ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
Consumer.php
Go to the documentation of this file.
1<?php
2
163require_once "Auth/OpenID.php";
164require_once "Auth/OpenID/Message.php";
165require_once "Auth/OpenID/HMAC.php";
166require_once "Auth/OpenID/Association.php";
167require_once "Auth/OpenID/CryptUtil.php";
168require_once "Auth/OpenID/DiffieHellman.php";
169require_once "Auth/OpenID/KVForm.php";
170require_once "Auth/OpenID/Nonce.php";
171require_once "Auth/OpenID/Discover.php";
172require_once "Auth/OpenID/URINorm.php";
173require_once "Auth/Yadis/Manager.php";
174require_once "Auth/Yadis/XRI.php";
175
180define('Auth_OpenID_SUCCESS', 'success');
181
185define('Auth_OpenID_CANCEL', 'cancel');
186
191define('Auth_OpenID_FAILURE', 'failure');
192
199define('Auth_OpenID_SETUP_NEEDED', 'setup needed');
200
206define('Auth_OpenID_PARSE_ERROR', 'parse error');
207
215class Auth_OpenID_Consumer {
216
220 var $discoverMethod = 'Auth_OpenID_discover';
221
225 var $session_key_prefix = "_openid_consumer_";
226
230 var $_token_suffix = "last_token";
231
261 function Auth_OpenID_Consumer($store, $session = null,
262 $consumer_cls = null)
263 {
264 if ($session === null) {
265 $session = new Auth_Yadis_PHPSession();
266 }
267
268 $this->session = $session;
269
270 if ($consumer_cls !== null) {
271 $this->consumer = new $consumer_cls($store);
272 } else {
273 $this->consumer = new Auth_OpenID_GenericConsumer($store);
274 }
275
276 $this->_token_key = $this->session_key_prefix . $this->_token_suffix;
277 }
278
284 function getDiscoveryObject($session, $openid_url,
285 $session_key_prefix)
286 {
287 return new Auth_Yadis_Discovery($session, $openid_url,
288 $session_key_prefix);
289 }
290
313 function begin($user_url, $anonymous=false)
314 {
315 $openid_url = $user_url;
316
317 $disco = $this->getDiscoveryObject($this->session,
318 $openid_url,
319 $this->session_key_prefix);
320
321 // Set the 'stale' attribute of the manager. If discovery
322 // fails in a fatal way, the stale flag will cause the manager
323 // to be cleaned up next time discovery is attempted.
324
325 $m = $disco->getManager();
326 $loader = new Auth_Yadis_ManagerLoader();
327
328 if ($m) {
329 if ($m->stale) {
330 $disco->destroyManager();
331 } else {
332 $m->stale = true;
333 $disco->session->set($disco->session_key,
334 serialize($loader->toSession($m)));
335 }
336 }
337
338 $endpoint = $disco->getNextService($this->discoverMethod,
339 $this->consumer->fetcher);
340
341 // Reset the 'stale' attribute of the manager.
342 $m = $disco->getManager();
343 if ($m) {
344 $m->stale = false;
345 $disco->session->set($disco->session_key,
346 serialize($loader->toSession($m)));
347 }
348
349 if ($endpoint === null) {
350 return null;
351 } else {
352 return $this->beginWithoutDiscovery($endpoint,
353 $anonymous);
354 }
355 }
356
373 function beginWithoutDiscovery($endpoint, $anonymous=false)
374 {
375 $loader = new Auth_OpenID_ServiceEndpointLoader();
376 $auth_req = $this->consumer->begin($endpoint);
377 $this->session->set($this->_token_key,
378 $loader->toSession($auth_req->endpoint));
379 if (!$auth_req->setAnonymous($anonymous)) {
380 return new Auth_OpenID_FailureResponse(null,
381 "OpenID 1 requests MUST include the identifier " .
382 "in the request.");
383 }
384 return $auth_req;
385 }
386
410 function complete($current_url, $query=null)
411 {
412 if ($current_url && !is_string($current_url)) {
413 // This is ugly, but we need to complain loudly when
414 // someone uses the API incorrectly.
415 trigger_error("current_url must be a string; see NEWS file " .
416 "for upgrading notes.",
417 E_USER_ERROR);
418 }
419
420 if ($query === null) {
421 $query = Auth_OpenID::getQuery();
422 }
423
424 $loader = new Auth_OpenID_ServiceEndpointLoader();
425 $endpoint_data = $this->session->get($this->_token_key);
426 $endpoint =
427 $loader->fromSession($endpoint_data);
428
429 $message = Auth_OpenID_Message::fromPostArgs($query);
430 $response = $this->consumer->complete($message, $endpoint,
431 $current_url);
432 $this->session->del($this->_token_key);
433
434 if (in_array($response->status, array(Auth_OpenID_SUCCESS,
435 Auth_OpenID_CANCEL))) {
436 if ($response->identity_url !== null) {
437 $disco = $this->getDiscoveryObject($this->session,
438 $response->identity_url,
439 $this->session_key_prefix);
440 $disco->cleanup(true);
441 }
442 }
443
444 return $response;
445 }
446}
447
453class Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
454 var $session_type = 'DH-SHA1';
455 var $hash_func = 'Auth_OpenID_SHA1';
456 var $secret_size = 20;
457 var $allowed_assoc_types = array('HMAC-SHA1');
458
459 function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null)
460 {
461 if ($dh === null) {
462 $dh = new Auth_OpenID_DiffieHellman();
463 }
464
465 $this->dh = $dh;
466 }
467
468 function getRequest()
469 {
470 $math = Auth_OpenID_getMathLib();
471
472 $cpub = $math->longToBase64($this->dh->public);
473
474 $args = array('dh_consumer_public' => $cpub);
475
476 if (!$this->dh->usingDefaultValues()) {
477 $args = array_merge($args, array(
478 'dh_modulus' =>
479 $math->longToBase64($this->dh->mod),
480 'dh_gen' =>
481 $math->longToBase64($this->dh->gen)));
482 }
483
484 return $args;
485 }
486
487 function extractSecret($response)
488 {
489 if (!$response->hasKey(Auth_OpenID_OPENID_NS,
490 'dh_server_public')) {
491 return null;
492 }
493
494 if (!$response->hasKey(Auth_OpenID_OPENID_NS,
495 'enc_mac_key')) {
496 return null;
497 }
498
499 $math = Auth_OpenID_getMathLib();
500
501 $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS,
502 'dh_server_public'));
503 $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
504 'enc_mac_key'));
505
506 return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func);
507 }
508}
509
515class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends
516 Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
517 var $session_type = 'DH-SHA256';
518 var $hash_func = 'Auth_OpenID_SHA256';
519 var $secret_size = 32;
520 var $allowed_assoc_types = array('HMAC-SHA256');
521}
522
528class Auth_OpenID_PlainTextConsumerSession {
529 var $session_type = 'no-encryption';
530 var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256');
531
532 function getRequest()
533 {
534 return array();
535 }
536
537 function extractSecret($response)
538 {
539 if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) {
540 return null;
541 }
542
543 return base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
544 'mac_key'));
545 }
546}
547
551function Auth_OpenID_getAvailableSessionTypes()
552{
553 $types = array(
554 'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession',
555 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession',
556 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession');
557
558 return $types;
559}
560
568class Auth_OpenID_GenericConsumer {
572 var $discoverMethod = 'Auth_OpenID_discover';
573
577 var $store;
578
582 var $_use_assocs;
583
587 var $openid1_nonce_query_arg_name = 'janrain_nonce';
588
594 var $openid1_return_to_identifier_name = 'openid1_claimed_id';
595
614 function Auth_OpenID_GenericConsumer($store)
615 {
616 $this->store = $store;
617 $this->negotiator = Auth_OpenID_getDefaultNegotiator();
618 $this->_use_assocs = (is_null($this->store) ? false : true);
619
620 $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
621
622 $this->session_types = Auth_OpenID_getAvailableSessionTypes();
623 }
624
631 function begin($service_endpoint)
632 {
633 $assoc = $this->_getAssociation($service_endpoint);
634 $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
635 $r->return_to_args[$this->openid1_nonce_query_arg_name] =
636 Auth_OpenID_mkNonce();
637
638 if ($r->message->isOpenID1()) {
639 $r->return_to_args[$this->openid1_return_to_identifier_name] =
640 $r->endpoint->claimed_id;
641 }
642
643 return $r;
644 }
645
653 function complete($message, $endpoint, $return_to)
654 {
655 $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
656 '<no mode set>');
657
658 $mode_methods = array(
659 'cancel' => '_complete_cancel',
660 'error' => '_complete_error',
661 'setup_needed' => '_complete_setup_needed',
662 'id_res' => '_complete_id_res',
663 );
664
665 $method = Auth_OpenID::arrayGet($mode_methods, $mode,
666 '_completeInvalid');
667
668 return call_user_func_array(array($this, $method),
669 array($message, &$endpoint, $return_to));
670 }
671
675 function _completeInvalid($message, $endpoint, $unused)
676 {
677 $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
678 '<No mode set>');
679
680 return new Auth_OpenID_FailureResponse($endpoint,
681 sprintf("Invalid openid.mode '%s'", $mode));
682 }
683
687 function _complete_cancel($message, $endpoint, $unused)
688 {
689 return new Auth_OpenID_CancelResponse($endpoint);
690 }
691
695 function _complete_error($message, $endpoint, $unused)
696 {
697 $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
698 $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
699 $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');
700
701 return new Auth_OpenID_FailureResponse($endpoint, $error,
702 $contact, $reference);
703 }
704
708 function _complete_setup_needed($message, $endpoint, $unused)
709 {
710 if (!$message->isOpenID2()) {
711 return $this->_completeInvalid($message, $endpoint);
712 }
713
714 $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
715 'user_setup_url');
716 return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url);
717 }
718
722 function _complete_id_res($message, $endpoint, $return_to)
723 {
724 $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
725 'user_setup_url');
726
727 if ($this->_checkSetupNeeded($message)) {
728 return new Auth_OpenID_SetupNeededResponse(
729 $endpoint, $user_setup_url);
730 } else {
731 return $this->_doIdRes($message, $endpoint, $return_to);
732 }
733 }
734
738 function _checkSetupNeeded($message)
739 {
740 // In OpenID 1, we check to see if this is a cancel from
741 // immediate mode by the presence of the user_setup_url
742 // parameter.
743 if ($message->isOpenID1()) {
744 $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
745 'user_setup_url');
746 if ($user_setup_url !== null) {
747 return true;
748 }
749 }
750
751 return false;
752 }
753
757 function _doIdRes($message, $endpoint, $return_to)
758 {
759 // Checks for presence of appropriate fields (and checks
760 // signed list fields)
761 $result = $this->_idResCheckForFields($message);
762
763 if (Auth_OpenID::isFailure($result)) {
764 return $result;
765 }
766
767 if (!$this->_checkReturnTo($message, $return_to)) {
768 return new Auth_OpenID_FailureResponse(null,
769 sprintf("return_to does not match return URL. Expected %s, got %s",
770 $return_to,
771 $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
772 }
773
774 // Verify discovery information:
775 $result = $this->_verifyDiscoveryResults($message, $endpoint);
776
777 if (Auth_OpenID::isFailure($result)) {
778 return $result;
779 }
780
781 $endpoint = $result;
782
783 $result = $this->_idResCheckSignature($message,
784 $endpoint->server_url);
785
786 if (Auth_OpenID::isFailure($result)) {
787 return $result;
788 }
789
790 $result = $this->_idResCheckNonce($message, $endpoint);
791
792 if (Auth_OpenID::isFailure($result)) {
793 return $result;
794 }
795
796 $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed',
797 Auth_OpenID_NO_DEFAULT);
798 if (Auth_OpenID::isFailure($signed_list_str)) {
799 return $signed_list_str;
800 }
801 $signed_list = explode(',', $signed_list_str);
802
803 $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
804
805 return new Auth_OpenID_SuccessResponse($endpoint, $message,
806 $signed_fields);
807
808 }
809
813 function _checkReturnTo($message, $return_to)
814 {
815 // Check an OpenID message and its openid.return_to value
816 // against a return_to URL from an application. Return True
817 // on success, False on failure.
818
819 // Check the openid.return_to args against args in the
820 // original message.
821 $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs(
822 $message->toPostArgs());
823 if (Auth_OpenID::isFailure($result)) {
824 return false;
825 }
826
827 // Check the return_to base URL against the one in the
828 // message.
829 $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
830 'return_to');
831 if (Auth_OpenID::isFailure($return_to)) {
832 // XXX log me
833 return false;
834 }
835
836 $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
837 $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));
838
839 // If port is absent from both, add it so it's equal in the
840 // check below.
841 if ((!array_key_exists('port', $return_to_parts)) &&
842 (!array_key_exists('port', $msg_return_to_parts))) {
843 $return_to_parts['port'] = null;
844 $msg_return_to_parts['port'] = null;
845 }
846
847 // If path is absent from both, add it so it's equal in the
848 // check below.
849 if ((!array_key_exists('path', $return_to_parts)) &&
850 (!array_key_exists('path', $msg_return_to_parts))) {
851 $return_to_parts['path'] = null;
852 $msg_return_to_parts['path'] = null;
853 }
854
855 // The URL scheme, authority, and path MUST be the same
856 // between the two URLs.
857 foreach (array('scheme', 'host', 'port', 'path') as $component) {
858 // If the url component is absent in either URL, fail.
859 // There should always be a scheme, host, port, and path.
860 if (!array_key_exists($component, $return_to_parts)) {
861 return false;
862 }
863
864 if (!array_key_exists($component, $msg_return_to_parts)) {
865 return false;
866 }
867
868 if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
869 Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
870 return false;
871 }
872 }
873
874 return true;
875 }
876
880 function _verifyReturnToArgs($query)
881 {
882 // Verify that the arguments in the return_to URL are present in this
883 // response.
884
885 $message = Auth_OpenID_Message::fromPostArgs($query);
886 $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
887
888 if (Auth_OpenID::isFailure($return_to)) {
889 return $return_to;
890 }
891 // XXX: this should be checked by _idResCheckForFields
892 if (!$return_to) {
893 return new Auth_OpenID_FailureResponse(null,
894 "Response has no return_to");
895 }
896
897 $parsed_url = parse_url($return_to);
898
899 $q = array();
900 if (array_key_exists('query', $parsed_url)) {
901 $rt_query = $parsed_url['query'];
902 $q = Auth_OpenID::parse_str($rt_query);
903 }
904
905 foreach ($q as $rt_key => $rt_value) {
906 if (!array_key_exists($rt_key, $query)) {
907 return new Auth_OpenID_FailureResponse(null,
908 sprintf("return_to parameter %s absent from query", $rt_key));
909 } else {
910 $value = $query[$rt_key];
911 if ($rt_value != $value) {
912 return new Auth_OpenID_FailureResponse(null,
913 sprintf("parameter %s value %s does not match " .
914 "return_to value %s", $rt_key,
915 $value, $rt_value));
916 }
917 }
918 }
919
920 // Make sure all non-OpenID arguments in the response are also
921 // in the signed return_to.
922 $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
923 foreach ($bare_args as $key => $value) {
924 if (Auth_OpenID::arrayGet($q, $key) != $value) {
925 return new Auth_OpenID_FailureResponse(null,
926 sprintf("Parameter %s = %s not in return_to URL",
927 $key, $value));
928 }
929 }
930
931 return true;
932 }
933
937 function _idResCheckSignature($message, $server_url)
938 {
939 $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
940 'assoc_handle');
941 if (Auth_OpenID::isFailure($assoc_handle)) {
942 return $assoc_handle;
943 }
944
945 $assoc = $this->store->getAssociation($server_url, $assoc_handle);
946
947 if ($assoc) {
948 if ($assoc->getExpiresIn() <= 0) {
949 // XXX: It might be a good idea sometimes to re-start
950 // the authentication with a new association. Doing it
951 // automatically opens the possibility for
952 // denial-of-service by a server that just returns
953 // expired associations (or really short-lived
954 // associations)
955 return new Auth_OpenID_FailureResponse(null,
956 'Association with ' . $server_url . ' expired');
957 }
958
959 if (!$assoc->checkMessageSignature($message)) {
960 return new Auth_OpenID_FailureResponse(null,
961 "Bad signature");
962 }
963 } else {
964 // It's not an association we know about. Stateless mode
965 // is our only possible path for recovery. XXX - async
966 // framework will not want to block on this call to
967 // _checkAuth.
968 if (!$this->_checkAuth($message, $server_url)) {
969 return new Auth_OpenID_FailureResponse(null,
970 "Server denied check_authentication");
971 }
972 }
973
974 return null;
975 }
976
980 function _verifyDiscoveryResults($message, $endpoint=null)
981 {
982 if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) {
983 return $this->_verifyDiscoveryResultsOpenID2($message,
984 $endpoint);
985 } else {
986 return $this->_verifyDiscoveryResultsOpenID1($message,
987 $endpoint);
988 }
989 }
990
994 function _verifyDiscoveryResultsOpenID1($message, $endpoint)
995 {
996 $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
997 $this->openid1_return_to_identifier_name);
998
999 if (($endpoint === null) && ($claimed_id === null)) {
1000 return new Auth_OpenID_FailureResponse($endpoint,
1001 'When using OpenID 1, the claimed ID must be supplied, ' .
1002 'either by passing it through as a return_to parameter ' .
1003 'or by using a session, and supplied to the GenericConsumer ' .
1004 'as the argument to complete()');
1005 } else if (($endpoint !== null) && ($claimed_id === null)) {
1006 $claimed_id = $endpoint->claimed_id;
1007 }
1008
1009 $to_match = new Auth_OpenID_ServiceEndpoint();
1010 $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
1011 $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
1012 'identity');
1013
1014 // Restore delegate information from the initiation phase
1015 $to_match->claimed_id = $claimed_id;
1016
1017 if ($to_match->local_id === null) {
1018 return new Auth_OpenID_FailureResponse($endpoint,
1019 "Missing required field openid.identity");
1020 }
1021
1022 $to_match_1_0 = $to_match->copy();
1023 $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);
1024
1025 if ($endpoint !== null) {
1026 $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
1027
1028 if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) {
1029 $result = $this->_verifyDiscoverySingle($endpoint,
1030 $to_match_1_0);
1031 }
1032
1033 if (Auth_OpenID::isFailure($result)) {
1034 // oidutil.log("Error attempting to use stored
1035 // discovery information: " + str(e))
1036 // oidutil.log("Attempting discovery to
1037 // verify endpoint")
1038 } else {
1039 return $endpoint;
1040 }
1041 }
1042
1043 // Endpoint is either bad (failed verification) or None
1044 return $this->_discoverAndVerify($to_match->claimed_id,
1045 array($to_match, $to_match_1_0));
1046 }
1047
1051 function _verifyDiscoverySingle($endpoint, $to_match)
1052 {
1053 // Every type URI that's in the to_match endpoint has to be
1054 // present in the discovered endpoint.
1055 foreach ($to_match->type_uris as $type_uri) {
1056 if (!$endpoint->usesExtension($type_uri)) {
1057 return new Auth_OpenID_TypeURIMismatch($endpoint,
1058 "Required type ".$type_uri." not present");
1059 }
1060 }
1061
1062 // Fragments do not influence discovery, so we can't compare a
1063 // claimed identifier with a fragment to discovered
1064 // information.
1065 list($defragged_claimed_id, $_) =
1066 Auth_OpenID::urldefrag($to_match->claimed_id);
1067
1068 if ($defragged_claimed_id != $endpoint->claimed_id) {
1069 return new Auth_OpenID_FailureResponse($endpoint,
1070 sprintf('Claimed ID does not match (different subjects!), ' .
1071 'Expected %s, got %s', $defragged_claimed_id,
1072 $endpoint->claimed_id));
1073 }
1074
1075 if ($to_match->getLocalID() != $endpoint->getLocalID()) {
1076 return new Auth_OpenID_FailureResponse($endpoint,
1077 sprintf('local_id mismatch. Expected %s, got %s',
1078 $to_match->getLocalID(), $endpoint->getLocalID()));
1079 }
1080
1081 // If the server URL is None, this must be an OpenID 1
1082 // response, because op_endpoint is a required parameter in
1083 // OpenID 2. In that case, we don't actually care what the
1084 // discovered server_url is, because signature checking or
1085 // check_auth should take care of that check for us.
1086 if ($to_match->server_url === null) {
1087 if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) {
1088 return new Auth_OpenID_FailureResponse($endpoint,
1089 "Preferred namespace mismatch (bug)");
1090 }
1091 } else if ($to_match->server_url != $endpoint->server_url) {
1092 return new Auth_OpenID_FailureResponse($endpoint,
1093 sprintf('OP Endpoint mismatch. Expected %s, got %s',
1094 $to_match->server_url, $endpoint->server_url));
1095 }
1096
1097 return null;
1098 }
1099
1103 function _verifyDiscoveryResultsOpenID2($message, $endpoint)
1104 {
1105 $to_match = new Auth_OpenID_ServiceEndpoint();
1106 $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
1107 $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
1108 'claimed_id');
1109
1110 $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
1111 'identity');
1112
1113 $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
1114 'op_endpoint');
1115
1116 if ($to_match->server_url === null) {
1117 return new Auth_OpenID_FailureResponse($endpoint,
1118 "OP Endpoint URL missing");
1119 }
1120
1121 // claimed_id and identifier must both be present or both be
1122 // absent
1123 if (($to_match->claimed_id === null) &&
1124 ($to_match->local_id !== null)) {
1125 return new Auth_OpenID_FailureResponse($endpoint,
1126 'openid.identity is present without openid.claimed_id');
1127 }
1128
1129 if (($to_match->claimed_id !== null) &&
1130 ($to_match->local_id === null)) {
1131 return new Auth_OpenID_FailureResponse($endpoint,
1132 'openid.claimed_id is present without openid.identity');
1133 }
1134
1135 if ($to_match->claimed_id === null) {
1136 // This is a response without identifiers, so there's
1137 // really no checking that we can do, so return an
1138 // endpoint that's for the specified `openid.op_endpoint'
1139 return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL(
1140 $to_match->server_url);
1141 }
1142
1143 if (!$endpoint) {
1144 // The claimed ID doesn't match, so we have to do
1145 // discovery again. This covers not using sessions, OP
1146 // identifier endpoints and responses that didn't match
1147 // the original request.
1148 // oidutil.log('No pre-discovered information supplied.')
1149 return $this->_discoverAndVerify($to_match->claimed_id,
1150 array($to_match));
1151 } else {
1152
1153 // The claimed ID matches, so we use the endpoint that we
1154 // discovered in initiation. This should be the most
1155 // common case.
1156 $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
1157
1158 if (Auth_OpenID::isFailure($result)) {
1159 $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
1160 array($to_match));
1161 if (Auth_OpenID::isFailure($endpoint)) {
1162 return $endpoint;
1163 }
1164 }
1165 }
1166
1167 // The endpoint we return should have the claimed ID from the
1168 // message we just verified, fragment and all.
1169 if ($endpoint->claimed_id != $to_match->claimed_id) {
1170 $endpoint->claimed_id = $to_match->claimed_id;
1171 }
1172
1173 return $endpoint;
1174 }
1175
1179 function _discoverAndVerify($claimed_id, $to_match_endpoints)
1180 {
1181 // oidutil.log('Performing discovery on %s' % (claimed_id,))
1182 list($unused, $services) = call_user_func($this->discoverMethod,
1183 $claimed_id,
1184 $this->fetcher); // fixed php 5.4 compatability
1185
1186 if (!$services) {
1187 return new Auth_OpenID_FailureResponse(null,
1188 sprintf("No OpenID information found at %s",
1189 $claimed_id));
1190 }
1191
1192 return $this->_verifyDiscoveryServices($claimed_id, $services,
1193 $to_match_endpoints);
1194 }
1195
1199 function _verifyDiscoveryServices($claimed_id,
1200 $services, $to_match_endpoints)
1201 {
1202 // Search the services resulting from discovery to find one
1203 // that matches the information from the assertion
1204
1205 foreach ($services as $endpoint) {
1206 foreach ($to_match_endpoints as $to_match_endpoint) {
1207 $result = $this->_verifyDiscoverySingle($endpoint,
1208 $to_match_endpoint);
1209
1210 if (!Auth_OpenID::isFailure($result)) {
1211 // It matches, so discover verification has
1212 // succeeded. Return this endpoint.
1213 return $endpoint;
1214 }
1215 }
1216 }
1217
1218 return new Auth_OpenID_FailureResponse(null,
1219 sprintf('No matching endpoint found after discovering %s: %s',
1220 $claimed_id, $result->message));
1221 }
1222
1234 function _idResGetNonceOpenID1($message, $endpoint)
1235 {
1236 return $message->getArg(Auth_OpenID_BARE_NS,
1237 $this->openid1_nonce_query_arg_name);
1238 }
1239
1243 function _idResCheckNonce($message, $endpoint)
1244 {
1245 if ($message->isOpenID1()) {
1246 // This indicates that the nonce was generated by the consumer
1247 $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
1248 $server_url = '';
1249 } else {
1250 $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
1251 'response_nonce');
1252
1253 $server_url = $endpoint->server_url;
1254 }
1255
1256 if ($nonce === null) {
1257 return new Auth_OpenID_FailureResponse($endpoint,
1258 "Nonce missing from response");
1259 }
1260
1261 $parts = Auth_OpenID_splitNonce($nonce);
1262
1263 if ($parts === null) {
1264 return new Auth_OpenID_FailureResponse($endpoint,
1265 "Malformed nonce in response");
1266 }
1267
1268 list($timestamp, $salt) = $parts;
1269
1270 if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
1271 return new Auth_OpenID_FailureResponse($endpoint,
1272 "Nonce already used or out of range");
1273 }
1274
1275 return null;
1276 }
1277
1281 function _idResCheckForFields($message)
1282 {
1283 $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
1284 $basic_sig_fields = array('return_to', 'identity');
1285
1286 $require_fields = array(
1287 Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
1288 array('op_endpoint')),
1289
1290 Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
1291 array('identity'))
1292 );
1293
1294 $require_sigs = array(
1295 Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
1296 array('response_nonce',
1297 'claimed_id',
1298 'assoc_handle',
1299 'op_endpoint')),
1300 Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
1301 array('nonce'))
1302 );
1303
1304 foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
1305 if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
1306 return new Auth_OpenID_FailureResponse(null,
1307 "Missing required field '".$field."'");
1308 }
1309 }
1310
1311 $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
1312 'signed',
1313 Auth_OpenID_NO_DEFAULT);
1314 if (Auth_OpenID::isFailure($signed_list_str)) {
1315 return $signed_list_str;
1316 }
1317 $signed_list = explode(',', $signed_list_str);
1318
1319 foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
1320 // Field is present and not in signed list
1321 if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
1322 (!in_array($field, $signed_list))) {
1323 return new Auth_OpenID_FailureResponse(null,
1324 "'".$field."' not signed");
1325 }
1326 }
1327
1328 return null;
1329 }
1330
1334 function _checkAuth($message, $server_url)
1335 {
1336 $request = $this->_createCheckAuthRequest($message);
1337 if ($request === null) {
1338 return false;
1339 }
1340
1341 $resp_message = $this->_makeKVPost($request, $server_url);
1342 if (($resp_message === null) ||
1343 (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
1344 return false;
1345 }
1346
1347 return $this->_processCheckAuthResponse($resp_message, $server_url);
1348 }
1349
1353 function _createCheckAuthRequest($message)
1354 {
1355 $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
1356 if ($signed) {
1357 foreach (explode(',', $signed) as $k) {
1358 $value = $message->getAliasedArg($k);
1359 if ($value === null) {
1360 return null;
1361 }
1362 }
1363 }
1364 $ca_message = $message->copy();
1365 $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode',
1366 'check_authentication');
1367 return $ca_message;
1368 }
1369
1373 function _processCheckAuthResponse($response, $server_url)
1374 {
1375 $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid',
1376 'false');
1377
1378 $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
1379 'invalidate_handle');
1380
1381 if ($invalidate_handle !== null) {
1382 $this->store->removeAssociation($server_url,
1383 $invalidate_handle);
1384 }
1385
1386 if ($is_valid == 'true') {
1387 return true;
1388 }
1389
1390 return false;
1391 }
1392
1400 static function _httpResponseToMessage($response, $server_url)
1401 {
1402 // Should this function be named Message.fromHTTPResponse instead?
1403 $response_message = Auth_OpenID_Message::fromKVForm($response->body);
1404
1405 if ($response->status == 400) {
1406 return Auth_OpenID_ServerErrorContainer::fromMessage(
1407 $response_message);
1408 } else if ($response->status != 200 and $response->status != 206) {
1409 return null;
1410 }
1411
1412 return $response_message;
1413 }
1414
1418 function _makeKVPost($message, $server_url)
1419 {
1420 $body = $message->toURLEncoded();
1421 $resp = $this->fetcher->post($server_url, $body);
1422
1423 if ($resp === null) {
1424 return null;
1425 }
1426
1427 return $this->_httpResponseToMessage($resp, $server_url);
1428 }
1429
1433 function _getAssociation($endpoint)
1434 {
1435 if (!$this->_use_assocs) {
1436 return null;
1437 }
1438
1439 $assoc = $this->store->getAssociation($endpoint->server_url);
1440
1441 if (($assoc === null) ||
1442 ($assoc->getExpiresIn() <= 0)) {
1443
1444 $assoc = $this->_negotiateAssociation($endpoint);
1445
1446 if ($assoc !== null) {
1447 $this->store->storeAssociation($endpoint->server_url,
1448 $assoc);
1449 }
1450 }
1451
1452 return $assoc;
1453 }
1454
1464 function _extractSupportedAssociationType($server_error, $endpoint,
1465 $assoc_type)
1466 {
1467 // Any error message whose code is not 'unsupported-type'
1468 // should be considered a total failure.
1469 if (($server_error->error_code != 'unsupported-type') ||
1470 ($server_error->message->isOpenID1())) {
1471 return null;
1472 }
1473
1474 // The server didn't like the association/session type that we
1475 // sent, and it sent us back a message that might tell us how
1476 // to handle it.
1477
1478 // Extract the session_type and assoc_type from the error
1479 // message
1480 $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
1481 'assoc_type');
1482
1483 $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
1484 'session_type');
1485
1486 if (($assoc_type === null) || ($session_type === null)) {
1487 return null;
1488 } else if (!$this->negotiator->isAllowed($assoc_type,
1489 $session_type)) {
1490 return null;
1491 } else {
1492 return array($assoc_type, $session_type);
1493 }
1494 }
1495
1499 function _negotiateAssociation($endpoint)
1500 {
1501 // Get our preferred session/association type from the negotiatior.
1502 list($assoc_type, $session_type) = $this->negotiator->getAllowedType();
1503
1504 $assoc = $this->_requestAssociation(
1505 $endpoint, $assoc_type, $session_type);
1506
1507 if (Auth_OpenID::isFailure($assoc)) {
1508 return null;
1509 }
1510
1511 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
1512 $why = $assoc;
1513
1514 $supportedTypes = $this->_extractSupportedAssociationType(
1515 $why, $endpoint, $assoc_type);
1516
1517 if ($supportedTypes !== null) {
1518 list($assoc_type, $session_type) = $supportedTypes;
1519
1520 // Attempt to create an association from the assoc_type
1521 // and session_type that the server told us it
1522 // supported.
1523 $assoc = $this->_requestAssociation(
1524 $endpoint, $assoc_type, $session_type);
1525
1526 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
1527 // Do not keep trying, since it rejected the
1528 // association type that it told us to use.
1529 // oidutil.log('Server %s refused its suggested association
1530 // 'type: session_type=%s, assoc_type=%s'
1531 // % (endpoint.server_url, session_type,
1532 // assoc_type))
1533 return null;
1534 } else {
1535 return $assoc;
1536 }
1537 } else {
1538 return null;
1539 }
1540 } else {
1541 return $assoc;
1542 }
1543 }
1544
1548 function _requestAssociation($endpoint, $assoc_type, $session_type)
1549 {
1550 list($assoc_session, $args) = $this->_createAssociateRequest(
1551 $endpoint, $assoc_type, $session_type);
1552
1553 $response_message = $this->_makeKVPost($args, $endpoint->server_url);
1554
1555 if ($response_message === null) {
1556 // oidutil.log('openid.associate request failed: %s' % (why[0],))
1557 return null;
1558 } else if (is_a($response_message,
1559 'Auth_OpenID_ServerErrorContainer')) {
1560 return $response_message;
1561 }
1562
1563 return $this->_extractAssociation($response_message, $assoc_session);
1564 }
1565
1569 function _extractAssociation($assoc_response, $assoc_session)
1570 {
1571 // Extract the common fields from the response, raising an
1572 // exception if they are not found
1573 $assoc_type = $assoc_response->getArg(
1574 Auth_OpenID_OPENID_NS, 'assoc_type',
1575 Auth_OpenID_NO_DEFAULT);
1576
1577 if (Auth_OpenID::isFailure($assoc_type)) {
1578 return $assoc_type;
1579 }
1580
1581 $assoc_handle = $assoc_response->getArg(
1582 Auth_OpenID_OPENID_NS, 'assoc_handle',
1583 Auth_OpenID_NO_DEFAULT);
1584
1585 if (Auth_OpenID::isFailure($assoc_handle)) {
1586 return $assoc_handle;
1587 }
1588
1589 // expires_in is a base-10 string. The Python parsing will
1590 // accept literals that have whitespace around them and will
1591 // accept negative values. Neither of these are really in-spec,
1592 // but we think it's OK to accept them.
1593 $expires_in_str = $assoc_response->getArg(
1594 Auth_OpenID_OPENID_NS, 'expires_in',
1595 Auth_OpenID_NO_DEFAULT);
1596
1597 if (Auth_OpenID::isFailure($expires_in_str)) {
1598 return $expires_in_str;
1599 }
1600
1601 $expires_in = Auth_OpenID::intval($expires_in_str);
1602 if ($expires_in === false) {
1603
1604 $err = sprintf("Could not parse expires_in from association ".
1605 "response %s", print_r($assoc_response, true));
1606 return new Auth_OpenID_FailureResponse(null, $err);
1607 }
1608
1609 // OpenID 1 has funny association session behaviour.
1610 if ($assoc_response->isOpenID1()) {
1611 $session_type = $this->_getOpenID1SessionType($assoc_response);
1612 } else {
1613 $session_type = $assoc_response->getArg(
1614 Auth_OpenID_OPENID2_NS, 'session_type',
1615 Auth_OpenID_NO_DEFAULT);
1616
1617 if (Auth_OpenID::isFailure($session_type)) {
1618 return $session_type;
1619 }
1620 }
1621
1622 // Session type mismatch
1623 if ($assoc_session->session_type != $session_type) {
1624 if ($assoc_response->isOpenID1() &&
1625 ($session_type == 'no-encryption')) {
1626 // In OpenID 1, any association request can result in
1627 // a 'no-encryption' association response. Setting
1628 // assoc_session to a new no-encryption session should
1629 // make the rest of this function work properly for
1630 // that case.
1631 $assoc_session = new Auth_OpenID_PlainTextConsumerSession();
1632 } else {
1633 // Any other mismatch, regardless of protocol version
1634 // results in the failure of the association session
1635 // altogether.
1636 return null;
1637 }
1638 }
1639
1640 // Make sure assoc_type is valid for session_type
1641 if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
1642 return null;
1643 }
1644
1645 // Delegate to the association session to extract the secret
1646 // from the response, however is appropriate for that session
1647 // type.
1648 $secret = $assoc_session->extractSecret($assoc_response);
1649
1650 if ($secret === null) {
1651 return null;
1652 }
1653
1654 return Auth_OpenID_Association::fromExpiresIn(
1655 $expires_in, $assoc_handle, $secret, $assoc_type);
1656 }
1657
1661 function _createAssociateRequest($endpoint, $assoc_type, $session_type)
1662 {
1663 if (array_key_exists($session_type, $this->session_types)) {
1664 $session_type_class = $this->session_types[$session_type];
1665
1666 if (is_callable($session_type_class)) {
1667 $assoc_session = $session_type_class();
1668 } else {
1669 $assoc_session = new $session_type_class();
1670 }
1671 } else {
1672 return null;
1673 }
1674
1675 $args = array(
1676 'mode' => 'associate',
1677 'assoc_type' => $assoc_type);
1678
1679 if (!$endpoint->compatibilityMode()) {
1680 $args['ns'] = Auth_OpenID_OPENID2_NS;
1681 }
1682
1683 // Leave out the session type if we're in compatibility mode
1684 // *and* it's no-encryption.
1685 if ((!$endpoint->compatibilityMode()) ||
1686 ($assoc_session->session_type != 'no-encryption')) {
1687 $args['session_type'] = $assoc_session->session_type;
1688 }
1689
1690 $args = array_merge($args, $assoc_session->getRequest());
1691 $message = Auth_OpenID_Message::fromOpenIDArgs($args);
1692 return array($assoc_session, $message);
1693 }
1694
1708 function _getOpenID1SessionType($assoc_response)
1709 {
1710 // If it's an OpenID 1 message, allow session_type to default
1711 // to None (which signifies "no-encryption")
1712 $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS,
1713 'session_type');
1714
1715 // Handle the differences between no-encryption association
1716 // respones in OpenID 1 and 2:
1717
1718 // no-encryption is not really a valid session type for OpenID
1719 // 1, but we'll accept it anyway, while issuing a warning.
1720 if ($session_type == 'no-encryption') {
1721 // oidutil.log('WARNING: OpenID server sent "no-encryption"'
1722 // 'for OpenID 1.X')
1723 } else if (($session_type == '') || ($session_type === null)) {
1724 // Missing or empty session type is the way to flag a
1725 // 'no-encryption' response. Change the session type to
1726 // 'no-encryption' so that it can be handled in the same
1727 // way as OpenID 2 'no-encryption' respones.
1728 $session_type = 'no-encryption';
1729 }
1730
1731 return $session_type;
1732 }
1733}
1734
1741class Auth_OpenID_AuthRequest {
1742
1751 function Auth_OpenID_AuthRequest($endpoint, $assoc)
1752 {
1753 $this->assoc = $assoc;
1754 $this->endpoint = $endpoint;
1755 $this->return_to_args = array();
1756 $this->message = new Auth_OpenID_Message(
1757 $endpoint->preferredNamespace());
1758 $this->_anonymous = false;
1759 }
1760
1767 function addExtension($extension_request)
1768 {
1769 $extension_request->toMessage($this->message);
1770 }
1771
1791 function addExtensionArg($namespace, $key, $value)
1792 {
1793 return $this->message->setArg($namespace, $key, $value);
1794 }
1795
1805 function setAnonymous($is_anonymous)
1806 {
1807 if ($is_anonymous && $this->message->isOpenID1()) {
1808 return false;
1809 } else {
1810 $this->_anonymous = $is_anonymous;
1811 return true;
1812 }
1813 }
1814
1835 function getMessage($realm, $return_to=null, $immediate=false)
1836 {
1837 if ($return_to) {
1838 $return_to = Auth_OpenID::appendArgs($return_to,
1839 $this->return_to_args);
1840 } else if ($immediate) {
1841 // raise ValueError(
1842 // '"return_to" is mandatory when
1843 //using "checkid_immediate"')
1844 return new Auth_OpenID_FailureResponse(null,
1845 "'return_to' is mandatory when using checkid_immediate");
1846 } else if ($this->message->isOpenID1()) {
1847 // raise ValueError('"return_to" is
1848 // mandatory for OpenID 1 requests')
1849 return new Auth_OpenID_FailureResponse(null,
1850 "'return_to' is mandatory for OpenID 1 requests");
1851 } else if ($this->return_to_args) {
1852 // raise ValueError('extra "return_to" arguments
1853 // were specified, but no return_to was specified')
1854 return new Auth_OpenID_FailureResponse(null,
1855 "extra 'return_to' arguments where specified, " .
1856 "but no return_to was specified");
1857 }
1858
1859 if ($immediate) {
1860 $mode = 'checkid_immediate';
1861 } else {
1862 $mode = 'checkid_setup';
1863 }
1864
1865 $message = $this->message->copy();
1866 if ($message->isOpenID1()) {
1867 $realm_key = 'trust_root';
1868 } else {
1869 $realm_key = 'realm';
1870 }
1871
1872 $message->updateArgs(Auth_OpenID_OPENID_NS,
1873 array(
1874 $realm_key => $realm,
1875 'mode' => $mode,
1876 'return_to' => $return_to));
1877
1878 if (!$this->_anonymous) {
1879 if ($this->endpoint->isOPIdentifier()) {
1880 // This will never happen when we're in compatibility
1881 // mode, as long as isOPIdentifier() returns False
1882 // whenever preferredNamespace() returns OPENID1_NS.
1883 $claimed_id = $request_identity =
1884 Auth_OpenID_IDENTIFIER_SELECT;
1885 } else {
1886 $request_identity = $this->endpoint->getLocalID();
1887 $claimed_id = $this->endpoint->claimed_id;
1888 }
1889
1890 // This is true for both OpenID 1 and 2
1891 $message->setArg(Auth_OpenID_OPENID_NS, 'identity',
1892 $request_identity);
1893
1894 if ($message->isOpenID2()) {
1895 $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id',
1896 $claimed_id);
1897 }
1898 }
1899
1900 if ($this->assoc) {
1901 $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle',
1902 $this->assoc->handle);
1903 }
1904
1905 return $message;
1906 }
1907
1908 function redirectURL($realm, $return_to = null,
1909 $immediate = false)
1910 {
1911 $message = $this->getMessage($realm, $return_to, $immediate);
1912
1913 if (Auth_OpenID::isFailure($message)) {
1914 return $message;
1915 }
1916
1917 return $message->toURL($this->endpoint->server_url);
1918 }
1919
1928 function formMarkup($realm, $return_to=null, $immediate=false,
1929 $form_tag_attrs=null)
1930 {
1931 $message = $this->getMessage($realm, $return_to, $immediate);
1932
1933 if (Auth_OpenID::isFailure($message)) {
1934 return $message;
1935 }
1936
1937 return $message->toFormMarkup($this->endpoint->server_url,
1938 $form_tag_attrs);
1939 }
1940
1947 function htmlMarkup($realm, $return_to=null, $immediate=false,
1948 $form_tag_attrs=null)
1949 {
1950 $form = $this->formMarkup($realm, $return_to, $immediate,
1951 $form_tag_attrs);
1952
1953 if (Auth_OpenID::isFailure($form)) {
1954 return $form;
1955 }
1956 return Auth_OpenID::autoSubmitHTML($form);
1957 }
1958
1959 function shouldSendRedirect()
1960 {
1961 return $this->endpoint->compatibilityMode();
1962 }
1963}
1964
1970class Auth_OpenID_ConsumerResponse {
1971 var $status = null;
1972
1973 function setEndpoint($endpoint)
1974 {
1975 $this->endpoint = $endpoint;
1976 if ($endpoint === null) {
1977 $this->identity_url = null;
1978 } else {
1979 $this->identity_url = $endpoint->claimed_id;
1980 }
1981 }
1982
2000 function getDisplayIdentifier()
2001 {
2002 if ($this->endpoint !== null) {
2003 return $this->endpoint->getDisplayIdentifier();
2004 }
2005 return null;
2006 }
2007}
2008
2024class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse {
2025 var $status = Auth_OpenID_SUCCESS;
2026
2030 function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null)
2031 {
2032 $this->endpoint = $endpoint;
2033 $this->identity_url = $endpoint->claimed_id;
2034 $this->signed_args = $signed_args;
2035 $this->message = $message;
2036
2037 if ($this->signed_args === null) {
2038 $this->signed_args = array();
2039 }
2040 }
2041
2048 function extensionResponse($namespace_uri, $require_signed)
2049 {
2050 if ($require_signed) {
2051 return $this->getSignedNS($namespace_uri);
2052 } else {
2053 return $this->message->getArgs($namespace_uri);
2054 }
2055 }
2056
2057 function isOpenID1()
2058 {
2059 return $this->message->isOpenID1();
2060 }
2061
2062 function isSigned($ns_uri, $ns_key)
2063 {
2064 // Return whether a particular key is signed, regardless of
2065 // its namespace alias
2066 return in_array($this->message->getKey($ns_uri, $ns_key),
2067 $this->signed_args);
2068 }
2069
2070 function getSigned($ns_uri, $ns_key, $default = null)
2071 {
2072 // Return the specified signed field if available, otherwise
2073 // return default
2074 if ($this->isSigned($ns_uri, $ns_key)) {
2075 return $this->message->getArg($ns_uri, $ns_key, $default);
2076 } else {
2077 return $default;
2078 }
2079 }
2080
2081 function getSignedNS($ns_uri)
2082 {
2083 $args = array();
2084
2085 $msg_args = $this->message->getArgs($ns_uri);
2086 if (Auth_OpenID::isFailure($msg_args)) {
2087 return null;
2088 }
2089
2090 foreach ($msg_args as $key => $value) {
2091 if (!$this->isSigned($ns_uri, $key)) {
2092 unset($msg_args[$key]);
2093 }
2094 }
2095
2096 return $msg_args;
2097 }
2098
2109 function getReturnTo()
2110 {
2111 return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to');
2112 }
2113}
2114
2130class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse {
2131 var $status = Auth_OpenID_FAILURE;
2132
2133 function Auth_OpenID_FailureResponse($endpoint, $message = null,
2134 $contact = null, $reference = null)
2135 {
2136 $this->setEndpoint($endpoint);
2137 $this->message = $message;
2138 $this->contact = $contact;
2139 $this->reference = $reference;
2140 }
2141}
2142
2148class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse {
2149}
2150
2157class Auth_OpenID_ServerErrorContainer {
2158 function Auth_OpenID_ServerErrorContainer($error_text,
2159 $error_code,
2160 $message)
2161 {
2162 $this->error_text = $error_text;
2163 $this->error_code = $error_code;
2164 $this->message = $message;
2165 }
2166
2170 static function fromMessage($message)
2171 {
2172 $error_text = $message->getArg(
2173 Auth_OpenID_OPENID_NS, 'error', '<no error message supplied>');
2174 $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code');
2175 return new Auth_OpenID_ServerErrorContainer($error_text,
2176 $error_code,
2177 $message);
2178 }
2179}
2180
2193class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse {
2194 var $status = Auth_OpenID_CANCEL;
2195
2196 function Auth_OpenID_CancelResponse($endpoint)
2197 {
2198 $this->setEndpoint($endpoint);
2199 }
2200}
2201
2219class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse {
2220 var $status = Auth_OpenID_SETUP_NEEDED;
2221
2222 function Auth_OpenID_SetupNeededResponse($endpoint,
2223 $setup_url = null)
2224 {
2225 $this->setEndpoint($endpoint);
2226 $this->setup_url = $setup_url;
2227 }
2228}
2229
2230
Auth_OpenID_getDefaultNegotiator
Auth_OpenID_getDefaultNegotiator()
Definition: Association.php:472
Auth_OpenID_getMathLib
Auth_OpenID_getMathLib()
Definition: BigMath.php:400
$result
$result
Definition: CleanUpTest.php:407
Auth_OpenID_getAvailableSessionTypes
Auth_OpenID_getAvailableSessionTypes()
Returns available session types.
Definition: Consumer.php:551
Auth_OpenID_FAILURE
const Auth_OpenID_FAILURE
This is the status code completeAuth returns when the value it received indicated an invalid login.
Definition: Consumer.php:191
Auth_OpenID_CANCEL
const Auth_OpenID_CANCEL
Status to indicate cancellation of OpenID authentication.
Definition: Consumer.php:185
Auth_OpenID_SETUP_NEEDED
const Auth_OpenID_SETUP_NEEDED
This is the status code completeAuth returns when the Auth_OpenID_Consumer instance is in immediate m...
Definition: Consumer.php:199
Auth_OpenID_SUCCESS
const Auth_OpenID_SUCCESS
Require utility classes and functions for the consumer.
Definition: Consumer.php:180
Auth_OpenID_TYPE_1_1
const Auth_OpenID_TYPE_1_1
Definition: Discover.php:18
Auth_OpenID_TYPE_1_0
const Auth_OpenID_TYPE_1_0
Definition: Discover.php:19
Auth_OpenID_TYPE_2_0
const Auth_OpenID_TYPE_2_0
Definition: Discover.php:21
Auth_OpenID_IDENTIFIER_SELECT
const Auth_OpenID_IDENTIFIER_SELECT
Import tools needed to deal with messages.
Definition: Message.php:18
Auth_OpenID_OPENID_NS
const Auth_OpenID_OPENID_NS
Definition: Message.php:42
Auth_OpenID_OPENID1_NS
const Auth_OpenID_OPENID1_NS
Definition: Message.php:25
Auth_OpenID_NO_DEFAULT
const Auth_OpenID_NO_DEFAULT
Definition: Message.php:50
Auth_OpenID_OPENID2_NS
const Auth_OpenID_OPENID2_NS
Definition: Message.php:35
Auth_OpenID_BARE_NS
const Auth_OpenID_BARE_NS
Definition: Message.php:46
Auth_OpenID_splitNonce
Auth_OpenID_splitNonce($nonce_string)
Definition: Nonce.php:30
Auth_OpenID_mkNonce
Auth_OpenID_mkNonce($when=null)
Definition: Nonce.php:91
Auth_OpenID_urinorm
Auth_OpenID_urinorm($uri)
Definition: URINorm.php:142
$timestamp
foreach($mandatory_scripts as $file) $timestamp
Definition: buildRTE.php:81
Auth_OpenID_Association\fromExpiresIn
static fromExpiresIn($expires_in, $handle, $secret, $assoc_type)
This is an alternate constructor (factory method) used by the OpenID consumer library to create assoc...
Definition: Association.php:97
Auth_OpenID_AuthRequest
Definition: Consumer.php:1741
Auth_OpenID_AuthRequest\addExtension
addExtension($extension_request)
Add an extension to this checkid request.
Definition: Consumer.php:1767
Auth_OpenID_AuthRequest\addExtensionArg
addExtensionArg($namespace, $key, $value)
Add an extension argument to this OpenID authentication request.
Definition: Consumer.php:1791
Auth_OpenID_AuthRequest\redirectURL
redirectURL($realm, $return_to=null, $immediate=false)
Definition: Consumer.php:1908
Auth_OpenID_AuthRequest\Auth_OpenID_AuthRequest
Auth_OpenID_AuthRequest($endpoint, $assoc)
Initialize an authentication request with the specified token, association, and endpoint.
Definition: Consumer.php:1751
Auth_OpenID_AuthRequest\shouldSendRedirect
shouldSendRedirect()
Definition: Consumer.php:1959
Auth_OpenID_AuthRequest\formMarkup
formMarkup($realm, $return_to=null, $immediate=false, $form_tag_attrs=null)
Get html for a form to submit this request to the IDP.
Definition: Consumer.php:1928
Auth_OpenID_AuthRequest\setAnonymous
setAnonymous($is_anonymous)
Set whether this request should be made anonymously.
Definition: Consumer.php:1805
Auth_OpenID_AuthRequest\htmlMarkup
htmlMarkup($realm, $return_to=null, $immediate=false, $form_tag_attrs=null)
Get a complete html document that will autosubmit the request to the IDP.
Definition: Consumer.php:1947
Auth_OpenID_AuthRequest\getMessage
getMessage($realm, $return_to=null, $immediate=false)
Produce a Auth_OpenID_Message representing this request.
Definition: Consumer.php:1835
Auth_OpenID_CancelResponse
Definition: Consumer.php:2193
Auth_OpenID_CancelResponse\Auth_OpenID_CancelResponse
Auth_OpenID_CancelResponse($endpoint)
Definition: Consumer.php:2196
Auth_OpenID_CancelResponse\$status
$status
Definition: Consumer.php:2194
Auth_OpenID_ConsumerResponse
Definition: Consumer.php:1970
Auth_OpenID_ConsumerResponse\$status
$status
Definition: Consumer.php:1971
Auth_OpenID_ConsumerResponse\getDisplayIdentifier
getDisplayIdentifier()
Return the display identifier for this response.
Definition: Consumer.php:2000
Auth_OpenID_ConsumerResponse\setEndpoint
setEndpoint($endpoint)
Definition: Consumer.php:1973
Auth_OpenID_Consumer
Definition: Consumer.php:215
Auth_OpenID_Consumer\$session_key_prefix
$session_key_prefix
@access private
Definition: Consumer.php:225
Auth_OpenID_Consumer\$discoverMethod
$discoverMethod
@access private
Definition: Consumer.php:220
Auth_OpenID_Consumer\begin
begin($user_url, $anonymous=false)
Start the OpenID authentication process.
Definition: Consumer.php:313
Auth_OpenID_Consumer\getDiscoveryObject
getDiscoveryObject($session, $openid_url, $session_key_prefix)
Used in testing to define the discovery mechanism.
Definition: Consumer.php:284
Auth_OpenID_Consumer\$_token_suffix
$_token_suffix
@access private
Definition: Consumer.php:230
Auth_OpenID_Consumer\complete
complete($current_url, $query=null)
Called to interpret the server's response to an OpenID request.
Definition: Consumer.php:410
Auth_OpenID_Consumer\beginWithoutDiscovery
beginWithoutDiscovery($endpoint, $anonymous=false)
Start OpenID verification without doing OpenID server discovery.
Definition: Consumer.php:373
Auth_OpenID_Consumer\Auth_OpenID_Consumer
Auth_OpenID_Consumer($store, $session=null, $consumer_cls=null)
Initialize a Consumer instance.
Definition: Consumer.php:261
Auth_OpenID_DiffieHellmanSHA1ConsumerSession
Definition: Consumer.php:453
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\$session_type
$session_type
Definition: Consumer.php:454
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\Auth_OpenID_DiffieHellmanSHA1ConsumerSession
Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh=null)
Definition: Consumer.php:459
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\$secret_size
$secret_size
Definition: Consumer.php:456
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\extractSecret
extractSecret($response)
Definition: Consumer.php:487
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\getRequest
getRequest()
Definition: Consumer.php:468
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\$hash_func
$hash_func
Definition: Consumer.php:455
Auth_OpenID_DiffieHellmanSHA1ConsumerSession\$allowed_assoc_types
$allowed_assoc_types
Definition: Consumer.php:457
Auth_OpenID_DiffieHellmanSHA256ConsumerSession
Definition: Consumer.php:516
Auth_OpenID_DiffieHellmanSHA256ConsumerSession\$hash_func
$hash_func
Definition: Consumer.php:518
Auth_OpenID_DiffieHellmanSHA256ConsumerSession\$session_type
$session_type
Definition: Consumer.php:517
Auth_OpenID_DiffieHellmanSHA256ConsumerSession\$allowed_assoc_types
$allowed_assoc_types
Definition: Consumer.php:520
Auth_OpenID_DiffieHellmanSHA256ConsumerSession\$secret_size
$secret_size
Definition: Consumer.php:519
Auth_OpenID_DiffieHellman
Definition: DiffieHellman.php:43
Auth_OpenID_FailureResponse
Definition: Consumer.php:2130
Auth_OpenID_FailureResponse\$status
$status
Definition: Consumer.php:2131
Auth_OpenID_FailureResponse\Auth_OpenID_FailureResponse
Auth_OpenID_FailureResponse($endpoint, $message=null, $contact=null, $reference=null)
Definition: Consumer.php:2133
Auth_OpenID_GenericConsumer
Definition: Consumer.php:568
Auth_OpenID_GenericConsumer\_requestAssociation
_requestAssociation($endpoint, $assoc_type, $session_type)
@access private
Definition: Consumer.php:1548
Auth_OpenID_GenericConsumer\$openid1_return_to_identifier_name
$openid1_return_to_identifier_name
Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is...
Definition: Consumer.php:594
Auth_OpenID_GenericConsumer\_extractSupportedAssociationType
_extractSupportedAssociationType($server_error, $endpoint, $assoc_type)
Handle ServerErrors resulting from association requests.
Definition: Consumer.php:1464
Auth_OpenID_GenericConsumer\_idResGetNonceOpenID1
_idResGetNonceOpenID1($message, $endpoint)
Extract the nonce from an OpenID 1 response.
Definition: Consumer.php:1234
Auth_OpenID_GenericConsumer\_verifyDiscoveryResults
_verifyDiscoveryResults($message, $endpoint=null)
@access private
Definition: Consumer.php:980
Auth_OpenID_GenericConsumer\_doIdRes
_doIdRes($message, $endpoint, $return_to)
@access private
Definition: Consumer.php:757
Auth_OpenID_GenericConsumer\_complete_setup_needed
_complete_setup_needed($message, $endpoint, $unused)
@access private
Definition: Consumer.php:708
Auth_OpenID_GenericConsumer\$openid1_nonce_query_arg_name
$openid1_nonce_query_arg_name
@access private
Definition: Consumer.php:587
Auth_OpenID_GenericConsumer\_createCheckAuthRequest
_createCheckAuthRequest($message)
@access private
Definition: Consumer.php:1353
Auth_OpenID_GenericConsumer\_complete_id_res
_complete_id_res($message, $endpoint, $return_to)
@access private
Definition: Consumer.php:722
Auth_OpenID_GenericConsumer\$_use_assocs
$_use_assocs
@access private
Definition: Consumer.php:582
Auth_OpenID_GenericConsumer\$store
$store
This consumer's store object.
Definition: Consumer.php:577
Auth_OpenID_GenericConsumer\_verifyDiscoveryServices
_verifyDiscoveryServices($claimed_id, $services, $to_match_endpoints)
@access private
Definition: Consumer.php:1199
Auth_OpenID_GenericConsumer\_createAssociateRequest
_createAssociateRequest($endpoint, $assoc_type, $session_type)
@access private
Definition: Consumer.php:1661
Auth_OpenID_GenericConsumer\_httpResponseToMessage
static _httpResponseToMessage($response, $server_url)
Adapt a POST response to a Message.
Definition: Consumer.php:1400
Auth_OpenID_GenericConsumer\Auth_OpenID_GenericConsumer
Auth_OpenID_GenericConsumer($store)
This method initializes a new Auth_OpenID_Consumer instance to access the library.
Definition: Consumer.php:614
Auth_OpenID_GenericConsumer\_idResCheckNonce
_idResCheckNonce($message, $endpoint)
@access private
Definition: Consumer.php:1243
Auth_OpenID_GenericConsumer\_checkReturnTo
_checkReturnTo($message, $return_to)
@access private
Definition: Consumer.php:813
Auth_OpenID_GenericConsumer\complete
complete($message, $endpoint, $return_to)
Given an Auth_OpenID_Message, Auth_OpenID_ServiceEndpoint and optional return_to URL,...
Definition: Consumer.php:653
Auth_OpenID_GenericConsumer\_complete_cancel
_complete_cancel($message, $endpoint, $unused)
@access private
Definition: Consumer.php:687
Auth_OpenID_GenericConsumer\_complete_error
_complete_error($message, $endpoint, $unused)
@access private
Definition: Consumer.php:695
Auth_OpenID_GenericConsumer\_checkSetupNeeded
_checkSetupNeeded($message)
@access private
Definition: Consumer.php:738
Auth_OpenID_GenericConsumer\_verifyReturnToArgs
_verifyReturnToArgs($query)
@access private
Definition: Consumer.php:880
Auth_OpenID_GenericConsumer\_makeKVPost
_makeKVPost($message, $server_url)
@access private
Definition: Consumer.php:1418
Auth_OpenID_GenericConsumer\_discoverAndVerify
_discoverAndVerify($claimed_id, $to_match_endpoints)
@access private
Definition: Consumer.php:1179
Auth_OpenID_GenericConsumer\_extractAssociation
_extractAssociation($assoc_response, $assoc_session)
@access private
Definition: Consumer.php:1569
Auth_OpenID_GenericConsumer\_negotiateAssociation
_negotiateAssociation($endpoint)
@access private
Definition: Consumer.php:1499
Auth_OpenID_GenericConsumer\_getAssociation
_getAssociation($endpoint)
@access private
Definition: Consumer.php:1433
Auth_OpenID_GenericConsumer\_verifyDiscoverySingle
_verifyDiscoverySingle($endpoint, $to_match)
@access private
Definition: Consumer.php:1051
Auth_OpenID_GenericConsumer\_idResCheckForFields
_idResCheckForFields($message)
@access private
Definition: Consumer.php:1281
Auth_OpenID_GenericConsumer\_checkAuth
_checkAuth($message, $server_url)
@access private
Definition: Consumer.php:1334
Auth_OpenID_GenericConsumer\begin
begin($service_endpoint)
Called to begin OpenID authentication using the specified Auth_OpenID_ServiceEndpoint.
Definition: Consumer.php:631
Auth_OpenID_GenericConsumer\_verifyDiscoveryResultsOpenID1
_verifyDiscoveryResultsOpenID1($message, $endpoint)
@access private
Definition: Consumer.php:994
Auth_OpenID_GenericConsumer\_verifyDiscoveryResultsOpenID2
_verifyDiscoveryResultsOpenID2($message, $endpoint)
@access private
Definition: Consumer.php:1103
Auth_OpenID_GenericConsumer\$discoverMethod
$discoverMethod
@access private
Definition: Consumer.php:572
Auth_OpenID_GenericConsumer\_getOpenID1SessionType
_getOpenID1SessionType($assoc_response)
Given an association response message, extract the OpenID 1.X session type.
Definition: Consumer.php:1708
Auth_OpenID_GenericConsumer\_idResCheckSignature
_idResCheckSignature($message, $server_url)
@access private
Definition: Consumer.php:937
Auth_OpenID_GenericConsumer\_completeInvalid
_completeInvalid($message, $endpoint, $unused)
@access private
Definition: Consumer.php:675
Auth_OpenID_GenericConsumer\_processCheckAuthResponse
_processCheckAuthResponse($response, $server_url)
@access private
Definition: Consumer.php:1373
Auth_OpenID_Message
Definition: Message.php:414
Auth_OpenID_Message\fromPostArgs
static fromPostArgs($args)
Definition: Message.php:444
Auth_OpenID_Message\fromKVForm
static fromKVForm($kvform_string)
Definition: Message.php:596
Auth_OpenID_Message\fromOpenIDArgs
static fromOpenIDArgs($openid_args)
Definition: Message.php:479
Auth_OpenID_PlainTextConsumerSession
Definition: Consumer.php:528
Auth_OpenID_PlainTextConsumerSession\getRequest
getRequest()
Definition: Consumer.php:532
Auth_OpenID_PlainTextConsumerSession\$allowed_assoc_types
$allowed_assoc_types
Definition: Consumer.php:530
Auth_OpenID_PlainTextConsumerSession\$session_type
$session_type
Definition: Consumer.php:529
Auth_OpenID_PlainTextConsumerSession\extractSecret
extractSecret($response)
Definition: Consumer.php:537
Auth_OpenID_ServerErrorContainer
Definition: Consumer.php:2157
Auth_OpenID_ServerErrorContainer\fromMessage
static fromMessage($message)
@access private
Definition: Consumer.php:2170
Auth_OpenID_ServerErrorContainer\Auth_OpenID_ServerErrorContainer
Auth_OpenID_ServerErrorContainer($error_text, $error_code, $message)
Definition: Consumer.php:2158
Auth_OpenID_ServiceEndpointLoader
Definition: Manager.php:196
Auth_OpenID_ServiceEndpoint
Object representing an OpenID service endpoint.
Definition: Discover.php:63
Auth_OpenID_ServiceEndpoint\fromOPEndpointURL
static fromOPEndpointURL($op_endpoint_url)
Definition: Discover.php:152
Auth_OpenID_SetupNeededResponse
Definition: Consumer.php:2219
Auth_OpenID_SetupNeededResponse\$status
$status
Definition: Consumer.php:2220
Auth_OpenID_SetupNeededResponse\Auth_OpenID_SetupNeededResponse
Auth_OpenID_SetupNeededResponse($endpoint, $setup_url=null)
Definition: Consumer.php:2222
Auth_OpenID_SuccessResponse
Definition: Consumer.php:2024
Auth_OpenID_SuccessResponse\$status
$status
Definition: Consumer.php:2025
Auth_OpenID_SuccessResponse\isSigned
isSigned($ns_uri, $ns_key)
Definition: Consumer.php:2062
Auth_OpenID_SuccessResponse\getReturnTo
getReturnTo()
Get the openid.return_to argument from this response.
Definition: Consumer.php:2109
Auth_OpenID_SuccessResponse\getSignedNS
getSignedNS($ns_uri)
Definition: Consumer.php:2081
Auth_OpenID_SuccessResponse\Auth_OpenID_SuccessResponse
Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null)
@access private
Definition: Consumer.php:2030
Auth_OpenID_SuccessResponse\getSigned
getSigned($ns_uri, $ns_key, $default=null)
Definition: Consumer.php:2070
Auth_OpenID_SuccessResponse\isOpenID1
isOpenID1()
Definition: Consumer.php:2057
Auth_OpenID_SuccessResponse\extensionResponse
extensionResponse($namespace_uri, $require_signed)
Extract signed extension data from the server's response.
Definition: Consumer.php:2048
Auth_OpenID_TypeURIMismatch
Definition: Consumer.php:2148
Auth_OpenID\autoSubmitHTML
static autoSubmitHTML($form, $title="OpenId transaction in progress")
Definition: OpenID.php:532
Auth_OpenID\arrayGet
static arrayGet($arr, $key, $fallback=null)
Convenience function for getting array values.
Definition: OpenID.php:242
Auth_OpenID\addPrefix
static addPrefix($values, $prefix)
Adds a string prefix to all values of an array.
Definition: OpenID.php:226
Auth_OpenID\isFailure
static isFailure($thing)
Return true if $thing is an Auth_OpenID_FailureResponse object; false if not.
Definition: OpenID.php:118
Auth_OpenID\parse_str
static parse_str($query)
Replacement for PHP's broken parse_str.
Definition: OpenID.php:262
Auth_OpenID\urldefrag
static urldefrag($url)
Definition: OpenID.php:487
Auth_OpenID\intval
static intval($value)
Replacement (wrapper) for PHP's intval() because it's broken.
Definition: OpenID.php:444
Auth_OpenID\getQuery
static getQuery($query_str=null)
Gets the query data from the server environment based on the request method used.
Definition: OpenID.php:142
Auth_OpenID\appendArgs
static appendArgs($url, $args)
"Appends" query arguments onto a URL.
Definition: OpenID.php:324
Auth_Yadis_Discovery
Definition: Manager.php:369
Auth_Yadis_ManagerLoader
Definition: Manager.php:223
Auth_Yadis_PHPSession
Definition: Manager.php:17
Auth_Yadis_Yadis\getHTTPFetcher
static getHTTPFetcher($timeout=20)
Returns an HTTP fetcher object.
Definition: Yadis.php:253
$namespace
if($err=$client->getError()) $namespace
Definition: dummy_client.php:51
$r
$r
Definition: example_031.php:79
$loader
$loader
Definition: loadtestdbgen.php:11