Collaboration diagram for Auth_OpenID_GenericConsumer:

Public Member Functions
	Auth_OpenID_GenericConsumer ($store)
	This method initializes a new Auth_OpenID_Consumer instance to access the library. More...

	begin ($service_endpoint)
	Called to begin OpenID authentication using the specified Auth_OpenID_ServiceEndpoint. More...

	complete ($message, $endpoint, $return_to)
	Given an Auth_OpenID_Message, Auth_OpenID_ServiceEndpoint and optional return_to URL, complete OpenID authentication. More...

	_completeInvalid ($message, $endpoint, $unused)
	private More...

	_complete_cancel ($message, $endpoint, $unused)
	private More...

	_complete_error ($message, $endpoint, $unused)
	private More...

	_complete_setup_needed ($message, $endpoint, $unused)
	private More...

	_complete_id_res ($message, $endpoint, $return_to)
	private More...

	_checkSetupNeeded ($message)
	private More...

	_doIdRes ($message, $endpoint, $return_to)
	private More...

	_checkReturnTo ($message, $return_to)
	private More...

	_verifyReturnToArgs ($query)
	private More...

	_idResCheckSignature ($message, $server_url)
	private More...

	_verifyDiscoveryResults ($message, $endpoint=null)
	private More...

	_verifyDiscoveryResultsOpenID1 ($message, $endpoint)
	private More...

	_verifyDiscoverySingle ($endpoint, $to_match)
	private More...

	_verifyDiscoveryResultsOpenID2 ($message, $endpoint)
	private More...

	_discoverAndVerify ($claimed_id, $to_match_endpoints)
	private More...

	_verifyDiscoveryServices ($claimed_id, $services, $to_match_endpoints)
	private More...

	_idResGetNonceOpenID1 ($message, $endpoint)
	Extract the nonce from an OpenID 1 response. More...

	_idResCheckNonce ($message, $endpoint)
	private More...

	_idResCheckForFields ($message)
	private More...

	_checkAuth ($message, $server_url)
	private More...

	_createCheckAuthRequest ($message)
	private More...

	_processCheckAuthResponse ($response, $server_url)
	private More...

	_makeKVPost ($message, $server_url)
	private More...

	_getAssociation ($endpoint)
	private More...

	_extractSupportedAssociationType ($server_error, $endpoint, $assoc_type)
	Handle ServerErrors resulting from association requests. More...

	_negotiateAssociation ($endpoint)
	private More...

	_requestAssociation ($endpoint, $assoc_type, $session_type)
	private More...

	_extractAssociation ($assoc_response, $assoc_session)
	private More...

	_createAssociateRequest ($endpoint, $assoc_type, $session_type)
	private More...

	_getOpenID1SessionType ($assoc_response)
	Given an association response message, extract the OpenID 1.X session type. More...

Static Public Member Functions
static	_httpResponseToMessage ($response, $server_url)
	Adapt a POST response to a Message. More...

Data Fields
	$discoverMethod = 'Auth_OpenID_discover'
	private More...

	$store
	This consumer's store object. More...

	$_use_assocs
	private More...

	$openid1_nonce_query_arg_name = 'janrain_nonce'
	private More...

	$openid1_return_to_identifier_name = 'openid1_claimed_id'
	Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is lost, use this claimed identifier to do discovery when verifying the response. More...

Detailed Description

Definition at line 568 of file Consumer.php.

Member Function Documentation

◆ _checkAuth()

Auth_OpenID_GenericConsumer::_checkAuth	(	$message,
		$server_url
	)

private

Definition at line 1334 of file Consumer.php.

     {
         $request = $this->_createCheckAuthRequest($message);
         if ($request === null) {
             return false;
         }
 
         $resp_message = $this->_makeKVPost($request, $server_url);
         if (($resp_message === null) ||
             (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
             return false;
         }
 
         return $this->_processCheckAuthResponse($resp_message, $server_url);
     }

◆ _checkReturnTo()

Auth_OpenID_GenericConsumer::_checkReturnTo	(	$message,
		$return_to
	)

private

Definition at line 813 of file Consumer.php.

References $result, _verifyReturnToArgs(), Auth_OpenID\arrayGet(), Auth_OpenID_OPENID_NS, Auth_OpenID_urinorm(), and Auth_OpenID\isFailure().

     {
         // Check an OpenID message and its openid.return_to value
         // against a return_to URL from an application.  Return True
         // on success, False on failure.
 
         // Check the openid.return_to args against args in the
         // original message.
         $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs(
                                            $message->toPostArgs());
         if (Auth_OpenID::isFailure($result)) {
             return false;
         }
 
         // Check the return_to base URL against the one in the
         // message.
         $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
                                           'return_to');
         if (Auth_OpenID::isFailure($return_to)) {
             // XXX log me
             return false;
         }
 
         $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
         $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));
 
         // If port is absent from both, add it so it's equal in the
         // check below.
         if ((!array_key_exists('port', $return_to_parts)) &&
             (!array_key_exists('port', $msg_return_to_parts))) {
             $return_to_parts['port'] = null;
             $msg_return_to_parts['port'] = null;
         }
 
         // If path is absent from both, add it so it's equal in the
         // check below.
         if ((!array_key_exists('path', $return_to_parts)) &&
             (!array_key_exists('path', $msg_return_to_parts))) {
             $return_to_parts['path'] = null;
             $msg_return_to_parts['path'] = null;
         }
 
         // The URL scheme, authority, and path MUST be the same
         // between the two URLs.
         foreach (array('scheme', 'host', 'port', 'path') as $component) {
             // If the url component is absent in either URL, fail.
             // There should always be a scheme, host, port, and path.
             if (!array_key_exists($component, $return_to_parts)) {
                 return false;
             }
 
             if (!array_key_exists($component, $msg_return_to_parts)) {
                 return false;
             }
 
             if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
                 Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
                 return false;
             }
         }
 
         return true;
     }

Here is the call graph for this function:

◆ _checkSetupNeeded()

Auth_OpenID_GenericConsumer::_checkSetupNeeded ( $message )

private

Definition at line 738 of file Consumer.php.

References Auth_OpenID_OPENID1_NS.

     {
         // In OpenID 1, we check to see if this is a cancel from
         // immediate mode by the presence of the user_setup_url
         // parameter.
         if ($message->isOpenID1()) {
             $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
                                                'user_setup_url');
             if ($user_setup_url !== null) {
                 return true;
             }
         }
 
         return false;
     }

◆ _complete_cancel()

Auth_OpenID_GenericConsumer::_complete_cancel	(	$message,
		$endpoint,
		$unused
	)

private

Definition at line 687 of file Consumer.php.

     {
         return new Auth_OpenID_CancelResponse($endpoint);
     }

◆ _complete_error()

Auth_OpenID_GenericConsumer::_complete_error	(	$message,
		$endpoint,
		$unused
	)

private

Definition at line 695 of file Consumer.php.

References Auth_OpenID_OPENID_NS.

     {
         $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
         $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
         $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');
 
         return new Auth_OpenID_FailureResponse($endpoint, $error,
                                                $contact, $reference);
     }

◆ _complete_id_res()

Auth_OpenID_GenericConsumer::_complete_id_res	(	$message,
		$endpoint,
		$return_to
	)

private

Definition at line 722 of file Consumer.php.

References Auth_OpenID_OPENID1_NS.

     {
         $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
                                            'user_setup_url');
 
         if ($this->_checkSetupNeeded($message)) {
             return new Auth_OpenID_SetupNeededResponse(
                 $endpoint, $user_setup_url);
         } else {
             return $this->_doIdRes($message, $endpoint, $return_to);
         }
     }

◆ _complete_setup_needed()

Auth_OpenID_GenericConsumer::_complete_setup_needed	(	$message,
		$endpoint,
		$unused
	)

private

Definition at line 708 of file Consumer.php.

References Auth_OpenID_OPENID2_NS.

     {
         if (!$message->isOpenID2()) {
             return $this->_completeInvalid($message, $endpoint);
         }
 
         $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
                                            'user_setup_url');
         return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url);
     }

◆ _completeInvalid()

Auth_OpenID_GenericConsumer::_completeInvalid	(	$message,
		$endpoint,
		$unused
	)

private

Definition at line 675 of file Consumer.php.

References Auth_OpenID_OPENID_NS.

     {
         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
                                  '<No mode set>');
 
         return new Auth_OpenID_FailureResponse($endpoint,
                     sprintf("Invalid openid.mode '%s'", $mode));
     }

◆ _createAssociateRequest()

Auth_OpenID_GenericConsumer::_createAssociateRequest	(	$endpoint,
		$assoc_type,
		$session_type
	)

private

Definition at line 1661 of file Consumer.php.

References Auth_OpenID_OPENID2_NS, and Auth_OpenID_Message\fromOpenIDArgs().

     {
         if (array_key_exists($session_type, $this->session_types)) {
             $session_type_class = $this->session_types[$session_type];
 
             if (is_callable($session_type_class)) {
                 $assoc_session = $session_type_class();
             } else {
                 $assoc_session = new $session_type_class();
             }
         } else {
             return null;
         }
 
         $args = array(
             'mode' => 'associate',
             'assoc_type' => $assoc_type);
 
         if (!$endpoint->compatibilityMode()) {
             $args['ns'] = Auth_OpenID_OPENID2_NS;
         }
 
         // Leave out the session type if we're in compatibility mode
         // *and* it's no-encryption.
         if ((!$endpoint->compatibilityMode()) ||
             ($assoc_session->session_type != 'no-encryption')) {
             $args['session_type'] = $assoc_session->session_type;
         }
 
         $args = array_merge($args, $assoc_session->getRequest());
         $message = Auth_OpenID_Message::fromOpenIDArgs($args);
         return array($assoc_session, $message);
     }

Here is the call graph for this function:

◆ _createCheckAuthRequest()

Auth_OpenID_GenericConsumer::_createCheckAuthRequest ( $message )

private

Definition at line 1353 of file Consumer.php.

References Auth_OpenID_OPENID_NS.

     {
         $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
         if ($signed) {
             foreach (explode(',', $signed) as $k) {
                 $value = $message->getAliasedArg($k);
                 if ($value === null) {
                     return null;
                 }
             }
         }
         $ca_message = $message->copy();
         $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', 
                             'check_authentication');
         return $ca_message;
     }

◆ _discoverAndVerify()

Auth_OpenID_GenericConsumer::_discoverAndVerify	(	$claimed_id,
		$to_match_endpoints
	)

private

Definition at line 1179 of file Consumer.php.

     {
         // oidutil.log('Performing discovery on %s' % (claimed_id,))
         list($unused, $services) = call_user_func($this->discoverMethod,
                                                   $claimed_id,
                                                                                                   $this->fetcher); // fixed php 5.4 compatability
 
         if (!$services) {
             return new Auth_OpenID_FailureResponse(null,
               sprintf("No OpenID information found at %s",
                       $claimed_id));
         }
 
         return $this->_verifyDiscoveryServices($claimed_id, $services,
                                                $to_match_endpoints);
     }

◆ _doIdRes()

Auth_OpenID_GenericConsumer::_doIdRes	(	$message,
		$endpoint,
		$return_to
	)

private

Definition at line 757 of file Consumer.php.

References $result, Auth_OpenID\addPrefix(), Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().

     {
         // Checks for presence of appropriate fields (and checks
         // signed list fields)
         $result = $this->_idResCheckForFields($message);
 
         if (Auth_OpenID::isFailure($result)) {
             return $result;
         }
 
         if (!$this->_checkReturnTo($message, $return_to)) {
             return new Auth_OpenID_FailureResponse(null,
             sprintf("return_to does not match return URL. Expected %s, got %s",
                     $return_to,
                     $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
         }
 
         // Verify discovery information:
         $result = $this->_verifyDiscoveryResults($message, $endpoint);
 
         if (Auth_OpenID::isFailure($result)) {
             return $result;
         }
 
         $endpoint = $result;
 
         $result = $this->_idResCheckSignature($message,
                                               $endpoint->server_url);
 
         if (Auth_OpenID::isFailure($result)) {
             return $result;
         }
 
         $result = $this->_idResCheckNonce($message, $endpoint);
 
         if (Auth_OpenID::isFailure($result)) {
             return $result;
         }
 
         $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed',
                                             Auth_OpenID_NO_DEFAULT);
         if (Auth_OpenID::isFailure($signed_list_str)) {
             return $signed_list_str;
         }
         $signed_list = explode(',', $signed_list_str);
 
         $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
 
         return new Auth_OpenID_SuccessResponse($endpoint, $message,
                                                $signed_fields);
 
     }

Here is the call graph for this function:

◆ _extractAssociation()

Auth_OpenID_GenericConsumer::_extractAssociation	(	$assoc_response,
		$assoc_session
	)

private

Definition at line 1569 of file Consumer.php.

References Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID2_NS, Auth_OpenID_OPENID_NS, Auth_OpenID_Association\fromExpiresIn(), Auth_OpenID\intval(), and Auth_OpenID\isFailure().

     {
         // Extract the common fields from the response, raising an
         // exception if they are not found
         $assoc_type = $assoc_response->getArg(
                          Auth_OpenID_OPENID_NS, 'assoc_type',
                          Auth_OpenID_NO_DEFAULT);
 
         if (Auth_OpenID::isFailure($assoc_type)) {
             return $assoc_type;
         }
 
         $assoc_handle = $assoc_response->getArg(
                            Auth_OpenID_OPENID_NS, 'assoc_handle',
                            Auth_OpenID_NO_DEFAULT);
 
         if (Auth_OpenID::isFailure($assoc_handle)) {
             return $assoc_handle;
         }
 
         // expires_in is a base-10 string. The Python parsing will
         // accept literals that have whitespace around them and will
         // accept negative values. Neither of these are really in-spec,
         // but we think it's OK to accept them.
         $expires_in_str = $assoc_response->getArg(
                              Auth_OpenID_OPENID_NS, 'expires_in',
                              Auth_OpenID_NO_DEFAULT);
 
         if (Auth_OpenID::isFailure($expires_in_str)) {
             return $expires_in_str;
         }
 
         $expires_in = Auth_OpenID::intval($expires_in_str);
         if ($expires_in === false) {
             
             $err = sprintf("Could not parse expires_in from association ".
                            "response %s", print_r($assoc_response, true));
             return new Auth_OpenID_FailureResponse(null, $err);
         }
 
         // OpenID 1 has funny association session behaviour.
         if ($assoc_response->isOpenID1()) {
             $session_type = $this->_getOpenID1SessionType($assoc_response);
         } else {
             $session_type = $assoc_response->getArg(
                                Auth_OpenID_OPENID2_NS, 'session_type',
                                Auth_OpenID_NO_DEFAULT);
 
             if (Auth_OpenID::isFailure($session_type)) {
                 return $session_type;
             }
         }
 
         // Session type mismatch
         if ($assoc_session->session_type != $session_type) {
             if ($assoc_response->isOpenID1() &&
                 ($session_type == 'no-encryption')) {
                 // In OpenID 1, any association request can result in
                 // a 'no-encryption' association response. Setting
                 // assoc_session to a new no-encryption session should
                 // make the rest of this function work properly for
                 // that case.
                 $assoc_session = new Auth_OpenID_PlainTextConsumerSession();
             } else {
                 // Any other mismatch, regardless of protocol version
                 // results in the failure of the association session
                 // altogether.
                 return null;
             }
         }
 
         // Make sure assoc_type is valid for session_type
         if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
             return null;
         }
 
         // Delegate to the association session to extract the secret
         // from the response, however is appropriate for that session
         // type.
         $secret = $assoc_session->extractSecret($assoc_response);
 
         if ($secret === null) {
             return null;
         }
 
         return Auth_OpenID_Association::fromExpiresIn(
                  $expires_in, $assoc_handle, $secret, $assoc_type);
     }

Here is the call graph for this function:

◆ _extractSupportedAssociationType()

Auth_OpenID_GenericConsumer::_extractSupportedAssociationType	(	$server_error,
		$endpoint,
		$assoc_type
	)

Handle ServerErrors resulting from association requests.

Returns: $result If server replied with an C{unsupported-type} error, return a tuple of supported C{association_type}, C{session_type}. Otherwise logs the error and returns null.

private

Definition at line 1464 of file Consumer.php.

References Auth_OpenID_OPENID_NS.

     {
         // Any error message whose code is not 'unsupported-type'
         // should be considered a total failure.
         if (($server_error->error_code != 'unsupported-type') ||
             ($server_error->message->isOpenID1())) {
             return null;
         }
 
         // The server didn't like the association/session type that we
         // sent, and it sent us back a message that might tell us how
         // to handle it.
 
         // Extract the session_type and assoc_type from the error
         // message
         $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
                                                      'assoc_type');
 
         $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
                                                        'session_type');
 
         if (($assoc_type === null) || ($session_type === null)) {
             return null;
         } else if (!$this->negotiator->isAllowed($assoc_type,
                                                  $session_type)) {
             return null;
         } else {
           return array($assoc_type, $session_type);
         }
     }

◆ _getAssociation()

Auth_OpenID_GenericConsumer::_getAssociation ( $endpoint )

private

Definition at line 1433 of file Consumer.php.

     {
         if (!$this->_use_assocs) {
             return null;
         }
 
         $assoc = $this->store->getAssociation($endpoint->server_url);
 
         if (($assoc === null) ||
             ($assoc->getExpiresIn() <= 0)) {
 
             $assoc = $this->_negotiateAssociation($endpoint);
 
             if ($assoc !== null) {
                 $this->store->storeAssociation($endpoint->server_url,
                                                $assoc);
             }
         }
 
         return $assoc;
     }

◆ _getOpenID1SessionType()

Auth_OpenID_GenericConsumer::_getOpenID1SessionType ( $assoc_response )

Given an association response message, extract the OpenID 1.X session type.

This function mostly takes care of the 'no-encryption' default behavior in OpenID 1.

If the association type is plain-text, this function will return 'no-encryption'

private

Returns: $typ The association type for this message

Definition at line 1708 of file Consumer.php.

References Auth_OpenID_OPENID1_NS.

     {
         // If it's an OpenID 1 message, allow session_type to default
         // to None (which signifies "no-encryption")
         $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS,
                                                 'session_type');
 
         // Handle the differences between no-encryption association
         // respones in OpenID 1 and 2:
 
         // no-encryption is not really a valid session type for OpenID
         // 1, but we'll accept it anyway, while issuing a warning.
         if ($session_type == 'no-encryption') {
             // oidutil.log('WARNING: OpenID server sent "no-encryption"'
             //             'for OpenID 1.X')
         } else if (($session_type == '') || ($session_type === null)) {
             // Missing or empty session type is the way to flag a
             // 'no-encryption' response. Change the session type to
             // 'no-encryption' so that it can be handled in the same
             // way as OpenID 2 'no-encryption' respones.
             $session_type = 'no-encryption';
         }
 
         return $session_type;
     }

◆ _httpResponseToMessage()

static Auth_OpenID_GenericConsumer::_httpResponseToMessage	(	$response,
		$server_url
	)

static

Adapt a POST response to a Message.

Parameters

$response Result of a POST to an OpenID endpoint.

private

Definition at line 1400 of file Consumer.php.

References Auth_OpenID_Message\fromKVForm(), and Auth_OpenID_ServerErrorContainer\fromMessage().

     {
         // Should this function be named Message.fromHTTPResponse instead?
         $response_message = Auth_OpenID_Message::fromKVForm($response->body);
 
         if ($response->status == 400) {
             return Auth_OpenID_ServerErrorContainer::fromMessage(
                         $response_message);
         } else if ($response->status != 200 and $response->status != 206) {
             return null;
         }
 
         return $response_message;
     }

Here is the call graph for this function:

◆ _idResCheckForFields()

Auth_OpenID_GenericConsumer::_idResCheckForFields ( $message )

private

Definition at line 1281 of file Consumer.php.

References Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID1_NS, Auth_OpenID_OPENID2_NS, Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().

     {
         $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
         $basic_sig_fields = array('return_to', 'identity');
 
         $require_fields = array(
             Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
                                                   array('op_endpoint')),
 
             Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
                                                   array('identity'))
             );
 
         $require_sigs = array(
             Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
                                                   array('response_nonce',
                                                         'claimed_id',
                                                         'assoc_handle',
                                                         'op_endpoint')),
             Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
                                                   array('nonce'))
             );
 
         foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
             if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
                 return new Auth_OpenID_FailureResponse(null,
                              "Missing required field '".$field."'");
             }
         }
 
         $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
                                             'signed',
                                             Auth_OpenID_NO_DEFAULT);
         if (Auth_OpenID::isFailure($signed_list_str)) {
             return $signed_list_str;
         }
         $signed_list = explode(',', $signed_list_str);
 
         foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
             // Field is present and not in signed list
             if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
                 (!in_array($field, $signed_list))) {
                 return new Auth_OpenID_FailureResponse(null,
                              "'".$field."' not signed");
             }
         }
 
         return null;
     }

Here is the call graph for this function:

◆ _idResCheckNonce()

Auth_OpenID_GenericConsumer::_idResCheckNonce	(	$message,
		$endpoint
	)

private

Definition at line 1243 of file Consumer.php.

References $timestamp, Auth_OpenID_OPENID2_NS, and Auth_OpenID_splitNonce().

     {
         if ($message->isOpenID1()) {
             // This indicates that the nonce was generated by the consumer
             $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
             $server_url = '';
         } else {
             $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
                                       'response_nonce');
 
             $server_url = $endpoint->server_url;
         }
 
         if ($nonce === null) {
             return new Auth_OpenID_FailureResponse($endpoint,
                                      "Nonce missing from response");
         }
 
         $parts = Auth_OpenID_splitNonce($nonce);
 
         if ($parts === null) {
             return new Auth_OpenID_FailureResponse($endpoint,
                                      "Malformed nonce in response");
         }
 
         list($timestamp, $salt) = $parts;
 
         if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
             return new Auth_OpenID_FailureResponse($endpoint,
                          "Nonce already used or out of range");
         }
 
         return null;
     }

Here is the call graph for this function:

◆ _idResCheckSignature()

Auth_OpenID_GenericConsumer::_idResCheckSignature	(	$message,
		$server_url
	)

private

Definition at line 937 of file Consumer.php.

References Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().

     {
         $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
                                          'assoc_handle');
         if (Auth_OpenID::isFailure($assoc_handle)) {
             return $assoc_handle;
         }
 
         $assoc = $this->store->getAssociation($server_url, $assoc_handle);
 
         if ($assoc) {
             if ($assoc->getExpiresIn() <= 0) {
                 // XXX: It might be a good idea sometimes to re-start
                 // the authentication with a new association. Doing it
                 // automatically opens the possibility for
                 // denial-of-service by a server that just returns
                 // expired associations (or really short-lived
                 // associations)
                 return new Auth_OpenID_FailureResponse(null,
                              'Association with ' . $server_url . ' expired');
             }
 
             if (!$assoc->checkMessageSignature($message)) {
                 return new Auth_OpenID_FailureResponse(null,
                                                        "Bad signature");
             }
         } else {
             // It's not an association we know about.  Stateless mode
             // is our only possible path for recovery.  XXX - async
             // framework will not want to block on this call to
             // _checkAuth.
             if (!$this->_checkAuth($message, $server_url)) {
                 return new Auth_OpenID_FailureResponse(null,
                              "Server denied check_authentication");
             }
         }
 
         return null;
     }

Here is the call graph for this function:

◆ _idResGetNonceOpenID1()

Auth_OpenID_GenericConsumer::_idResGetNonceOpenID1	(	$message,
		$endpoint
	)

Extract the nonce from an OpenID 1 response.

Return the nonce from the BARE_NS since we independently check the return_to arguments are the same as those in the response message.

See the openid1_nonce_query_arg_name class variable

Returns: $nonce The nonce as a string or null

private

Definition at line 1234 of file Consumer.php.

References Auth_OpenID_BARE_NS.

     {
         return $message->getArg(Auth_OpenID_BARE_NS,
                                 $this->openid1_nonce_query_arg_name);
     }

◆ _makeKVPost()

Auth_OpenID_GenericConsumer::_makeKVPost	(	$message,
		$server_url
	)

private

Definition at line 1418 of file Consumer.php.

     {
         $body = $message->toURLEncoded();
         $resp = $this->fetcher->post($server_url, $body);
 
         if ($resp === null) {
             return null;
         }
 
         return $this->_httpResponseToMessage($resp, $server_url);
     }

◆ _negotiateAssociation()

Auth_OpenID_GenericConsumer::_negotiateAssociation ( $endpoint )

private

Definition at line 1499 of file Consumer.php.

References Auth_OpenID\isFailure().

     {
         // Get our preferred session/association type from the negotiatior.
         list($assoc_type, $session_type) = $this->negotiator->getAllowedType();
 
         $assoc = $this->_requestAssociation(
                            $endpoint, $assoc_type, $session_type);
 
         if (Auth_OpenID::isFailure($assoc)) {
             return null;
         }
 
         if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
             $why = $assoc;
 
             $supportedTypes = $this->_extractSupportedAssociationType(
                                      $why, $endpoint, $assoc_type);
 
             if ($supportedTypes !== null) {
                 list($assoc_type, $session_type) = $supportedTypes;
 
                 // Attempt to create an association from the assoc_type
                 // and session_type that the server told us it
                 // supported.
                 $assoc = $this->_requestAssociation(
                                    $endpoint, $assoc_type, $session_type);
 
                 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
                     // Do not keep trying, since it rejected the
                     // association type that it told us to use.
                     // oidutil.log('Server %s refused its suggested association
                     //             'type: session_type=%s, assoc_type=%s'
                     //             % (endpoint.server_url, session_type,
                     //                assoc_type))
                     return null;
                 } else {
                     return $assoc;
                 }
             } else {
                 return null;
             }
         } else {
             return $assoc;
         }
     }

Here is the call graph for this function:

◆ _processCheckAuthResponse()

Auth_OpenID_GenericConsumer::_processCheckAuthResponse	(	$response,
		$server_url
	)

private

Definition at line 1373 of file Consumer.php.

References Auth_OpenID_OPENID_NS.

     {
         $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid',
                                       'false');
 
         $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
                                                'invalidate_handle');
 
         if ($invalidate_handle !== null) {
             $this->store->removeAssociation($server_url,
                                             $invalidate_handle);
         }
 
         if ($is_valid == 'true') {
             return true;
         }
 
         return false;
     }

◆ _requestAssociation()

Auth_OpenID_GenericConsumer::_requestAssociation	(	$endpoint,
		$assoc_type,
		$session_type
	)

private

Definition at line 1548 of file Consumer.php.

     {
         list($assoc_session, $args) = $this->_createAssociateRequest(
                                       $endpoint, $assoc_type, $session_type);
 
         $response_message = $this->_makeKVPost($args, $endpoint->server_url);
 
         if ($response_message === null) {
             // oidutil.log('openid.associate request failed: %s' % (why[0],))
             return null;
         } else if (is_a($response_message,
                         'Auth_OpenID_ServerErrorContainer')) {
             return $response_message;
         }
 
         return $this->_extractAssociation($response_message, $assoc_session);
     }

◆ _verifyDiscoveryResults()

Auth_OpenID_GenericConsumer::_verifyDiscoveryResults	(	$message,
		$endpoint = `null`
	)

private

Definition at line 980 of file Consumer.php.

References Auth_OpenID_OPENID2_NS.

     {
         if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) {
             return $this->_verifyDiscoveryResultsOpenID2($message,
                                                          $endpoint);
         } else {
             return $this->_verifyDiscoveryResultsOpenID1($message,
                                                          $endpoint);
         }
     }

◆ _verifyDiscoveryResultsOpenID1()

Auth_OpenID_GenericConsumer::_verifyDiscoveryResultsOpenID1	(	$message,
		$endpoint
	)

private

Definition at line 994 of file Consumer.php.

References $result, Auth_OpenID_BARE_NS, Auth_OpenID_OPENID1_NS, Auth_OpenID_TYPE_1_0, Auth_OpenID_TYPE_1_1, and Auth_OpenID\isFailure().

     {
         $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
                                 $this->openid1_return_to_identifier_name);
 
         if (($endpoint === null) && ($claimed_id === null)) {
             return new Auth_OpenID_FailureResponse($endpoint,
               'When using OpenID 1, the claimed ID must be supplied, ' .
               'either by passing it through as a return_to parameter ' .
               'or by using a session, and supplied to the GenericConsumer ' .
               'as the argument to complete()');
         } else if (($endpoint !== null) && ($claimed_id === null)) {
             $claimed_id = $endpoint->claimed_id;
         }
 
         $to_match = new Auth_OpenID_ServiceEndpoint();
         $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
         $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
                                                'identity');
 
         // Restore delegate information from the initiation phase
         $to_match->claimed_id = $claimed_id;
 
         if ($to_match->local_id === null) {
             return new Auth_OpenID_FailureResponse($endpoint,
                          "Missing required field openid.identity");
         }
 
         $to_match_1_0 = $to_match->copy();
         $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);
 
         if ($endpoint !== null) {
             $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
 
             if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) {
                 $result = $this->_verifyDiscoverySingle($endpoint,
                                                         $to_match_1_0);
             }
 
             if (Auth_OpenID::isFailure($result)) {
                 // oidutil.log("Error attempting to use stored
                 //             discovery information: " + str(e))
                 //             oidutil.log("Attempting discovery to
                 //             verify endpoint")
             } else {
                 return $endpoint;
             }
         }
 
         // Endpoint is either bad (failed verification) or None
         return $this->_discoverAndVerify($to_match->claimed_id,
                                          array($to_match, $to_match_1_0));
     }

Here is the call graph for this function:

◆ _verifyDiscoveryResultsOpenID2()

Auth_OpenID_GenericConsumer::_verifyDiscoveryResultsOpenID2	(	$message,
		$endpoint
	)

private

Definition at line 1103 of file Consumer.php.

References $result, Auth_OpenID_OPENID2_NS, Auth_OpenID_TYPE_2_0, Auth_OpenID_ServiceEndpoint\fromOPEndpointURL(), and Auth_OpenID\isFailure().

     {
         $to_match = new Auth_OpenID_ServiceEndpoint();
         $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
         $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
                                                  'claimed_id');
 
         $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
                                                 'identity');
 
         $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
                                                  'op_endpoint');
 
         if ($to_match->server_url === null) {
             return new Auth_OpenID_FailureResponse($endpoint,
                          "OP Endpoint URL missing");
         }
 
         // claimed_id and identifier must both be present or both be
         // absent
         if (($to_match->claimed_id === null) &&
             ($to_match->local_id !== null)) {
             return new Auth_OpenID_FailureResponse($endpoint,
               'openid.identity is present without openid.claimed_id');
         }
 
         if (($to_match->claimed_id !== null) &&
             ($to_match->local_id === null)) {
             return new Auth_OpenID_FailureResponse($endpoint,
               'openid.claimed_id is present without openid.identity');
         }
 
         if ($to_match->claimed_id === null) {
             // This is a response without identifiers, so there's
             // really no checking that we can do, so return an
             // endpoint that's for the specified `openid.op_endpoint'
             return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL(
                                                 $to_match->server_url);
         }
 
         if (!$endpoint) {
             // The claimed ID doesn't match, so we have to do
             // discovery again. This covers not using sessions, OP
             // identifier endpoints and responses that didn't match
             // the original request.
             // oidutil.log('No pre-discovered information supplied.')
             return $this->_discoverAndVerify($to_match->claimed_id,
                                              array($to_match));
         } else {
 
             // The claimed ID matches, so we use the endpoint that we
             // discovered in initiation. This should be the most
             // common case.
             $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
 
             if (Auth_OpenID::isFailure($result)) {
                 $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
                                                       array($to_match));
                 if (Auth_OpenID::isFailure($endpoint)) {
                     return $endpoint;
                 }
             }
         }
 
         // The endpoint we return should have the claimed ID from the
         // message we just verified, fragment and all.
         if ($endpoint->claimed_id != $to_match->claimed_id) {
             $endpoint->claimed_id = $to_match->claimed_id;
         }
 
         return $endpoint;
     }

Here is the call graph for this function:

◆ _verifyDiscoveryServices()

Auth_OpenID_GenericConsumer::_verifyDiscoveryServices	(	$claimed_id,
		$services,
		$to_match_endpoints
	)

private

Definition at line 1199 of file Consumer.php.

References $result, and Auth_OpenID\isFailure().

     {
         // Search the services resulting from discovery to find one
         // that matches the information from the assertion
 
         foreach ($services as $endpoint) {
             foreach ($to_match_endpoints as $to_match_endpoint) {
                 $result = $this->_verifyDiscoverySingle($endpoint, 
                                                         $to_match_endpoint);
 
                 if (!Auth_OpenID::isFailure($result)) {
                     // It matches, so discover verification has
                     // succeeded. Return this endpoint.
                     return $endpoint;
                 }
             }
         }
 
         return new Auth_OpenID_FailureResponse(null,
           sprintf('No matching endpoint found after discovering %s: %s',
                   $claimed_id, $result->message));
     }

Here is the call graph for this function:

◆ _verifyDiscoverySingle()

Auth_OpenID_GenericConsumer::_verifyDiscoverySingle	(	$endpoint,
		$to_match
	)

private

Definition at line 1051 of file Consumer.php.

References Auth_OpenID_OPENID1_NS, and Auth_OpenID\urldefrag().

     {
         // Every type URI that's in the to_match endpoint has to be
         // present in the discovered endpoint.
         foreach ($to_match->type_uris as $type_uri) {
             if (!$endpoint->usesExtension($type_uri)) {
                 return new Auth_OpenID_TypeURIMismatch($endpoint,
                              "Required type ".$type_uri." not present");
             }
         }
 
         // Fragments do not influence discovery, so we can't compare a
         // claimed identifier with a fragment to discovered
         // information.
         list($defragged_claimed_id, $_) =
             Auth_OpenID::urldefrag($to_match->claimed_id);
 
         if ($defragged_claimed_id != $endpoint->claimed_id) {
             return new Auth_OpenID_FailureResponse($endpoint,
               sprintf('Claimed ID does not match (different subjects!), ' .
                       'Expected %s, got %s', $defragged_claimed_id,
                       $endpoint->claimed_id));
         }
 
         if ($to_match->getLocalID() != $endpoint->getLocalID()) {
             return new Auth_OpenID_FailureResponse($endpoint,
               sprintf('local_id mismatch. Expected %s, got %s',
                       $to_match->getLocalID(), $endpoint->getLocalID()));
         }
 
         // If the server URL is None, this must be an OpenID 1
         // response, because op_endpoint is a required parameter in
         // OpenID 2. In that case, we don't actually care what the
         // discovered server_url is, because signature checking or
         // check_auth should take care of that check for us.
         if ($to_match->server_url === null) {
             if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) {
                 return new Auth_OpenID_FailureResponse($endpoint,
                              "Preferred namespace mismatch (bug)");
             }
         } else if ($to_match->server_url != $endpoint->server_url) {
             return new Auth_OpenID_FailureResponse($endpoint,
               sprintf('OP Endpoint mismatch. Expected %s, got %s',
                       $to_match->server_url, $endpoint->server_url));
         }
 
         return null;
     }

Here is the call graph for this function:

◆ _verifyReturnToArgs()

Auth_OpenID_GenericConsumer::_verifyReturnToArgs ( $query )

private

Definition at line 880 of file Consumer.php.

References $query, Auth_OpenID\arrayGet(), Auth_OpenID_BARE_NS, Auth_OpenID_OPENID_NS, Auth_OpenID_Message\fromPostArgs(), Auth_OpenID\isFailure(), and Auth_OpenID\parse_str().

Referenced by _checkReturnTo().

     {
         // Verify that the arguments in the return_to URL are present in this
         // response.
 
         $message = Auth_OpenID_Message::fromPostArgs($query);
         $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
 
         if (Auth_OpenID::isFailure($return_to)) {
             return $return_to;
         }
         // XXX: this should be checked by _idResCheckForFields
         if (!$return_to) {
             return new Auth_OpenID_FailureResponse(null,
                            "Response has no return_to");
         }
 
         $parsed_url = parse_url($return_to);
 
         $q = array();
         if (array_key_exists('query', $parsed_url)) {
             $rt_query = $parsed_url['query'];
             $q = Auth_OpenID::parse_str($rt_query);
         }
 
         foreach ($q as $rt_key => $rt_value) {
             if (!array_key_exists($rt_key, $query)) {
                 return new Auth_OpenID_FailureResponse(null,
                   sprintf("return_to parameter %s absent from query", $rt_key));
             } else {
                 $value = $query[$rt_key];
                 if ($rt_value != $value) {
                     return new Auth_OpenID_FailureResponse(null,
                       sprintf("parameter %s value %s does not match " .
                               "return_to value %s", $rt_key,
                               $value, $rt_value));
                 }
             }
         }
 
         // Make sure all non-OpenID arguments in the response are also
         // in the signed return_to.
         $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
         foreach ($bare_args as $key => $value) {
             if (Auth_OpenID::arrayGet($q, $key) != $value) {
                 return new Auth_OpenID_FailureResponse(null,
                   sprintf("Parameter %s = %s not in return_to URL",
                           $key, $value));
             }
         }
 
         return true;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ Auth_OpenID_GenericConsumer()

Auth_OpenID_GenericConsumer::Auth_OpenID_GenericConsumer ( $store )

This method initializes a new Auth_OpenID_Consumer instance to access the library.

Parameters

Auth_OpenID_OpenIDStore	$store	This must be an object that implements the interface in Auth_OpenID_OpenIDStore. Several concrete implementations are provided, to cover most common use cases. For stores backed by MySQL, PostgreSQL, or SQLite, see the Auth_OpenID_SQLStore class and its sublcasses. For a filesystem-backed store, see the Auth_OpenID_FileStore module. As a last resort, if it isn't possible for the server to store state at all, an instance of Auth_OpenID_DumbStore can be used.
bool	$immediate	This is an optional boolean value. It controls whether the library uses immediate mode, as explained in the module description. The default value is False, which disables immediate mode.

Definition at line 614 of file Consumer.php.

References Auth_OpenID_getAvailableSessionTypes(), Auth_OpenID_getDefaultNegotiator(), and Auth_Yadis_Yadis\getHTTPFetcher().

     {
         $this->store = $store;
         $this->negotiator = Auth_OpenID_getDefaultNegotiator();
         $this->_use_assocs = (is_null($this->store) ? false : true);
 
         $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
 
         $this->session_types = Auth_OpenID_getAvailableSessionTypes();
     }

Here is the call graph for this function:

◆ begin()

Auth_OpenID_GenericConsumer::begin ( $service_endpoint )

Called to begin OpenID authentication using the specified Auth_OpenID_ServiceEndpoint.

private

Definition at line 631 of file Consumer.php.

References $r, and Auth_OpenID_mkNonce().

     {
         $assoc = $this->_getAssociation($service_endpoint);
         $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
         $r->return_to_args[$this->openid1_nonce_query_arg_name] =
             Auth_OpenID_mkNonce();
 
         if ($r->message->isOpenID1()) {
             $r->return_to_args[$this->openid1_return_to_identifier_name] =
                 $r->endpoint->claimed_id;
         }
 
         return $r;
     }

Here is the call graph for this function:

◆ complete()

Auth_OpenID_GenericConsumer::complete	(	$message,
		$endpoint,
		$return_to
	)

Given an Auth_OpenID_Message, Auth_OpenID_ServiceEndpoint and optional return_to URL, complete OpenID authentication.

private

Definition at line 653 of file Consumer.php.

References Auth_OpenID\arrayGet(), and Auth_OpenID_OPENID_NS.

     {
         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
                                  '<no mode set>');
 
         $mode_methods = array(
                               'cancel' => '_complete_cancel',
                               'error' => '_complete_error',
                               'setup_needed' => '_complete_setup_needed',
                               'id_res' => '_complete_id_res',
                               );
 
         $method = Auth_OpenID::arrayGet($mode_methods, $mode,
                                         '_completeInvalid');
 
         return call_user_func_array(array($this, $method),
                                     array($message, &$endpoint, $return_to));
     }

Here is the call graph for this function:

Field Documentation

◆ $_use_assocs

Auth_OpenID_GenericConsumer::$_use_assocs

private

Definition at line 582 of file Consumer.php.

◆ $discoverMethod

Auth_OpenID_GenericConsumer::$discoverMethod = 'Auth_OpenID_discover'

private

Definition at line 572 of file Consumer.php.

◆ $openid1_nonce_query_arg_name

Auth_OpenID_GenericConsumer::$openid1_nonce_query_arg_name = 'janrain_nonce'

private

Definition at line 587 of file Consumer.php.

◆ $openid1_return_to_identifier_name

Auth_OpenID_GenericConsumer::$openid1_return_to_identifier_name = 'openid1_claimed_id'

Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is lost, use this claimed identifier to do discovery when verifying the response.

Definition at line 594 of file Consumer.php.

◆ $store

Auth_OpenID_GenericConsumer::$store

This consumer's store object.

Definition at line 577 of file Consumer.php.

The documentation for this class was generated from the following file:

Services/OpenId/lib/Auth/OpenID/Consumer.php

Public Member Functions

Static Public Member Functions

Data Fields

Detailed Description

Member Function Documentation

◆ _checkAuth()

◆ _checkReturnTo()

◆ _checkSetupNeeded()

◆ _complete_cancel()

◆ _complete_error()

◆ _complete_id_res()

◆ _complete_setup_needed()

◆ _completeInvalid()

◆ _createAssociateRequest()

◆ _createCheckAuthRequest()

◆ _discoverAndVerify()

◆ _doIdRes()

◆ _extractAssociation()

◆ _extractSupportedAssociationType()

◆ _getAssociation()

◆ _getOpenID1SessionType()

◆ _httpResponseToMessage()

◆ _idResCheckForFields()

◆ _idResCheckNonce()

◆ _idResCheckSignature()

◆ _idResGetNonceOpenID1()

◆ _makeKVPost()

◆ _negotiateAssociation()

◆ _processCheckAuthResponse()

◆ _requestAssociation()

◆ _verifyDiscoveryResults()

◆ _verifyDiscoveryResultsOpenID1()

◆ _verifyDiscoveryResultsOpenID2()

◆ _verifyDiscoveryServices()

◆ _verifyDiscoverySingle()

◆ _verifyReturnToArgs()

◆ Auth_OpenID_GenericConsumer()

◆ begin()

◆ complete()

Field Documentation

◆ $_use_assocs

◆ $discoverMethod

◆ $openid1_nonce_query_arg_name

◆ $openid1_return_to_identifier_name

◆ $store