ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
Auth_OpenID_GenericConsumer Class Reference
+ Collaboration diagram for Auth_OpenID_GenericConsumer:

Public Member Functions

 Auth_OpenID_GenericConsumer ($store)
 This method initializes a new Auth_OpenID_Consumer instance to access the library. More...
 
 begin ($service_endpoint)
 Called to begin OpenID authentication using the specified Auth_OpenID_ServiceEndpoint. More...
 
 complete ($message, $endpoint, $return_to)
 Given an Auth_OpenID_Message, Auth_OpenID_ServiceEndpoint and optional return_to URL, complete OpenID authentication. More...
 
 _completeInvalid ($message, $endpoint, $unused)
 @access private More...
 
 _complete_cancel ($message, $endpoint, $unused)
 @access private More...
 
 _complete_error ($message, $endpoint, $unused)
 @access private More...
 
 _complete_setup_needed ($message, $endpoint, $unused)
 @access private More...
 
 _complete_id_res ($message, $endpoint, $return_to)
 @access private More...
 
 _checkSetupNeeded ($message)
 @access private More...
 
 _doIdRes ($message, $endpoint, $return_to)
 @access private More...
 
 _checkReturnTo ($message, $return_to)
 @access private More...
 
 _verifyReturnToArgs ($query)
 @access private More...
 
 _idResCheckSignature ($message, $server_url)
 @access private More...
 
 _verifyDiscoveryResults ($message, $endpoint=null)
 @access private More...
 
 _verifyDiscoveryResultsOpenID1 ($message, $endpoint)
 @access private More...
 
 _verifyDiscoverySingle ($endpoint, $to_match)
 @access private More...
 
 _verifyDiscoveryResultsOpenID2 ($message, $endpoint)
 @access private More...
 
 _discoverAndVerify ($claimed_id, $to_match_endpoints)
 @access private More...
 
 _verifyDiscoveryServices ($claimed_id, $services, $to_match_endpoints)
 @access private More...
 
 _idResGetNonceOpenID1 ($message, $endpoint)
 Extract the nonce from an OpenID 1 response. More...
 
 _idResCheckNonce ($message, $endpoint)
 @access private More...
 
 _idResCheckForFields ($message)
 @access private More...
 
 _checkAuth ($message, $server_url)
 @access private More...
 
 _createCheckAuthRequest ($message)
 @access private More...
 
 _processCheckAuthResponse ($response, $server_url)
 @access private More...
 
 _makeKVPost ($message, $server_url)
 @access private More...
 
 _getAssociation ($endpoint)
 @access private More...
 
 _extractSupportedAssociationType ($server_error, $endpoint, $assoc_type)
 Handle ServerErrors resulting from association requests. More...
 
 _negotiateAssociation ($endpoint)
 @access private More...
 
 _requestAssociation ($endpoint, $assoc_type, $session_type)
 @access private More...
 
 _extractAssociation ($assoc_response, $assoc_session)
 @access private More...
 
 _createAssociateRequest ($endpoint, $assoc_type, $session_type)
 @access private More...
 
 _getOpenID1SessionType ($assoc_response)
 Given an association response message, extract the OpenID 1.X session type. More...
 

Static Public Member Functions

static _httpResponseToMessage ($response, $server_url)
 Adapt a POST response to a Message. More...
 

Data Fields

 $discoverMethod = 'Auth_OpenID_discover'
 @access private More...
 
 $store
 This consumer's store object. More...
 
 $_use_assocs
 @access private More...
 
 $openid1_nonce_query_arg_name = 'janrain_nonce'
 @access private More...
 
 $openid1_return_to_identifier_name = 'openid1_claimed_id'
 Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is lost, use this claimed identifier to do discovery when verifying the response. More...
 

Detailed Description

Definition at line 568 of file Consumer.php.

Member Function Documentation

◆ _checkAuth()

Auth_OpenID_GenericConsumer::_checkAuth (   $message,
  $server_url 
)

@access private

Definition at line 1334 of file Consumer.php.

1335 {
1336 $request = $this->_createCheckAuthRequest($message);
1337 if ($request === null) {
1338 return false;
1339 }
1340
1341 $resp_message = $this->_makeKVPost($request, $server_url);
1342 if (($resp_message === null) ||
1343 (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
1344 return false;
1345 }
1346
1347 return $this->_processCheckAuthResponse($resp_message, $server_url);
1348 }
_createCheckAuthRequest($message)
@access private
Definition: Consumer.php:1353
_makeKVPost($message, $server_url)
@access private
Definition: Consumer.php:1418
_processCheckAuthResponse($response, $server_url)
@access private
Definition: Consumer.php:1373

References _createCheckAuthRequest(), _makeKVPost(), and _processCheckAuthResponse().

Referenced by _idResCheckSignature().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _checkReturnTo()

Auth_OpenID_GenericConsumer::_checkReturnTo (   $message,
  $return_to 
)

@access private

Definition at line 813 of file Consumer.php.

814 {
815 // Check an OpenID message and its openid.return_to value
816 // against a return_to URL from an application. Return True
817 // on success, False on failure.
818
819 // Check the openid.return_to args against args in the
820 // original message.
822 $message->toPostArgs());
824 return false;
825 }
826
827 // Check the return_to base URL against the one in the
828 // message.
829 $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
830 'return_to');
831 if (Auth_OpenID::isFailure($return_to)) {
832 // XXX log me
833 return false;
834 }
835
836 $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
837 $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));
838
839 // If port is absent from both, add it so it's equal in the
840 // check below.
841 if ((!array_key_exists('port', $return_to_parts)) &&
842 (!array_key_exists('port', $msg_return_to_parts))) {
843 $return_to_parts['port'] = null;
844 $msg_return_to_parts['port'] = null;
845 }
846
847 // If path is absent from both, add it so it's equal in the
848 // check below.
849 if ((!array_key_exists('path', $return_to_parts)) &&
850 (!array_key_exists('path', $msg_return_to_parts))) {
851 $return_to_parts['path'] = null;
852 $msg_return_to_parts['path'] = null;
853 }
854
855 // The URL scheme, authority, and path MUST be the same
856 // between the two URLs.
857 foreach (array('scheme', 'host', 'port', 'path') as $component) {
858 // If the url component is absent in either URL, fail.
859 // There should always be a scheme, host, port, and path.
860 if (!array_key_exists($component, $return_to_parts)) {
861 return false;
862 }
863
864 if (!array_key_exists($component, $msg_return_to_parts)) {
865 return false;
866 }
867
868 if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
869 Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
870 return false;
871 }
872 }
873
874 return true;
875 }
$result
const Auth_OpenID_OPENID_NS
Definition: Message.php:42
Auth_OpenID_urinorm($uri)
Definition: URINorm.php:142
_verifyReturnToArgs($query)
@access private
Definition: Consumer.php:880
static arrayGet($arr, $key, $fallback=null)
Convenience function for getting array values.
Definition: OpenID.php:242
static isFailure($thing)
Return true if $thing is an Auth_OpenID_FailureResponse object; false if not.
Definition: OpenID.php:118

References $result, _verifyReturnToArgs(), Auth_OpenID\arrayGet(), Auth_OpenID_OPENID_NS, Auth_OpenID_urinorm(), and Auth_OpenID\isFailure().

Referenced by _doIdRes().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _checkSetupNeeded()

Auth_OpenID_GenericConsumer::_checkSetupNeeded (   $message)

@access private

Definition at line 738 of file Consumer.php.

739 {
740 // In OpenID 1, we check to see if this is a cancel from
741 // immediate mode by the presence of the user_setup_url
742 // parameter.
743 if ($message->isOpenID1()) {
744 $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
745 'user_setup_url');
746 if ($user_setup_url !== null) {
747 return true;
748 }
749 }
750
751 return false;
752 }
const Auth_OpenID_OPENID1_NS
Definition: Message.php:25

References Auth_OpenID_OPENID1_NS.

Referenced by _complete_id_res().

+ Here is the caller graph for this function:

◆ _complete_cancel()

Auth_OpenID_GenericConsumer::_complete_cancel (   $message,
  $endpoint,
  $unused 
)

@access private

Definition at line 687 of file Consumer.php.

688 {
689 return new Auth_OpenID_CancelResponse($endpoint);
690 }

◆ _complete_error()

Auth_OpenID_GenericConsumer::_complete_error (   $message,
  $endpoint,
  $unused 
)

@access private

Definition at line 695 of file Consumer.php.

696 {
697 $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
698 $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
699 $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');
700
701 return new Auth_OpenID_FailureResponse($endpoint, $error,
702 $contact, $reference);
703 }

References Auth_OpenID_OPENID_NS.

◆ _complete_id_res()

Auth_OpenID_GenericConsumer::_complete_id_res (   $message,
  $endpoint,
  $return_to 
)

@access private

Definition at line 722 of file Consumer.php.

723 {
724 $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
725 'user_setup_url');
726
727 if ($this->_checkSetupNeeded($message)) {
729 $endpoint, $user_setup_url);
730 } else {
731 return $this->_doIdRes($message, $endpoint, $return_to);
732 }
733 }
_doIdRes($message, $endpoint, $return_to)
@access private
Definition: Consumer.php:757
_checkSetupNeeded($message)
@access private
Definition: Consumer.php:738

References _checkSetupNeeded(), _doIdRes(), and Auth_OpenID_OPENID1_NS.

+ Here is the call graph for this function:

◆ _complete_setup_needed()

Auth_OpenID_GenericConsumer::_complete_setup_needed (   $message,
  $endpoint,
  $unused 
)

@access private

Definition at line 708 of file Consumer.php.

709 {
710 if (!$message->isOpenID2()) {
711 return $this->_completeInvalid($message, $endpoint);
712 }
713
714 $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
715 'user_setup_url');
716 return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url);
717 }
const Auth_OpenID_OPENID2_NS
Definition: Message.php:35
_completeInvalid($message, $endpoint, $unused)
@access private
Definition: Consumer.php:675

References _completeInvalid(), and Auth_OpenID_OPENID2_NS.

+ Here is the call graph for this function:

◆ _completeInvalid()

Auth_OpenID_GenericConsumer::_completeInvalid (   $message,
  $endpoint,
  $unused 
)

@access private

Definition at line 675 of file Consumer.php.

676 {
677 $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
678 '<No mode set>');
679
680 return new Auth_OpenID_FailureResponse($endpoint,
681 sprintf("Invalid openid.mode '%s'", $mode));
682 }

References Auth_OpenID_OPENID_NS.

Referenced by _complete_setup_needed().

+ Here is the caller graph for this function:

◆ _createAssociateRequest()

Auth_OpenID_GenericConsumer::_createAssociateRequest (   $endpoint,
  $assoc_type,
  $session_type 
)

@access private

Definition at line 1661 of file Consumer.php.

1662 {
1663 if (array_key_exists($session_type, $this->session_types)) {
1664 $session_type_class = $this->session_types[$session_type];
1665
1666 if (is_callable($session_type_class)) {
1667 $assoc_session = $session_type_class();
1668 } else {
1669 $assoc_session = new $session_type_class();
1670 }
1671 } else {
1672 return null;
1673 }
1674
1675 $args = array(
1676 'mode' => 'associate',
1677 'assoc_type' => $assoc_type);
1678
1679 if (!$endpoint->compatibilityMode()) {
1680 $args['ns'] = Auth_OpenID_OPENID2_NS;
1681 }
1682
1683 // Leave out the session type if we're in compatibility mode
1684 // *and* it's no-encryption.
1685 if ((!$endpoint->compatibilityMode()) ||
1686 ($assoc_session->session_type != 'no-encryption')) {
1687 $args['session_type'] = $assoc_session->session_type;
1688 }
1689
1690 $args = array_merge($args, $assoc_session->getRequest());
1691 $message = Auth_OpenID_Message::fromOpenIDArgs($args);
1692 return array($assoc_session, $message);
1693 }
static fromOpenIDArgs($openid_args)
Definition: Message.php:479

References Auth_OpenID_OPENID2_NS, and Auth_OpenID_Message\fromOpenIDArgs().

Referenced by _requestAssociation().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _createCheckAuthRequest()

Auth_OpenID_GenericConsumer::_createCheckAuthRequest (   $message)

@access private

Definition at line 1353 of file Consumer.php.

1354 {
1355 $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
1356 if ($signed) {
1357 foreach (explode(',', $signed) as $k) {
1358 $value = $message->getAliasedArg($k);
1359 if ($value === null) {
1360 return null;
1361 }
1362 }
1363 }
1364 $ca_message = $message->copy();
1365 $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode',
1366 'check_authentication');
1367 return $ca_message;
1368 }

References Auth_OpenID_OPENID_NS.

Referenced by _checkAuth().

+ Here is the caller graph for this function:

◆ _discoverAndVerify()

Auth_OpenID_GenericConsumer::_discoverAndVerify (   $claimed_id,
  $to_match_endpoints 
)

@access private

Definition at line 1179 of file Consumer.php.

1180 {
1181 // oidutil.log('Performing discovery on %s' % (claimed_id,))
1182 list($unused, $services) = call_user_func($this->discoverMethod,
1183 $claimed_id,
1184 $this->fetcher); // fixed php 5.4 compatability
1185
1186 if (!$services) {
1187 return new Auth_OpenID_FailureResponse(null,
1188 sprintf("No OpenID information found at %s",
1189 $claimed_id));
1190 }
1191
1192 return $this->_verifyDiscoveryServices($claimed_id, $services,
1193 $to_match_endpoints);
1194 }
_verifyDiscoveryServices($claimed_id, $services, $to_match_endpoints)
@access private
Definition: Consumer.php:1199

References _verifyDiscoveryServices().

Referenced by _verifyDiscoveryResultsOpenID1(), and _verifyDiscoveryResultsOpenID2().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _doIdRes()

Auth_OpenID_GenericConsumer::_doIdRes (   $message,
  $endpoint,
  $return_to 
)

@access private

Definition at line 757 of file Consumer.php.

758 {
759 // Checks for presence of appropriate fields (and checks
760 // signed list fields)
761 $result = $this->_idResCheckForFields($message);
762
764 return $result;
765 }
766
767 if (!$this->_checkReturnTo($message, $return_to)) {
768 return new Auth_OpenID_FailureResponse(null,
769 sprintf("return_to does not match return URL. Expected %s, got %s",
770 $return_to,
771 $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
772 }
773
774 // Verify discovery information:
775 $result = $this->_verifyDiscoveryResults($message, $endpoint);
776
778 return $result;
779 }
780
781 $endpoint = $result;
782
783 $result = $this->_idResCheckSignature($message,
784 $endpoint->server_url);
785
787 return $result;
788 }
789
790 $result = $this->_idResCheckNonce($message, $endpoint);
791
793 return $result;
794 }
795
796 $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed',
798 if (Auth_OpenID::isFailure($signed_list_str)) {
799 return $signed_list_str;
800 }
801 $signed_list = explode(',', $signed_list_str);
802
803 $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
804
805 return new Auth_OpenID_SuccessResponse($endpoint, $message,
806 $signed_fields);
807
808 }
const Auth_OpenID_NO_DEFAULT
Definition: Message.php:50
_verifyDiscoveryResults($message, $endpoint=null)
@access private
Definition: Consumer.php:980
_idResCheckNonce($message, $endpoint)
@access private
Definition: Consumer.php:1243
_checkReturnTo($message, $return_to)
@access private
Definition: Consumer.php:813
_idResCheckForFields($message)
@access private
Definition: Consumer.php:1281
_idResCheckSignature($message, $server_url)
@access private
Definition: Consumer.php:937
static addPrefix($values, $prefix)
Adds a string prefix to all values of an array.
Definition: OpenID.php:226

References $result, _checkReturnTo(), _idResCheckForFields(), _idResCheckNonce(), _idResCheckSignature(), _verifyDiscoveryResults(), Auth_OpenID\addPrefix(), Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().

Referenced by _complete_id_res().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _extractAssociation()

Auth_OpenID_GenericConsumer::_extractAssociation (   $assoc_response,
  $assoc_session 
)

@access private

Definition at line 1569 of file Consumer.php.

1570 {
1571 // Extract the common fields from the response, raising an
1572 // exception if they are not found
1573 $assoc_type = $assoc_response->getArg(
1574 Auth_OpenID_OPENID_NS, 'assoc_type',
1576
1577 if (Auth_OpenID::isFailure($assoc_type)) {
1578 return $assoc_type;
1579 }
1580
1581 $assoc_handle = $assoc_response->getArg(
1582 Auth_OpenID_OPENID_NS, 'assoc_handle',
1584
1585 if (Auth_OpenID::isFailure($assoc_handle)) {
1586 return $assoc_handle;
1587 }
1588
1589 // expires_in is a base-10 string. The Python parsing will
1590 // accept literals that have whitespace around them and will
1591 // accept negative values. Neither of these are really in-spec,
1592 // but we think it's OK to accept them.
1593 $expires_in_str = $assoc_response->getArg(
1594 Auth_OpenID_OPENID_NS, 'expires_in',
1596
1597 if (Auth_OpenID::isFailure($expires_in_str)) {
1598 return $expires_in_str;
1599 }
1600
1601 $expires_in = Auth_OpenID::intval($expires_in_str);
1602 if ($expires_in === false) {
1603
1604 $err = sprintf("Could not parse expires_in from association ".
1605 "response %s", print_r($assoc_response, true));
1606 return new Auth_OpenID_FailureResponse(null, $err);
1607 }
1608
1609 // OpenID 1 has funny association session behaviour.
1610 if ($assoc_response->isOpenID1()) {
1611 $session_type = $this->_getOpenID1SessionType($assoc_response);
1612 } else {
1613 $session_type = $assoc_response->getArg(
1614 Auth_OpenID_OPENID2_NS, 'session_type',
1616
1617 if (Auth_OpenID::isFailure($session_type)) {
1618 return $session_type;
1619 }
1620 }
1621
1622 // Session type mismatch
1623 if ($assoc_session->session_type != $session_type) {
1624 if ($assoc_response->isOpenID1() &&
1625 ($session_type == 'no-encryption')) {
1626 // In OpenID 1, any association request can result in
1627 // a 'no-encryption' association response. Setting
1628 // assoc_session to a new no-encryption session should
1629 // make the rest of this function work properly for
1630 // that case.
1631 $assoc_session = new Auth_OpenID_PlainTextConsumerSession();
1632 } else {
1633 // Any other mismatch, regardless of protocol version
1634 // results in the failure of the association session
1635 // altogether.
1636 return null;
1637 }
1638 }
1639
1640 // Make sure assoc_type is valid for session_type
1641 if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
1642 return null;
1643 }
1644
1645 // Delegate to the association session to extract the secret
1646 // from the response, however is appropriate for that session
1647 // type.
1648 $secret = $assoc_session->extractSecret($assoc_response);
1649
1650 if ($secret === null) {
1651 return null;
1652 }
1653
1655 $expires_in, $assoc_handle, $secret, $assoc_type);
1656 }
static fromExpiresIn($expires_in, $handle, $secret, $assoc_type)
This is an alternate constructor (factory method) used by the OpenID consumer library to create assoc...
Definition: Association.php:97
_getOpenID1SessionType($assoc_response)
Given an association response message, extract the OpenID 1.X session type.
Definition: Consumer.php:1708
static intval($value)
Replacement (wrapper) for PHP's intval() because it's broken.
Definition: OpenID.php:444

References _getOpenID1SessionType(), Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID2_NS, Auth_OpenID_OPENID_NS, Auth_OpenID_Association\fromExpiresIn(), Auth_OpenID\intval(), and Auth_OpenID\isFailure().

Referenced by _requestAssociation().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _extractSupportedAssociationType()

Auth_OpenID_GenericConsumer::_extractSupportedAssociationType (   $server_error,
  $endpoint,
  $assoc_type 
)

Handle ServerErrors resulting from association requests.

Returns
$result If server replied with an C{unsupported-type} error, return a tuple of supported C{association_type}, C{session_type}. Otherwise logs the error and returns null.

@access private

Definition at line 1464 of file Consumer.php.

1466 {
1467 // Any error message whose code is not 'unsupported-type'
1468 // should be considered a total failure.
1469 if (($server_error->error_code != 'unsupported-type') ||
1470 ($server_error->message->isOpenID1())) {
1471 return null;
1472 }
1473
1474 // The server didn't like the association/session type that we
1475 // sent, and it sent us back a message that might tell us how
1476 // to handle it.
1477
1478 // Extract the session_type and assoc_type from the error
1479 // message
1480 $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
1481 'assoc_type');
1482
1483 $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
1484 'session_type');
1485
1486 if (($assoc_type === null) || ($session_type === null)) {
1487 return null;
1488 } else if (!$this->negotiator->isAllowed($assoc_type,
1489 $session_type)) {
1490 return null;
1491 } else {
1492 return array($assoc_type, $session_type);
1493 }
1494 }

References Auth_OpenID_OPENID_NS.

Referenced by _negotiateAssociation().

+ Here is the caller graph for this function:

◆ _getAssociation()

Auth_OpenID_GenericConsumer::_getAssociation (   $endpoint)

@access private

Definition at line 1433 of file Consumer.php.

1434 {
1435 if (!$this->_use_assocs) {
1436 return null;
1437 }
1438
1439 $assoc = $this->store->getAssociation($endpoint->server_url);
1440
1441 if (($assoc === null) ||
1442 ($assoc->getExpiresIn() <= 0)) {
1443
1444 $assoc = $this->_negotiateAssociation($endpoint);
1445
1446 if ($assoc !== null) {
1447 $this->store->storeAssociation($endpoint->server_url,
1448 $assoc);
1449 }
1450 }
1451
1452 return $assoc;
1453 }
_negotiateAssociation($endpoint)
@access private
Definition: Consumer.php:1499

References _negotiateAssociation().

Referenced by begin().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _getOpenID1SessionType()

Auth_OpenID_GenericConsumer::_getOpenID1SessionType (   $assoc_response)

Given an association response message, extract the OpenID 1.X session type.

This function mostly takes care of the 'no-encryption' default behavior in OpenID 1.

If the association type is plain-text, this function will return 'no-encryption'

@access private

Returns
$typ The association type for this message

Definition at line 1708 of file Consumer.php.

1709 {
1710 // If it's an OpenID 1 message, allow session_type to default
1711 // to None (which signifies "no-encryption")
1712 $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS,
1713 'session_type');
1714
1715 // Handle the differences between no-encryption association
1716 // respones in OpenID 1 and 2:
1717
1718 // no-encryption is not really a valid session type for OpenID
1719 // 1, but we'll accept it anyway, while issuing a warning.
1720 if ($session_type == 'no-encryption') {
1721 // oidutil.log('WARNING: OpenID server sent "no-encryption"'
1722 // 'for OpenID 1.X')
1723 } else if (($session_type == '') || ($session_type === null)) {
1724 // Missing or empty session type is the way to flag a
1725 // 'no-encryption' response. Change the session type to
1726 // 'no-encryption' so that it can be handled in the same
1727 // way as OpenID 2 'no-encryption' respones.
1728 $session_type = 'no-encryption';
1729 }
1730
1731 return $session_type;
1732 }

References Auth_OpenID_OPENID1_NS.

Referenced by _extractAssociation().

+ Here is the caller graph for this function:

◆ _httpResponseToMessage()

static Auth_OpenID_GenericConsumer::_httpResponseToMessage (   $response,
  $server_url 
)
static

Adapt a POST response to a Message.

Parameters
$responseResult of a POST to an OpenID endpoint.

@access private

Definition at line 1400 of file Consumer.php.

1401 {
1402 // Should this function be named Message.fromHTTPResponse instead?
1403 $response_message = Auth_OpenID_Message::fromKVForm($response->body);
1404
1405 if ($response->status == 400) {
1407 $response_message);
1408 } else if ($response->status != 200 and $response->status != 206) {
1409 return null;
1410 }
1411
1412 return $response_message;
1413 }
static fromKVForm($kvform_string)
Definition: Message.php:596
static fromMessage($message)
@access private
Definition: Consumer.php:2170

References Auth_OpenID_Message\fromKVForm(), and Auth_OpenID_ServerErrorContainer\fromMessage().

Referenced by _makeKVPost().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _idResCheckForFields()

Auth_OpenID_GenericConsumer::_idResCheckForFields (   $message)

@access private

Definition at line 1281 of file Consumer.php.

1282 {
1283 $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
1284 $basic_sig_fields = array('return_to', 'identity');
1285
1286 $require_fields = array(
1287 Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
1288 array('op_endpoint')),
1289
1290 Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
1291 array('identity'))
1292 );
1293
1294 $require_sigs = array(
1295 Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
1296 array('response_nonce',
1297 'claimed_id',
1298 'assoc_handle',
1299 'op_endpoint')),
1300 Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
1301 array('nonce'))
1302 );
1303
1304 foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
1305 if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
1306 return new Auth_OpenID_FailureResponse(null,
1307 "Missing required field '".$field."'");
1308 }
1309 }
1310
1311 $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
1312 'signed',
1314 if (Auth_OpenID::isFailure($signed_list_str)) {
1315 return $signed_list_str;
1316 }
1317 $signed_list = explode(',', $signed_list_str);
1318
1319 foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
1320 // Field is present and not in signed list
1321 if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
1322 (!in_array($field, $signed_list))) {
1323 return new Auth_OpenID_FailureResponse(null,
1324 "'".$field."' not signed");
1325 }
1326 }
1327
1328 return null;
1329 }

References Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID1_NS, Auth_OpenID_OPENID2_NS, Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().

Referenced by _doIdRes().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _idResCheckNonce()

Auth_OpenID_GenericConsumer::_idResCheckNonce (   $message,
  $endpoint 
)

@access private

Definition at line 1243 of file Consumer.php.

1244 {
1245 if ($message->isOpenID1()) {
1246 // This indicates that the nonce was generated by the consumer
1247 $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
1248 $server_url = '';
1249 } else {
1250 $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
1251 'response_nonce');
1252
1253 $server_url = $endpoint->server_url;
1254 }
1255
1256 if ($nonce === null) {
1257 return new Auth_OpenID_FailureResponse($endpoint,
1258 "Nonce missing from response");
1259 }
1260
1261 $parts = Auth_OpenID_splitNonce($nonce);
1262
1263 if ($parts === null) {
1264 return new Auth_OpenID_FailureResponse($endpoint,
1265 "Malformed nonce in response");
1266 }
1267
1268 list($timestamp, $salt) = $parts;
1269
1270 if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
1271 return new Auth_OpenID_FailureResponse($endpoint,
1272 "Nonce already used or out of range");
1273 }
1274
1275 return null;
1276 }
Auth_OpenID_splitNonce($nonce_string)
Definition: Nonce.php:30
foreach($mandatory_scripts as $file) $timestamp
Definition: buildRTE.php:81
_idResGetNonceOpenID1($message, $endpoint)
Extract the nonce from an OpenID 1 response.
Definition: Consumer.php:1234

References $timestamp, _idResGetNonceOpenID1(), Auth_OpenID_OPENID2_NS, and Auth_OpenID_splitNonce().

Referenced by _doIdRes().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _idResCheckSignature()

Auth_OpenID_GenericConsumer::_idResCheckSignature (   $message,
  $server_url 
)

@access private

Definition at line 937 of file Consumer.php.

938 {
939 $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
940 'assoc_handle');
941 if (Auth_OpenID::isFailure($assoc_handle)) {
942 return $assoc_handle;
943 }
944
945 $assoc = $this->store->getAssociation($server_url, $assoc_handle);
946
947 if ($assoc) {
948 if ($assoc->getExpiresIn() <= 0) {
949 // XXX: It might be a good idea sometimes to re-start
950 // the authentication with a new association. Doing it
951 // automatically opens the possibility for
952 // denial-of-service by a server that just returns
953 // expired associations (or really short-lived
954 // associations)
955 return new Auth_OpenID_FailureResponse(null,
956 'Association with ' . $server_url . ' expired');
957 }
958
959 if (!$assoc->checkMessageSignature($message)) {
960 return new Auth_OpenID_FailureResponse(null,
961 "Bad signature");
962 }
963 } else {
964 // It's not an association we know about. Stateless mode
965 // is our only possible path for recovery. XXX - async
966 // framework will not want to block on this call to
967 // _checkAuth.
968 if (!$this->_checkAuth($message, $server_url)) {
969 return new Auth_OpenID_FailureResponse(null,
970 "Server denied check_authentication");
971 }
972 }
973
974 return null;
975 }
_checkAuth($message, $server_url)
@access private
Definition: Consumer.php:1334

References _checkAuth(), Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().

Referenced by _doIdRes().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _idResGetNonceOpenID1()

Auth_OpenID_GenericConsumer::_idResGetNonceOpenID1 (   $message,
  $endpoint 
)

Extract the nonce from an OpenID 1 response.

Return the nonce from the BARE_NS since we independently check the return_to arguments are the same as those in the response message.

See the openid1_nonce_query_arg_name class variable

Returns
$nonce The nonce as a string or null

@access private

Definition at line 1234 of file Consumer.php.

1235 {
1236 return $message->getArg(Auth_OpenID_BARE_NS,
1237 $this->openid1_nonce_query_arg_name);
1238 }
const Auth_OpenID_BARE_NS
Definition: Message.php:46

References Auth_OpenID_BARE_NS.

Referenced by _idResCheckNonce().

+ Here is the caller graph for this function:

◆ _makeKVPost()

Auth_OpenID_GenericConsumer::_makeKVPost (   $message,
  $server_url 
)

@access private

Definition at line 1418 of file Consumer.php.

1419 {
1420 $body = $message->toURLEncoded();
1421 $resp = $this->fetcher->post($server_url, $body);
1422
1423 if ($resp === null) {
1424 return null;
1425 }
1426
1427 return $this->_httpResponseToMessage($resp, $server_url);
1428 }
static _httpResponseToMessage($response, $server_url)
Adapt a POST response to a Message.
Definition: Consumer.php:1400

References _httpResponseToMessage().

Referenced by _checkAuth(), and _requestAssociation().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _negotiateAssociation()

Auth_OpenID_GenericConsumer::_negotiateAssociation (   $endpoint)

@access private

Definition at line 1499 of file Consumer.php.

1500 {
1501 // Get our preferred session/association type from the negotiatior.
1502 list($assoc_type, $session_type) = $this->negotiator->getAllowedType();
1503
1504 $assoc = $this->_requestAssociation(
1505 $endpoint, $assoc_type, $session_type);
1506
1507 if (Auth_OpenID::isFailure($assoc)) {
1508 return null;
1509 }
1510
1511 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
1512 $why = $assoc;
1513
1514 $supportedTypes = $this->_extractSupportedAssociationType(
1515 $why, $endpoint, $assoc_type);
1516
1517 if ($supportedTypes !== null) {
1518 list($assoc_type, $session_type) = $supportedTypes;
1519
1520 // Attempt to create an association from the assoc_type
1521 // and session_type that the server told us it
1522 // supported.
1523 $assoc = $this->_requestAssociation(
1524 $endpoint, $assoc_type, $session_type);
1525
1526 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
1527 // Do not keep trying, since it rejected the
1528 // association type that it told us to use.
1529 // oidutil.log('Server %s refused its suggested association
1530 // 'type: session_type=%s, assoc_type=%s'
1531 // % (endpoint.server_url, session_type,
1532 // assoc_type))
1533 return null;
1534 } else {
1535 return $assoc;
1536 }
1537 } else {
1538 return null;
1539 }
1540 } else {
1541 return $assoc;
1542 }
1543 }
_requestAssociation($endpoint, $assoc_type, $session_type)
@access private
Definition: Consumer.php:1548
_extractSupportedAssociationType($server_error, $endpoint, $assoc_type)
Handle ServerErrors resulting from association requests.
Definition: Consumer.php:1464

References _extractSupportedAssociationType(), _requestAssociation(), and Auth_OpenID\isFailure().

Referenced by _getAssociation().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _processCheckAuthResponse()

Auth_OpenID_GenericConsumer::_processCheckAuthResponse (   $response,
  $server_url 
)

@access private

Definition at line 1373 of file Consumer.php.

1374 {
1375 $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid',
1376 'false');
1377
1378 $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
1379 'invalidate_handle');
1380
1381 if ($invalidate_handle !== null) {
1382 $this->store->removeAssociation($server_url,
1383 $invalidate_handle);
1384 }
1385
1386 if ($is_valid == 'true') {
1387 return true;
1388 }
1389
1390 return false;
1391 }

References Auth_OpenID_OPENID_NS.

Referenced by _checkAuth().

+ Here is the caller graph for this function:

◆ _requestAssociation()

Auth_OpenID_GenericConsumer::_requestAssociation (   $endpoint,
  $assoc_type,
  $session_type 
)

@access private

Definition at line 1548 of file Consumer.php.

1549 {
1550 list($assoc_session, $args) = $this->_createAssociateRequest(
1551 $endpoint, $assoc_type, $session_type);
1552
1553 $response_message = $this->_makeKVPost($args, $endpoint->server_url);
1554
1555 if ($response_message === null) {
1556 // oidutil.log('openid.associate request failed: %s' % (why[0],))
1557 return null;
1558 } else if (is_a($response_message,
1559 'Auth_OpenID_ServerErrorContainer')) {
1560 return $response_message;
1561 }
1562
1563 return $this->_extractAssociation($response_message, $assoc_session);
1564 }
_createAssociateRequest($endpoint, $assoc_type, $session_type)
@access private
Definition: Consumer.php:1661
_extractAssociation($assoc_response, $assoc_session)
@access private
Definition: Consumer.php:1569

References _createAssociateRequest(), _extractAssociation(), and _makeKVPost().

Referenced by _negotiateAssociation().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _verifyDiscoveryResults()

Auth_OpenID_GenericConsumer::_verifyDiscoveryResults (   $message,
  $endpoint = null 
)

@access private

Definition at line 980 of file Consumer.php.

981 {
982 if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) {
983 return $this->_verifyDiscoveryResultsOpenID2($message,
984 $endpoint);
985 } else {
986 return $this->_verifyDiscoveryResultsOpenID1($message,
987 $endpoint);
988 }
989 }
_verifyDiscoveryResultsOpenID1($message, $endpoint)
@access private
Definition: Consumer.php:994
_verifyDiscoveryResultsOpenID2($message, $endpoint)
@access private
Definition: Consumer.php:1103

References _verifyDiscoveryResultsOpenID1(), _verifyDiscoveryResultsOpenID2(), and Auth_OpenID_OPENID2_NS.

Referenced by _doIdRes().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _verifyDiscoveryResultsOpenID1()

Auth_OpenID_GenericConsumer::_verifyDiscoveryResultsOpenID1 (   $message,
  $endpoint 
)

@access private

Definition at line 994 of file Consumer.php.

995 {
996 $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
997 $this->openid1_return_to_identifier_name);
998
999 if (($endpoint === null) && ($claimed_id === null)) {
1000 return new Auth_OpenID_FailureResponse($endpoint,
1001 'When using OpenID 1, the claimed ID must be supplied, ' .
1002 'either by passing it through as a return_to parameter ' .
1003 'or by using a session, and supplied to the GenericConsumer ' .
1004 'as the argument to complete()');
1005 } else if (($endpoint !== null) && ($claimed_id === null)) {
1006 $claimed_id = $endpoint->claimed_id;
1007 }
1008
1009 $to_match = new Auth_OpenID_ServiceEndpoint();
1010 $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
1011 $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
1012 'identity');
1013
1014 // Restore delegate information from the initiation phase
1015 $to_match->claimed_id = $claimed_id;
1016
1017 if ($to_match->local_id === null) {
1018 return new Auth_OpenID_FailureResponse($endpoint,
1019 "Missing required field openid.identity");
1020 }
1021
1022 $to_match_1_0 = $to_match->copy();
1023 $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);
1024
1025 if ($endpoint !== null) {
1026 $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
1027
1028 if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) {
1029 $result = $this->_verifyDiscoverySingle($endpoint,
1030 $to_match_1_0);
1031 }
1032
1034 // oidutil.log("Error attempting to use stored
1035 // discovery information: " + str(e))
1036 // oidutil.log("Attempting discovery to
1037 // verify endpoint")
1038 } else {
1039 return $endpoint;
1040 }
1041 }
1042
1043 // Endpoint is either bad (failed verification) or None
1044 return $this->_discoverAndVerify($to_match->claimed_id,
1045 array($to_match, $to_match_1_0));
1046 }
const Auth_OpenID_TYPE_1_1
Definition: Discover.php:18
const Auth_OpenID_TYPE_1_0
Definition: Discover.php:19
_discoverAndVerify($claimed_id, $to_match_endpoints)
@access private
Definition: Consumer.php:1179
_verifyDiscoverySingle($endpoint, $to_match)
@access private
Definition: Consumer.php:1051
Object representing an OpenID service endpoint.
Definition: Discover.php:63

References $result, _discoverAndVerify(), _verifyDiscoverySingle(), Auth_OpenID_BARE_NS, Auth_OpenID_OPENID1_NS, Auth_OpenID_TYPE_1_0, Auth_OpenID_TYPE_1_1, and Auth_OpenID\isFailure().

Referenced by _verifyDiscoveryResults().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _verifyDiscoveryResultsOpenID2()

Auth_OpenID_GenericConsumer::_verifyDiscoveryResultsOpenID2 (   $message,
  $endpoint 
)

@access private

Definition at line 1103 of file Consumer.php.

1104 {
1105 $to_match = new Auth_OpenID_ServiceEndpoint();
1106 $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
1107 $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
1108 'claimed_id');
1109
1110 $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
1111 'identity');
1112
1113 $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
1114 'op_endpoint');
1115
1116 if ($to_match->server_url === null) {
1117 return new Auth_OpenID_FailureResponse($endpoint,
1118 "OP Endpoint URL missing");
1119 }
1120
1121 // claimed_id and identifier must both be present or both be
1122 // absent
1123 if (($to_match->claimed_id === null) &&
1124 ($to_match->local_id !== null)) {
1125 return new Auth_OpenID_FailureResponse($endpoint,
1126 'openid.identity is present without openid.claimed_id');
1127 }
1128
1129 if (($to_match->claimed_id !== null) &&
1130 ($to_match->local_id === null)) {
1131 return new Auth_OpenID_FailureResponse($endpoint,
1132 'openid.claimed_id is present without openid.identity');
1133 }
1134
1135 if ($to_match->claimed_id === null) {
1136 // This is a response without identifiers, so there's
1137 // really no checking that we can do, so return an
1138 // endpoint that's for the specified `openid.op_endpoint'
1140 $to_match->server_url);
1141 }
1142
1143 if (!$endpoint) {
1144 // The claimed ID doesn't match, so we have to do
1145 // discovery again. This covers not using sessions, OP
1146 // identifier endpoints and responses that didn't match
1147 // the original request.
1148 // oidutil.log('No pre-discovered information supplied.')
1149 return $this->_discoverAndVerify($to_match->claimed_id,
1150 array($to_match));
1151 } else {
1152
1153 // The claimed ID matches, so we use the endpoint that we
1154 // discovered in initiation. This should be the most
1155 // common case.
1156 $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
1157
1159 $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
1160 array($to_match));
1161 if (Auth_OpenID::isFailure($endpoint)) {
1162 return $endpoint;
1163 }
1164 }
1165 }
1166
1167 // The endpoint we return should have the claimed ID from the
1168 // message we just verified, fragment and all.
1169 if ($endpoint->claimed_id != $to_match->claimed_id) {
1170 $endpoint->claimed_id = $to_match->claimed_id;
1171 }
1172
1173 return $endpoint;
1174 }
const Auth_OpenID_TYPE_2_0
Definition: Discover.php:21
static fromOPEndpointURL($op_endpoint_url)
Definition: Discover.php:152

References $result, _discoverAndVerify(), _verifyDiscoverySingle(), Auth_OpenID_OPENID2_NS, Auth_OpenID_TYPE_2_0, Auth_OpenID_ServiceEndpoint\fromOPEndpointURL(), and Auth_OpenID\isFailure().

Referenced by _verifyDiscoveryResults().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _verifyDiscoveryServices()

Auth_OpenID_GenericConsumer::_verifyDiscoveryServices (   $claimed_id,
  $services,
  $to_match_endpoints 
)

@access private

Definition at line 1199 of file Consumer.php.

1201 {
1202 // Search the services resulting from discovery to find one
1203 // that matches the information from the assertion
1204
1205 foreach ($services as $endpoint) {
1206 foreach ($to_match_endpoints as $to_match_endpoint) {
1207 $result = $this->_verifyDiscoverySingle($endpoint,
1208 $to_match_endpoint);
1209
1211 // It matches, so discover verification has
1212 // succeeded. Return this endpoint.
1213 return $endpoint;
1214 }
1215 }
1216 }
1217
1218 return new Auth_OpenID_FailureResponse(null,
1219 sprintf('No matching endpoint found after discovering %s: %s',
1220 $claimed_id, $result->message));
1221 }

References $result, _verifyDiscoverySingle(), and Auth_OpenID\isFailure().

Referenced by _discoverAndVerify().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _verifyDiscoverySingle()

Auth_OpenID_GenericConsumer::_verifyDiscoverySingle (   $endpoint,
  $to_match 
)

@access private

Definition at line 1051 of file Consumer.php.

1052 {
1053 // Every type URI that's in the to_match endpoint has to be
1054 // present in the discovered endpoint.
1055 foreach ($to_match->type_uris as $type_uri) {
1056 if (!$endpoint->usesExtension($type_uri)) {
1057 return new Auth_OpenID_TypeURIMismatch($endpoint,
1058 "Required type ".$type_uri." not present");
1059 }
1060 }
1061
1062 // Fragments do not influence discovery, so we can't compare a
1063 // claimed identifier with a fragment to discovered
1064 // information.
1065 list($defragged_claimed_id, $_) =
1066 Auth_OpenID::urldefrag($to_match->claimed_id);
1067
1068 if ($defragged_claimed_id != $endpoint->claimed_id) {
1069 return new Auth_OpenID_FailureResponse($endpoint,
1070 sprintf('Claimed ID does not match (different subjects!), ' .
1071 'Expected %s, got %s', $defragged_claimed_id,
1072 $endpoint->claimed_id));
1073 }
1074
1075 if ($to_match->getLocalID() != $endpoint->getLocalID()) {
1076 return new Auth_OpenID_FailureResponse($endpoint,
1077 sprintf('local_id mismatch. Expected %s, got %s',
1078 $to_match->getLocalID(), $endpoint->getLocalID()));
1079 }
1080
1081 // If the server URL is None, this must be an OpenID 1
1082 // response, because op_endpoint is a required parameter in
1083 // OpenID 2. In that case, we don't actually care what the
1084 // discovered server_url is, because signature checking or
1085 // check_auth should take care of that check for us.
1086 if ($to_match->server_url === null) {
1087 if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) {
1088 return new Auth_OpenID_FailureResponse($endpoint,
1089 "Preferred namespace mismatch (bug)");
1090 }
1091 } else if ($to_match->server_url != $endpoint->server_url) {
1092 return new Auth_OpenID_FailureResponse($endpoint,
1093 sprintf('OP Endpoint mismatch. Expected %s, got %s',
1094 $to_match->server_url, $endpoint->server_url));
1095 }
1096
1097 return null;
1098 }
static urldefrag($url)
Definition: OpenID.php:487

References Auth_OpenID_OPENID1_NS, and Auth_OpenID\urldefrag().

Referenced by _verifyDiscoveryResultsOpenID1(), _verifyDiscoveryResultsOpenID2(), and _verifyDiscoveryServices().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _verifyReturnToArgs()

Auth_OpenID_GenericConsumer::_verifyReturnToArgs (   $query)

@access private

Definition at line 880 of file Consumer.php.

881 {
882 // Verify that the arguments in the return_to URL are present in this
883 // response.
884
886 $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
887
888 if (Auth_OpenID::isFailure($return_to)) {
889 return $return_to;
890 }
891 // XXX: this should be checked by _idResCheckForFields
892 if (!$return_to) {
893 return new Auth_OpenID_FailureResponse(null,
894 "Response has no return_to");
895 }
896
897 $parsed_url = parse_url($return_to);
898
899 $q = array();
900 if (array_key_exists('query', $parsed_url)) {
901 $rt_query = $parsed_url['query'];
902 $q = Auth_OpenID::parse_str($rt_query);
903 }
904
905 foreach ($q as $rt_key => $rt_value) {
906 if (!array_key_exists($rt_key, $query)) {
907 return new Auth_OpenID_FailureResponse(null,
908 sprintf("return_to parameter %s absent from query", $rt_key));
909 } else {
910 $value = $query[$rt_key];
911 if ($rt_value != $value) {
912 return new Auth_OpenID_FailureResponse(null,
913 sprintf("parameter %s value %s does not match " .
914 "return_to value %s", $rt_key,
915 $value, $rt_value));
916 }
917 }
918 }
919
920 // Make sure all non-OpenID arguments in the response are also
921 // in the signed return_to.
922 $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
923 foreach ($bare_args as $key => $value) {
924 if (Auth_OpenID::arrayGet($q, $key) != $value) {
925 return new Auth_OpenID_FailureResponse(null,
926 sprintf("Parameter %s = %s not in return_to URL",
927 $key, $value));
928 }
929 }
930
931 return true;
932 }
static fromPostArgs($args)
Definition: Message.php:444
static parse_str($query)
Replacement for PHP's broken parse_str.
Definition: OpenID.php:262

References $query, Auth_OpenID\arrayGet(), Auth_OpenID_BARE_NS, Auth_OpenID_OPENID_NS, Auth_OpenID_Message\fromPostArgs(), Auth_OpenID\isFailure(), and Auth_OpenID\parse_str().

Referenced by _checkReturnTo().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ Auth_OpenID_GenericConsumer()

Auth_OpenID_GenericConsumer::Auth_OpenID_GenericConsumer (   $store)

This method initializes a new Auth_OpenID_Consumer instance to access the library.

Parameters
Auth_OpenID_OpenIDStore$storeThis must be an object that implements the interface in Auth_OpenID_OpenIDStore. Several concrete implementations are provided, to cover most common use cases. For stores backed by MySQL, PostgreSQL, or SQLite, see the Auth_OpenID_SQLStore class and its sublcasses. For a filesystem-backed store, see the Auth_OpenID_FileStore module. As a last resort, if it isn't possible for the server to store state at all, an instance of Auth_OpenID_DumbStore can be used.
bool$immediateThis is an optional boolean value. It controls whether the library uses immediate mode, as explained in the module description. The default value is False, which disables immediate mode.

Definition at line 614 of file Consumer.php.

615 {
616 $this->store = $store;
617 $this->negotiator = Auth_OpenID_getDefaultNegotiator();
618 $this->_use_assocs = (is_null($this->store) ? false : true);
619
620 $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
621
622 $this->session_types = Auth_OpenID_getAvailableSessionTypes();
623 }
Auth_OpenID_getDefaultNegotiator()
Auth_OpenID_getAvailableSessionTypes()
Returns available session types.
Definition: Consumer.php:551
$store
This consumer's store object.
Definition: Consumer.php:577
static getHTTPFetcher($timeout=20)
Returns an HTTP fetcher object.
Definition: Yadis.php:253

References $store, Auth_OpenID_getAvailableSessionTypes(), Auth_OpenID_getDefaultNegotiator(), and Auth_Yadis_Yadis\getHTTPFetcher().

+ Here is the call graph for this function:

◆ begin()

Auth_OpenID_GenericConsumer::begin (   $service_endpoint)

Called to begin OpenID authentication using the specified Auth_OpenID_ServiceEndpoint.

@access private

Definition at line 631 of file Consumer.php.

632 {
633 $assoc = $this->_getAssociation($service_endpoint);
634 $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
635 $r->return_to_args[$this->openid1_nonce_query_arg_name] =
637
638 if ($r->message->isOpenID1()) {
640 $r->endpoint->claimed_id;
641 }
642
643 return $r;
644 }
Auth_OpenID_mkNonce($when=null)
Definition: Nonce.php:91
$openid1_return_to_identifier_name
Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is...
Definition: Consumer.php:594
$openid1_nonce_query_arg_name
@access private
Definition: Consumer.php:587
_getAssociation($endpoint)
@access private
Definition: Consumer.php:1433
$r
Definition: example_031.php:79

References $openid1_nonce_query_arg_name, $openid1_return_to_identifier_name, $r, _getAssociation(), and Auth_OpenID_mkNonce().

+ Here is the call graph for this function:

◆ complete()

Auth_OpenID_GenericConsumer::complete (   $message,
  $endpoint,
  $return_to 
)

Given an Auth_OpenID_Message, Auth_OpenID_ServiceEndpoint and optional return_to URL, complete OpenID authentication.

@access private

Definition at line 653 of file Consumer.php.

654 {
655 $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
656 '<no mode set>');
657
658 $mode_methods = array(
659 'cancel' => '_complete_cancel',
660 'error' => '_complete_error',
661 'setup_needed' => '_complete_setup_needed',
662 'id_res' => '_complete_id_res',
663 );
664
665 $method = Auth_OpenID::arrayGet($mode_methods, $mode,
666 '_completeInvalid');
667
668 return call_user_func_array(array($this, $method),
669 array($message, &$endpoint, $return_to));
670 }

References Auth_OpenID\arrayGet(), and Auth_OpenID_OPENID_NS.

+ Here is the call graph for this function:

Field Documentation

◆ $_use_assocs

Auth_OpenID_GenericConsumer::$_use_assocs

@access private

Definition at line 582 of file Consumer.php.

◆ $discoverMethod

Auth_OpenID_GenericConsumer::$discoverMethod = 'Auth_OpenID_discover'

@access private

Definition at line 572 of file Consumer.php.

◆ $openid1_nonce_query_arg_name

Auth_OpenID_GenericConsumer::$openid1_nonce_query_arg_name = 'janrain_nonce'

@access private

Definition at line 587 of file Consumer.php.

Referenced by begin().

◆ $openid1_return_to_identifier_name

Auth_OpenID_GenericConsumer::$openid1_return_to_identifier_name = 'openid1_claimed_id'

Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is lost, use this claimed identifier to do discovery when verifying the response.

Definition at line 594 of file Consumer.php.

Referenced by begin().

◆ $store

Auth_OpenID_GenericConsumer::$store

This consumer's store object.

Definition at line 577 of file Consumer.php.

Referenced by Auth_OpenID_GenericConsumer().


The documentation for this class was generated from the following file: