
|
1307 |
}
|
|
1308 |
}
|
|
1309 |
||
1310 |
$signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, |
|
1311 |
'signed', |
|
1312 |
Auth_OpenID_NO_DEFAULT); |
|
1313 |
if (Auth_OpenID::isFailure($signed_list_str)) { |
|
1314 |
return $signed_list_str; |
|
1315 |
}
|
|
1316 |
$signed_list = explode(',', $signed_list_str); |
|
1317 |
||
1318 |
foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) { |
|
1319 |
// Field is present and not in signed list
|
|
1320 |
if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) && |
|
1321 |
(!in_array($field, $signed_list))) { |
|
1322 |
return new Auth_OpenID_FailureResponse(null, |
|
1323 |
"'".$field."' not signed"); |
|
1324 |
}
|
|
1325 |
}
|
|
1326 |
||
1327 |
return null; |
|
1328 |
}
|
|
1329 |
||
1330 |
/**
|
|
1331 |
* @access private
|
|
1332 |
*/
|
|
1333 |
function _checkAuth($message, $server_url) |
|
1334 |
{
|
|
1335 |
$request = $this->_createCheckAuthRequest($message); |
|
1336 |
if ($request === null) { |
|
1337 |
return false; |
|
1338 |
}
|
|
1339 |
||
1340 |
$resp_message = $this->_makeKVPost($request, $server_url); |
|
1341 |
if (($resp_message === null) || |
|
1342 |
(is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) { |
|
1343 |
return false; |
|
1344 |
}
|
|
1345 |
||
1346 |
return $this->_processCheckAuthResponse($resp_message, $server_url); |
|
1347 |
}
|
|
1348 |
||
1349 |
/**
|
|
1350 |
* @access private
|
|
1351 |
*/
|
|
1352 |
function _createCheckAuthRequest($message) |
|
1353 |
{
|
|
1354 |
$signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); |
|
1355 |
if ($signed) { |
|
1356 |
foreach (explode(',', $signed) as $k) { |
|
1357 |
$value = $message->getAliasedArg($k); |
|
1358 |
if ($value === null) { |
|
1359 |
return null; |
|
1360 |
}
|
|
1361 |
}
|
|
1362 |
}
|
|
1363 |
$ca_message = $message->copy(); |
|
1364 |
$ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', |
|
1365 |
'check_authentication'); |
|
1366 |
return $ca_message; |
|
1367 |
}
|
|
1368 |
||
1369 |
/**
|
|
1370 |
* @access private
|
|
1371 |
*/
|
|
1372 |
function _processCheckAuthResponse($response, $server_url) |
|
1373 |
{
|
|
1374 |
$is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid', |
|
1375 |
'false'); |
|
1376 |
||
1377 |
$invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS, |
|
1378 |
'invalidate_handle'); |
|
1379 |
||
1380 |
if ($invalidate_handle !== null) { |
|
1381 |
$this->store->removeAssociation($server_url, |
|
1382 |
$invalidate_handle); |
|
1383 |
}
|
|
1384 |
||
1385 |
if ($is_valid == 'true') { |
|
1386 |
return true; |
|
1387 |
}
|
|
1388 |
||
1389 |
return false; |
|
1390 |
}
|
|
1391 |
||
1392 |
/**
|
|
1393 |
* Adapt a POST response to a Message.
|
|
1394 |
*
|
|
1395 |
* @param $response Result of a POST to an OpenID endpoint.
|
|
1396 |
*
|
|
1397 |
* @access private
|
|
1398 |
*/
|
|
1399 |
function _httpResponseToMessage($response, $server_url) |
|
1400 |
{
|
|
1401 |
// Should this function be named Message.fromHTTPResponse instead?
|
|
1402 |
$response_message = Auth_OpenID_Message::fromKVForm($response->body); |
|
1403 |
||
1404 |
if ($response->status == 400) { |
|
1405 |
return Auth_OpenID_ServerErrorContainer::fromMessage( |
|
1406 |
$response_message); |
|
1407 |
} else if ($response->status != 200 and $response->status != 206) { |
|
1408 |
return null; |
|
1409 |
}
|
|
1410 |
||
1411 |
return $response_message; |
|
1412 |
}
|
|
1413 |
||
1414 |
/**
|
|
1415 |
* @access private
|
|
1416 |
*/
|
|
1417 |
function _makeKVPost($message, $server_url) |
|
1418 |
{
|
|
1419 |
$body = $message->toURLEncoded(); |
|
1420 |
$resp = $this->fetcher->post($server_url, $body); |
|
1421 |
||
1422 |
if ($resp === null) { |
|
1423 |
return null; |
|
1424 |
}
|
|
1425 |
||
1426 |
return $this->_httpResponseToMessage($resp, $server_url); |
|
1427 |
}
|
|
1428 |
||
1429 |
/**
|
|
1430 |
* @access private
|
|
1431 |
*/
|
|
1432 |
function _getAssociation($endpoint) |
|
1433 |
{
|
|
1434 |
if (!$this->_use_assocs) { |
|
1435 |
return null; |
|
1436 |
}
|
|
1437 |
||
1438 |
$assoc = $this->store->getAssociation($endpoint->server_url); |
|
1439 |
||
1440 |
if (($assoc === null) || |
|
1441 |
($assoc->getExpiresIn() <= 0)) { |
|
1442 |
||
1443 |
$assoc = $this->_negotiateAssociation($endpoint); |
|
1444 |
||
1445 |
if ($assoc !== null) { |
|
1446 |
$this->store->storeAssociation($endpoint->server_url, |
|
1447 |
$assoc); |
|
1448 |
}
|
|
1449 |
}
|
|
1450 |
||
1451 |
return $assoc; |
|
1452 |
}
|
|
1453 |
||
1454 |
/**
|
|
1455 |
* Handle ServerErrors resulting from association requests.
|
|
1456 |
*
|
|
1457 |
* @return $result If server replied with an C{unsupported-type}
|
|
1458 |
* error, return a tuple of supported C{association_type},
|
|
1459 |
* C{session_type}. Otherwise logs the error and returns null.
|
|
1460 |
*
|
|
1461 |
* @access private
|
|
1462 |
*/
|
|
1463 |
function _extractSupportedAssociationType(&$server_error, &$endpoint, |
|
1464 |
$assoc_type) |
|
1465 |
{
|
|
1466 |
// Any error message whose code is not 'unsupported-type'
|
|
1467 |
// should be considered a total failure.
|
|
1468 |
if (($server_error->error_code != 'unsupported-type') || |
|
1469 |
($server_error->message->isOpenID1())) { |
|
1470 |
return null; |
|
1471 |
}
|
|
1472 |
||
1473 |
// The server didn't like the association/session type that we
|
|
1474 |
// sent, and it sent us back a message that might tell us how
|
|
1475 |
// to handle it.
|
|
1476 |
||
1477 |
// Extract the session_type and assoc_type from the error
|
|
1478 |
// message
|
|
1479 |
$assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, |
|
1480 |
'assoc_type'); |
|
1481 |
||
1482 |
$session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, |
|
1483 |
'session_type'); |
|
1484 |
||
1485 |
if (($assoc_type === null) || ($session_type === null)) { |
|
1486 |
return null; |
|
1487 |
} else if (!$this->negotiator->isAllowed($assoc_type, |
|
1488 |
$session_type)) { |
|
1489 |
return null; |
|
1490 |
} else { |
|
1491 |
return array($assoc_type, $session_type); |
|
1492 |
}
|
|
1493 |
}
|
|
1494 |
||
1495 |
/**
|
|
1496 |
* @access private
|
|
1497 |
*/
|
|
1498 |
function _negotiateAssociation($endpoint) |
|
1499 |
{
|
|
1500 |
// Get our preferred session/association type from the negotiatior.
|
|
1501 |
list($assoc_type, $session_type) = $this->negotiator->getAllowedType(); |
|
1502 |
||
1503 |
$assoc = $this->_requestAssociation( |
|
1504 |
$endpoint, $assoc_type, $session_type); |
|
1505 |
||
1506 |
if (Auth_OpenID::isFailure($assoc)) { |
|
1507 |
return null; |
|
1508 |
}
|
|
1509 |
||
1510 |
if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { |
|
1511 |
$why = $assoc; |
|
1512 |
||
1513 |
$supportedTypes = $this->_extractSupportedAssociationType( |
|
1514 |
$why, $endpoint, $assoc_type); |
|
1515 |
||
1516 |
if ($supportedTypes !== null) { |
|
1517 |
list($assoc_type, $session_type) = $supportedTypes; |
|
1518 |
||
1519 |
// Attempt to create an association from the assoc_type
|
|
1520 |
// and session_type that the server told us it
|
|
1521 |
// supported.
|
|
1522 |
$assoc = $this->_requestAssociation( |
|
1523 |
$endpoint, $assoc_type, $session_type); |
|
1524 |
||
1525 |
if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { |
|
1526 |
// Do not keep trying, since it rejected the
|
|
1527 |
// association type that it told us to use.
|
|
1528 |
// oidutil.log('Server %s refused its suggested association
|
|
1529 |
// 'type: session_type=%s, assoc_type=%s'
|
|
1530 |
// % (endpoint.server_url, session_type,
|
|
1531 |
// assoc_type))
|
|
1532 |
return null; |
|
1533 |
} else { |
|
1534 |
return $assoc; |
|
1535 |
}
|
|
1536 |
} else { |
|
1537 |
return null; |
|
1538 |
}
|
|
1539 |
} else { |
|
1540 |
return $assoc; |
|
1541 |
}
|
|
1542 |
}
|
|
1543 |
||
1544 |
/**
|
|
1545 |
* @access private
|
|
1546 |
*/
|
|
1547 |
function _requestAssociation($endpoint, $assoc_type, $session_type) |
|
1548 |
{
|
|
1549 |
list($assoc_session, $args) = $this->_createAssociateRequest( |
|
1550 |
$endpoint, $assoc_type, $session_type); |
|
1551 |
||
1552 |
$response_message = $this->_makeKVPost($args, $endpoint->server_url); |
|
1553 |
||
1554 |
if ($response_message === null) { |
|
1555 |
// oidutil.log('openid.associate request failed: %s' % (why[0],))
|
|
1556 |
return null; |
|
1557 |
} else if (is_a($response_message, |
|
1558 |
'Auth_OpenID_ServerErrorContainer')) { |
|
1559 |
return $response_message; |
|
1560 |
}
|
|
1561 |
||
1562 |
return $this->_extractAssociation($response_message, $assoc_session); |
|
1563 |
}
|
|
1564 |
||
1565 |
/**
|
|
1566 |
* @access private
|
|
1567 |
*/
|
|
1568 |
function _extractAssociation(&$assoc_response, &$assoc_session) |
|
1569 |
{
|
|
1570 |
// Extract the common fields from the response, raising an
|
|
1571 |
// exception if they are not found
|
|
1572 |
$assoc_type = $assoc_response->getArg( |
|
1573 |
Auth_OpenID_OPENID_NS, 'assoc_type', |
|
1574 |
Auth_OpenID_NO_DEFAULT); |
|
1575 |
||
1576 |
if (Auth_OpenID::isFailure($assoc_type)) { |
|
1577 |
return $assoc_type; |
|
1578 |
}
|
|
1579 |
||
1580 |
$assoc_handle = $assoc_response->getArg( |
|
1581 |
Auth_OpenID_OPENID_NS, 'assoc_handle', |
|
1582 |
Auth_OpenID_NO_DEFAULT); |
|
1583 |
||
1584 |
if (Auth_OpenID::isFailure($assoc_handle)) { |
|
1585 |
return $assoc_handle; |
|
1586 |
}
|
|
1587 |
||
1588 |
// expires_in is a base-10 string. The Python parsing will
|
|
1589 |
// accept literals that have whitespace around them and will
|
|
1590 |
// accept negative values. Neither of these are really in-spec,
|
|
1591 |
// but we think it's OK to accept them.
|
|
1592 |
$expires_in_str = $assoc_response->getArg( |
|
1593 |
Auth_OpenID_OPENID_NS, 'expires_in', |
|
1594 |
Auth_OpenID_NO_DEFAULT); |
|
1595 |
||
1596 |
if (Auth_OpenID::isFailure($expires_in_str)) { |
|
1597 |
return $expires_in_str; |
|
1598 |
}
|
|
1599 |
||
1600 |
$expires_in = Auth_OpenID::intval($expires_in_str); |
|
1601 |
if ($expires_in === false) { |
|
1602 |
||
1603 |
$err = sprintf("Could not parse expires_in from association ". |
|
1604 |
"response %s", print_r($assoc_response, true)); |
|
1605 |
return new Auth_OpenID_FailureResponse(null, $err); |
|
1606 |
}
|
|
1607 |
||
1608 |
// OpenID 1 has funny association session behaviour.
|
|
1609 |
if ($assoc_response->isOpenID1()) { |
|
1610 |
$session_type = $this->_getOpenID1SessionType($assoc_response); |
|
1611 |
} else { |
|
1612 |
$session_type = $assoc_response->getArg( |
|
1613 |
Auth_OpenID_OPENID2_NS, 'session_type', |
|
1614 |
Auth_OpenID_NO_DEFAULT); |
|
1615 |
||
1616 |
if (Auth_OpenID::isFailure($session_type)) { |
|
1617 |
return $session_type; |
|
1618 |
}
|
|
1619 |
}
|
|
1620 |
||
1621 |
// Session type mismatch
|
|
1622 |
if ($assoc_session->session_type != $session_type) { |
|
1623 |
if ($assoc_response->isOpenID1() && |
|
1624 |
($session_type == 'no-encryption')) { |
|
1625 |
// In OpenID 1, any association request can result in
|
|
1626 |
// a 'no-encryption' association response. Setting
|
|
1627 |
// assoc_session to a new no-encryption session should
|
|
1628 |
// make the rest of this function work properly for
|
|
1629 |
// that case.
|
|
1630 |
$assoc_session = new Auth_OpenID_PlainTextConsumerSession(); |
|
1631 |
} else { |
|
1632 |
// Any other mismatch, regardless of protocol version
|
|
1633 |
// results in the failure of the association session
|
|
1634 |
// altogether.
|
|
1635 |
return null; |
|
1636 |
}
|
|
1637 |
}
|
|
1638 |
||
1639 |
// Make sure assoc_type is valid for session_type
|
|
1640 |
if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) { |
|
1641 |
return null; |
|
1642 |
}
|
|
1643 |
||
1644 |
// Delegate to the association session to extract the secret
|
|
1645 |
// from the response, however is appropriate for that session
|
|
1646 |
// type.
|
|
1647 |
$secret = $assoc_session->extractSecret($assoc_response); |
|
1648 |
||
1649 |
if ($secret === null) { |
|
1650 |
return null; |
|
1651 |
}
|
|
1652 |
||
1653 |
return Auth_OpenID_Association::fromExpiresIn( |
|
1654 |
$expires_in, $assoc_handle, $secret, $assoc_type); |
|
1655 |
}
|
|
1656 |
||
1657 |
/**
|
|
1658 |
* @access private
|
|
1659 |
*/
|
|
1660 |
function _createAssociateRequest($endpoint, $assoc_type, $session_type) |
|
1661 |
{
|
|
1662 |
if (array_key_exists($session_type, $this->session_types)) { |
|
1663 |
$session_type_class = $this->session_types[$session_type]; |
|
1664 |
||
1665 |
if (is_callable($session_type_class)) { |
|
1666 |
$assoc_session = $session_type_class(); |
|
1667 |
} else { |
|
1668 |
$assoc_session = new $session_type_class(); |
|
1669 |
}
|
|
1670 |
} else { |
|
1671 |
return null; |
|
1672 |
}
|
|
1673 |
||
1674 |
$args = array( |
|
1675 |
'mode' => 'associate', |
|
1676 |
'assoc_type' => $assoc_type); |
|
1677 |
||
1678 |
if (!$endpoint->compatibilityMode()) { |
|
1679 |
$args['ns'] = Auth_OpenID_OPENID2_NS; |
|
1680 |
}
|
|
1681 |
||
1682 |
// Leave out the session type if we're in compatibility mode
|
|
1683 |
// *and* it's no-encryption.
|
|
1684 |
if ((!$endpoint->compatibilityMode()) || |
|
1685 |
($assoc_session->session_type != 'no-encryption')) { |
|
1686 |
$args['session_type'] = $assoc_session->session_type; |
|
1687 |
}
|
|
1688 |
||
1689 |
$args = array_merge($args, $assoc_session->getRequest()); |
|
1690 |
$message = Auth_OpenID_Message::fromOpenIDArgs($args); |
|
1691 |
return array($assoc_session, $message); |
|
1692 |
}
|
|
1693 |
||
1694 |
/**
|
|
1695 |
* Given an association response message, extract the OpenID 1.X
|
|
1696 |
* session type.
|
|
1697 |
*
|
|
1698 |
* This function mostly takes care of the 'no-encryption' default
|
|
1699 |
* behavior in OpenID 1.
|
|
1700 |
*
|
|
1701 |
* If the association type is plain-text, this function will
|
|
1702 |
* return 'no-encryption'
|
|
1703 |
*
|
|
1704 |
* @access private
|
|
1705 |
* @return $typ The association type for this message
|
|
1706 |
*/
|
|
1707 |
function _getOpenID1SessionType($assoc_response) |
|
1708 |
{
|
|
1709 |
// If it's an OpenID 1 message, allow session_type to default
|
|
1710 |
// to None (which signifies "no-encryption")
|
|
1711 |
$session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS, |
|
1712 |
'session_type'); |
|
1713 |
||
1714 |
// Handle the differences between no-encryption association
|
|
1715 |
// respones in OpenID 1 and 2:
|
|
1716 |
||
1717 |
// no-encryption is not really a valid session type for OpenID
|
|
1718 |
// 1, but we'll accept it anyway, while issuing a warning.
|
|
1719 |
if ($session_type == 'no-encryption') { |
|
1720 |
// oidutil.log('WARNING: OpenID server sent "no-encryption"'
|
|
1721 |
// 'for OpenID 1.X')
|
|
1722 |
} else if (($session_type == '') || ($session_type === null)) { |
|
1723 |
// Missing or empty session type is the way to flag a
|
|
1724 |
// 'no-encryption' response. Change the session type to
|
|
1725 |
// 'no-encryption' so that it can be handled in the same
|
|
1726 |
// way as OpenID 2 'no-encryption' respones.
|
|
1727 |
$session_type = 'no-encryption'; |
|
1728 |
}
|
|
1729 |
||
1730 |
return $session_type; |
|
1731 |
}
|
|
1732 |
}
|
|
1733 |
||
1734 |
/**
|
|
1735 |
* This class represents an authentication request from a consumer to
|
|
1736 |
* an OpenID server.
|
|
1737 |
*
|
|
1738 |
* @package OpenID
|
|
1739 |
*/
|
|
1740 |
class Auth_OpenID_AuthRequest { |
|
1741 |
||
1742 |
/**
|
|
1743 |
* Initialize an authentication request with the specified token,
|
|
1744 |
* association, and endpoint.
|
|
1745 |
*
|
|
1746 |
* Users of this library should not create instances of this
|
|
1747 |
* class. Instances of this class are created by the library when
|
|
1748 |
* needed.
|
|
1749 |
*/
|
|
1750 |
function Auth_OpenID_AuthRequest(&$endpoint, $assoc) |
|
1751 |
{
|
|
1752 |
$this->assoc = $assoc; |
|
1753 |
$this->endpoint =& $endpoint; |
|
1754 |
$this->return_to_args = array(); |
|
1755 |
$this->message = new Auth_OpenID_Message( |
|
1756 |
$endpoint->preferredNamespace()); |
|
1757 |
$this->_anonymous = false; |
|
1758 |
}
|
|
1759 |
||
1760 |
/**
|
|
1761 |
* Add an extension to this checkid request.
|
|
1762 |
*
|
|
1763 |
* $extension_request: An object that implements the extension
|
|
1764 |
* request interface for adding arguments to an OpenID message.
|
|
1765 |
*/
|
|
1766 |
function addExtension(&$extension_request) |
|
1767 |
{
|
|
1768 |
$extension_request->toMessage($this->message); |
|
1769 |
}
|
|
1770 |
||
1771 |
/**
|
|
1772 |
* Add an extension argument to this OpenID authentication
|
|
1773 |
* request.
|
|
1774 |
*
|
|
1775 |
* Use caution when adding arguments, because they will be
|
|
1776 |
* URL-escaped and appended to the redirect URL, which can easily
|
|
1777 |
* get quite long.
|
|
1778 |
*
|
|
1779 |
* @param string $namespace The namespace for the extension. For
|
|
1780 |
* example, the simple registration extension uses the namespace
|
|
1781 |
* 'sreg'.
|
|
1782 |
*
|
|
1783 |
* @param string $key The key within the extension namespace. For
|
|
1784 |
* example, the nickname field in the simple registration
|
|
1785 |
* extension's key is 'nickname'.
|
|
1786 |
*
|
|
1787 |
* @param string $value The value to provide to the server for
|
|
1788 |
* this argument.
|
|
1789 |
*/
|
|
1790 |
function addExtensionArg($namespace, $key, $value) |
|
1791 |
{
|
|
1792 |
return $this->message->setArg($namespace, $key, $value); |
|
1793 |
}
|
|
1794 |
||
1795 |
/**
|
|
1796 |
* Set whether this request should be made anonymously. If a
|
|
1797 |
* request is anonymous, the identifier will not be sent in the
|
|
1798 |
* request. This is only useful if you are making another kind of
|
|
1799 |
* request with an extension in this request.
|
|
1800 |
*
|
|
1801 |
* Anonymous requests are not allowed when the request is made
|
|
1802 |
* with OpenID 1.
|
|
1803 |
*/
|
|
1804 |
function setAnonymous($is_anonymous) |
|
1805 |
{
|
|
1806 |
if ($is_anonymous && $this->message->isOpenID1()) { |
|
1807 |
return false; |
|
1808 |
} else { |
|
1809 |
$this->_anonymous = $is_anonymous; |
|
1810 |
return true; |
|
1811 |
}
|
|
1812 |
}
|
|
1813 |
||
1814 |
/**
|
|
1815 |
* Produce a {@link Auth_OpenID_Message} representing this
|
|
1816 |
* request.
|
|
1817 |
*
|
|
1818 |
* @param string $realm The URL (or URL pattern) that identifies
|
|
1819 |
* your web site to the user when she is authorizing it.
|
|
1820 |
*
|
|
1821 |
* @param string $return_to The URL that the OpenID provider will
|
|
1822 |
* send the user back to after attempting to verify her identity.
|
|
1823 |
*
|
|
1824 |
* Not specifying a return_to URL means that the user will not be
|
|
1825 |
* returned to the site issuing the request upon its completion.
|
|
1826 |
*
|
|
1827 |
* @param bool $immediate If true, the OpenID provider is to send
|
|
1828 |
* back a response immediately, useful for behind-the-scenes
|
|
1829 |
* authentication attempts. Otherwise the OpenID provider may
|
|
1830 |
* engage the user before providing a response. This is the
|
|
1831 |
* default case, as the user may need to provide credentials or
|
|
1832 |
* approve the request before a positive response can be sent.
|
|
1833 |
*/
|
|
1834 |
function getMessage($realm, $return_to=null, $immediate=false) |
|
1835 |
{
|
|
1836 |
if ($return_to) { |
|
1837 |
$return_to = Auth_OpenID::appendArgs($return_to, |
|
1838 |
$this->return_to_args); |
|
1839 |
} else if ($immediate) { |
|
1840 |
// raise ValueError(
|
|
1841 |
// '"return_to" is mandatory when
|
|
1842 |
//using "checkid_immediate"')
|
|
1843 |
return new Auth_OpenID_FailureResponse(null, |
|
1844 |
"'return_to' is mandatory when using checkid_immediate"); |
|
1845 |
} else if ($this->message->isOpenID1()) { |
|
1846 |
// raise ValueError('"return_to" is
|
|
1847 |
// mandatory for OpenID 1 requests')
|
|
1848 |
return new Auth_OpenID_FailureResponse(null, |
|
1849 |
"'return_to' is mandatory for OpenID 1 requests"); |
|
1850 |
} else if ($this->return_to_args) { |
|
1851 |
// raise ValueError('extra "return_to" arguments
|
|
1852 |
// were specified, but no return_to was specified')
|
|
1853 |
return new Auth_OpenID_FailureResponse(null, |
|
1854 |
"extra 'return_to' arguments where specified, " . |
|
1855 |
"but no return_to was specified"); |
|
1856 |
}
|
|
1857 |
||
1858 |
if ($immediate) { |
|
1859 |
$mode = 'checkid_immediate'; |
|
1860 |
} else { |
|
1861 |
$mode = 'checkid_setup'; |
|
1862 |
}
|
|
1863 |
||
1864 |
$message = $this->message->copy(); |
|
1865 |
if ($message->isOpenID1()) { |
|
1866 |
$realm_key = 'trust_root'; |
|
1867 |
} else { |
|
1868 |
$realm_key = 'realm'; |
|
1869 |
}
|
|
1870 |
||
1871 |
$message->updateArgs(Auth_OpenID_OPENID_NS, |
|
1872 |
array( |
|
1873 |
$realm_key => $realm, |
|
1874 |
'mode' => $mode, |
|
1875 |
'return_to' => $return_to)); |
|
1876 |
||
1877 |
if (!$this->_anonymous) { |
|
1878 |
if ($this->endpoint->isOPIdentifier()) { |
|
1879 |
// This will never happen when we're in compatibility
|
|
1880 |
// mode, as long as isOPIdentifier() returns False
|
|
1881 |
// whenever preferredNamespace() returns OPENID1_NS.
|
|
1882 |
$claimed_id = $request_identity = |
|
1883 |
Auth_OpenID_IDENTIFIER_SELECT; |
|
1884 |
} else { |
|
1885 |
$request_identity = $this->endpoint->getLocalID(); |
|
1886 |
$claimed_id = $this->endpoint->claimed_id; |
|
1887 |
}
|
|
1888 |
||
1889 |
// This is true for both OpenID 1 and 2
|
|
1890 |
$message->setArg(Auth_OpenID_OPENID_NS, 'identity', |
|
1891 |
$request_identity); |
|
1892 |
||
1893 |
if ($message->isOpenID2()) { |
|
1894 |
$message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id', |
|
1895 |
$claimed_id); |
|
1896 |
}
|
|
1897 |
}
|
|
1898 |
||
1899 |
if ($this->assoc) { |
|
1900 |
$message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', |
|
1901 |
$this->assoc->handle); |
|
1902 |
}
|
|
1903 |
||
1904 |
return $message; |
|
1905 |
}
|
|
1906 |
||
1907 |
function redirectURL($realm, $return_to = null, |
|
1908 |
$immediate = false) |
|
1909 |
{
|
|
1910 |
$message = $this->getMessage($realm, $return_to, $immediate); |
|
1911 |
||
1912 |
if (Auth_OpenID::isFailure($message)) { |
|
1913 |
return $message; |
|
1914 |
}
|
|
1915 |
||
1916 |
return $message->toURL($this->endpoint->server_url); |
|
1917 |
}
|
|
1918 |
||
1919 |
/**
|
|
1920 |
* Get html for a form to submit this request to the IDP.
|
|
1921 |
*
|
|
1922 |
* form_tag_attrs: An array of attributes to be added to the form
|
|
1923 |
* tag. 'accept-charset' and 'enctype' have defaults that can be
|
|
1924 |
* overridden. If a value is supplied for 'action' or 'method', it
|
|
1925 |
* will be replaced.
|
|
1926 |
*/
|
|
1927 |
function formMarkup($realm, $return_to=null, $immediate=false, |
|
1928 |
$form_tag_attrs=null) |
|
1929 |
{
|
|
1930 |
$message = $this->getMessage($realm, $return_to, $immediate); |
|
1931 |
||
1932 |
if (Auth_OpenID::isFailure($message)) { |
|
1933 |
return $message; |
|
1934 |
}
|
|
1935 |
||
1936 |
return $message->toFormMarkup($this->endpoint->server_url, |
|
1937 |
$form_tag_attrs); |
|
1938 |
}
|
|
1939 |
||
1940 |
/**
|
|
1941 |
* Get a complete html document that will autosubmit the request
|
|
1942 |
* to the IDP.
|
|
1943 |
*
|
|
1944 |
* Wraps formMarkup. See the documentation for that function.
|
|
1945 |
*/
|
|
1946 |
function htmlMarkup($realm, $return_to=null, $immediate=false, |
|
1947 |
$form_tag_attrs=null) |
|
1948 |
{
|
|
1949 |
$form = $this->formMarkup($realm, $return_to, $immediate, |
|
1950 |
$form_tag_attrs); |
|
1951 |
||
1952 |
if (Auth_OpenID::isFailure($form)) { |
|
1953 |
return $form; |
|
1954 |
}
|
|
1955 |
return Auth_OpenID::autoSubmitHTML($form); |
|
1956 |
}
|
|
1957 |
||
1958 |
function shouldSendRedirect() |
|
1959 |
{
|
|
1960 |
return $this->endpoint->compatibilityMode(); |
|
1961 |
}
|
|
1962 |
}
|
|
1963 |
||
1964 |
/**
|
|
1965 |
* The base class for responses from the Auth_OpenID_Consumer.
|
|
1966 |
*
|
|
1967 |
* @package OpenID
|
|
1968 |
*/
|
|
1969 |
class Auth_OpenID_ConsumerResponse { |
|
1970 |
var $status = null; |
|
1971 |
||
1972 |
function setEndpoint($endpoint) |
|
1973 |
{
|
|
1974 |
$this->endpoint = $endpoint; |
|
1975 |
if ($endpoint === null) { |
|
1976 |
$this->identity_url = null; |
|
1977 |
} else { |
|
1978 |
$this->identity_url = $endpoint->claimed_id; |
|
1979 |
}
|
|
1980 |
}
|
|
1981 |
||
1982 |
/**
|
|
1983 |
* Return the display identifier for this response.
|
|
1984 |
*
|
|
1985 |
* The display identifier is related to the Claimed Identifier, but the
|
|
1986 |
* two are not always identical. The display identifier is something the
|
|
1987 |
* user should recognize as what they entered, whereas the response's
|
|
1988 |
* claimed identifier (in the identity_url attribute) may have extra
|
|
1989 |
* information for better persistence.
|
|
1990 |
*
|
|
1991 |
* URLs will be stripped of their fragments for display. XRIs will
|
|
1992 |
* display the human-readable identifier (i-name) instead of the
|
|
1993 |
* persistent identifier (i-number).
|
|
1994 |
*
|
|
1995 |
* Use the display identifier in your user interface. Use
|
|
1996 |
* identity_url for querying your database or authorization server.
|
|
1997 |
*
|
|
1998 |
*/
|
|
1999 |
function getDisplayIdentifier() |
|
2000 |
{
|
|
2001 |
if ($this->endpoint !== null) { |
|
2002 |
return $this->endpoint->getDisplayIdentifier(); |
|
2003 |
}
|
|
2004 |
return null; |
|
2005 |
}
|
|
2006 |
}
|
|
2007 |
||
2008 |
/**
|
|
2009 |
* A response with a status of Auth_OpenID_SUCCESS. Indicates that
|
|
2010 |
* this request is a successful acknowledgement from the OpenID server
|
|
2011 |
* that the supplied URL is, indeed controlled by the requesting
|
|
2012 |
* agent. This has three relevant attributes:
|
|
2013 |
*
|
|
2014 |
* claimed_id - The identity URL that has been authenticated
|
|
2015 |
*
|
|
2016 |
* signed_args - The arguments in the server's response that were
|
|
2017 |
* signed and verified.
|
|
2018 |
*
|
|
2019 |
* status - Auth_OpenID_SUCCESS.
|
|
2020 |
*
|
|
2021 |
* @package OpenID
|
|
2022 |
*/
|
|
2023 |
class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse { |
|
2024 |
var $status = Auth_OpenID_SUCCESS; |
|
2025 |
||
2026 |
/**
|
|
2027 |
* @access private
|
|
2028 |
*/
|
|
2029 |
function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null) |
|
2030 |
{
|
|
2031 |
$this->endpoint = $endpoint; |
|
2032 |
$this->identity_url = $endpoint->claimed_id; |
|
2033 |
$this->signed_args = $signed_args; |
|
2034 |
$this->message = $message; |
|
2035 |
||
2036 |
if ($this->signed_args === null) { |
|
2037 |
$this->signed_args = array(); |
|
2038 |
}
|
|
2039 |
}
|
|
2040 |
||
2041 |
/**
|
|
2042 |
* Extract signed extension data from the server's response.
|
|
2043 |
*
|
|
2044 |
* @param string $prefix The extension namespace from which to
|
|
2045 |
* extract the extension data.
|
|
2046 |
*/
|
|
2047 |
function extensionResponse($namespace_uri, $require_signed) |
|
2048 |
{
|
|
2049 |
if ($require_signed) { |
|
2050 |
return $this->getSignedNS($namespace_uri); |
|
2051 |
} else { |
|
2052 |
return $this->message->getArgs($namespace_uri); |
|
2053 |
}
|
|
2054 |
}
|
|
2055 |
||
2056 |
function isOpenID1() |
|
2057 |
{
|
|
2058 |
return $this->message->isOpenID1(); |
|
2059 |
}
|
|
2060 |
||
2061 |
function isSigned($ns_uri, $ns_key) |
|
2062 |
{
|
|
2063 |
// Return whether a particular key is signed, regardless of
|
|
2064 |
// its namespace alias
|
|
2065 |
return in_array($this->message->getKey($ns_uri, $ns_key), |
|
2066 |
$this->signed_args); |
|
2067 |
}
|
|
2068 |
||
2069 |
function getSigned($ns_uri, $ns_key, $default = null) |
|
2070 |
{
|
|
2071 |
// Return the specified signed field if available, otherwise
|
|
2072 |
// return default
|
|
2073 |
if ($this->isSigned($ns_uri, $ns_key)) { |
|
2074 |
return $this->message->getArg($ns_uri, $ns_key, $default); |
|
2075 |
} else { |
|
2076 |
return $default; |
|
2077 |
}
|
|
2078 |
}
|
|
2079 |
||
2080 |
function getSignedNS($ns_uri) |
|
2081 |
{
|
|
2082 |
$args = array(); |
|
2083 |
||
2084 |
$msg_args = $this->message->getArgs($ns_uri); |
|
2085 |
if (Auth_OpenID::isFailure($msg_args)) { |
|
2086 |
return null; |
|
2087 |
}
|
|
2088 |
||
2089 |
foreach ($msg_args as $key => $value) { |
|
2090 |
if (!$this->isSigned($ns_uri, $key)) { |
|
2091 |
return null; |
|
2092 |
}
|
|
2093 |
}
|
|
2094 |
||
2095 |
return $msg_args; |
|
2096 |
}
|
|
2097 |
||
2098 |
/**
|
|
2099 |
* Get the openid.return_to argument from this response.
|
|
2100 |
*
|
|
2101 |
* This is useful for verifying that this request was initiated by
|
|
2102 |
* this consumer.
|
|
2103 |
*
|
|
2104 |
* @return string $return_to The return_to URL supplied to the
|
|
2105 |
* server on the initial request, or null if the response did not
|
|
2106 |
* contain an 'openid.return_to' argument.
|
|
2107 |
*/
|
|
2108 |
function getReturnTo() |
|
2109 |
{
|
|
2110 |
return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to'); |
|
2111 |
}
|
|
2112 |
}
|
|
2113 |
||
2114 |
/**
|
|
2115 |
* A response with a status of Auth_OpenID_FAILURE. Indicates that the
|
|
2116 |
* OpenID protocol has failed. This could be locally or remotely
|
|
2117 |
* triggered. This has three relevant attributes:
|
|
2118 |
*
|
|
2119 |
* claimed_id - The identity URL for which authentication was
|
|
2120 |
* attempted, if it can be determined. Otherwise, null.
|
|
2121 |
*
|
|
2122 |
* message - A message indicating why the request failed, if one is
|
|
2123 |
* supplied. Otherwise, null.
|
|
2124 |
*
|
|
2125 |
* status - Auth_OpenID_FAILURE.
|
|
2126 |
*
|
|
2127 |
* @package OpenID
|
|
2128 |
*/
|
|
2129 |
class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse { |
|
2130 |
var $status = Auth_OpenID_FAILURE; |
|
2131 |
||
2132 |
function Auth_OpenID_FailureResponse($endpoint, $message = null, |
|
2133 |
$contact = null, $reference = null) |
|
2134 |
{
|
|
2135 |
$this->setEndpoint($endpoint); |
|
2136 |
$this->message = $message; |
|
2137 |
$this->contact = $contact; |
|
2138 |
$this->reference = $reference; |
|
2139 |
}
|
|
2140 |
}
|
|
2141 |
||
2142 |
/**
|
|
2143 |
* A specific, internal failure used to detect type URI mismatch.
|
|
2144 |
*
|
|
2145 |
* @package OpenID
|
|
2146 |
*/
|
|
2147 |
class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse { |
|
2148 |
}
|
|
2149 |
||
2150 |
/**
|
|
2151 |
* Exception that is raised when the server returns a 400 response
|
|
2152 |
* code to a direct request.
|
|
2153 |
*
|
|
2154 |
* @package OpenID
|
|
2155 |
*/
|
|
2156 |
class Auth_OpenID_ServerErrorContainer { |
|
2157 |
function Auth_OpenID_ServerErrorContainer($error_text, |
|
2158 |
$error_code, |
|
2159 |
$message) |
|
2160 |
{
|
|
2161 |
$this->error_text = $error_text; |
|
2162 |
$this->error_code = $error_code; |
|
2163 |
$this->message = $message; |
|
2164 |
}
|
|
2165 |
||
2166 |
/**
|
|
2167 |
* @access private
|
|
2168 |
*/
|
|
2169 |
function fromMessage($message) |
|
2170 |
{
|
|
2171 |
$error_text = $message->getArg( |
|
2172 |
Auth_OpenID_OPENID_NS, 'error', '<no error message supplied>'); |
|
2173 |
$error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code'); |
|
2174 |
return new Auth_OpenID_ServerErrorContainer($error_text, |
|
2175 |
$error_code, |
|
2176 |
$message); |
|
2177 |
}
|
|
2178 |
}
|
|
2179 |
||
2180 |
/**
|
|
2181 |
* A response with a status of Auth_OpenID_CANCEL. Indicates that the
|
|
2182 |
* user cancelled the OpenID authentication request. This has two
|
|
2183 |
* relevant attributes:
|
|
2184 |
*
|
|
2185 |
* claimed_id - The identity URL for which authentication was
|
|
2186 |
* attempted, if it can be determined. Otherwise, null.
|
|
2187 |
*
|
|
2188 |
* status - Auth_OpenID_SUCCESS.
|
|
2189 |
*
|
|
2190 |
* @package OpenID
|
|
2191 |
*/
|
|
2192 |
class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse { |
|
2193 |
var $status = Auth_OpenID_CANCEL; |
|
2194 |
||
2195 |
function Auth_OpenID_CancelResponse($endpoint) |
|
2196 |
{
|
|
2197 |
$this->setEndpoint($endpoint); |
|
2198 |
}
|
|
2199 |
}
|
|
2200 |
||
2201 |
/**
|
|
2202 |
* A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates
|
|
2203 |
* that the request was in immediate mode, and the server is unable to
|
|
2204 |
* authenticate the user without further interaction.
|
|
2205 |
*
|
|
2206 |
* claimed_id - The identity URL for which authentication was
|
|
2207 |
* attempted.
|
|
2208 |
*
|
|
2209 |
* setup_url - A URL that can be used to send the user to the server
|
|
2210 |
* to set up for authentication. The user should be redirected in to
|
|
2211 |
* the setup_url, either in the current window or in a new browser
|
|
2212 |
* window. Null in OpenID 2.
|
|
2213 |
*
|
|
2214 |
* status - Auth_OpenID_SETUP_NEEDED.
|
|
2215 |
*
|
|
2216 |
* @package OpenID
|
|
2217 |
*/
|
|
2218 |
class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse { |
|
2219 |
var $status = Auth_OpenID_SETUP_NEEDED; |
|
2220 |
||
2221 |
function Auth_OpenID_SetupNeededResponse($endpoint, |
|
2222 |
$setup_url = null) |
|
2223 |
{
|
|
2224 |
$this->setEndpoint($endpoint); |
|
2225 |
$this->setup_url = $setup_url; |
|
2226 |
}
|
|
2227 |
}
|
|
2228 |
||
2229 |
?>
|