Auth_OpenID_GenericConsumer Class Reference
Collaboration diagram for Auth_OpenID_GenericConsumer:
Public Member Functions | |
| Auth_OpenID_GenericConsumer ($store) | |
This method initializes a new Auth_OpenID_Consumer instance to access the library. More... | |
| begin ($service_endpoint) | |
Called to begin OpenID authentication using the specified Auth_OpenID_ServiceEndpoint. More... | |
| complete ($message, $endpoint, $return_to) | |
Given an Auth_OpenID_Message, Auth_OpenID_ServiceEndpoint and optional return_to URL, complete OpenID authentication. More... | |
| _completeInvalid ($message, $endpoint, $unused) | |
| @access private More... | |
| _complete_cancel ($message, $endpoint, $unused) | |
| @access private More... | |
| _complete_error ($message, $endpoint, $unused) | |
| @access private More... | |
| _complete_setup_needed ($message, $endpoint, $unused) | |
| @access private More... | |
| _complete_id_res ($message, $endpoint, $return_to) | |
| @access private More... | |
| _checkSetupNeeded ($message) | |
| @access private More... | |
| _doIdRes ($message, $endpoint, $return_to) | |
| @access private More... | |
| _checkReturnTo ($message, $return_to) | |
| @access private More... | |
| _verifyReturnToArgs ($query) | |
| @access private More... | |
| _idResCheckSignature ($message, $server_url) | |
| @access private More... | |
| _verifyDiscoveryResults ($message, $endpoint=null) | |
| @access private More... | |
| _verifyDiscoveryResultsOpenID1 ($message, $endpoint) | |
| @access private More... | |
| _verifyDiscoverySingle ($endpoint, $to_match) | |
| @access private More... | |
| _verifyDiscoveryResultsOpenID2 ($message, $endpoint) | |
| @access private More... | |
| _discoverAndVerify ($claimed_id, $to_match_endpoints) | |
| @access private More... | |
| _verifyDiscoveryServices ($claimed_id, $services, $to_match_endpoints) | |
| @access private More... | |
| _idResGetNonceOpenID1 ($message, $endpoint) | |
| Extract the nonce from an OpenID 1 response. More... | |
| _idResCheckNonce ($message, $endpoint) | |
| @access private More... | |
| _idResCheckForFields ($message) | |
| @access private More... | |
| _checkAuth ($message, $server_url) | |
| @access private More... | |
| _createCheckAuthRequest ($message) | |
| @access private More... | |
| _processCheckAuthResponse ($response, $server_url) | |
| @access private More... | |
| _makeKVPost ($message, $server_url) | |
| @access private More... | |
| _getAssociation ($endpoint) | |
| @access private More... | |
| _extractSupportedAssociationType ($server_error, $endpoint, $assoc_type) | |
| Handle ServerErrors resulting from association requests. More... | |
| _negotiateAssociation ($endpoint) | |
| @access private More... | |
| _requestAssociation ($endpoint, $assoc_type, $session_type) | |
| @access private More... | |
| _extractAssociation ($assoc_response, $assoc_session) | |
| @access private More... | |
| _createAssociateRequest ($endpoint, $assoc_type, $session_type) | |
| @access private More... | |
| _getOpenID1SessionType ($assoc_response) | |
| Given an association response message, extract the OpenID 1.X session type. More... | |
Static Public Member Functions | |
| static | _httpResponseToMessage ($response, $server_url) |
| Adapt a POST response to a Message. More... | |
Data Fields | |
| $discoverMethod = 'Auth_OpenID_discover' | |
| @access private More... | |
| $store | |
| This consumer's store object. More... | |
| $_use_assocs | |
| @access private More... | |
| $openid1_nonce_query_arg_name = 'janrain_nonce' | |
| @access private More... | |
| $openid1_return_to_identifier_name = 'openid1_claimed_id' | |
| Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is lost, use this claimed identifier to do discovery when verifying the response. More... | |
Detailed Description
Definition at line 568 of file Consumer.php.
Member Function Documentation
◆ _checkAuth()
| Auth_OpenID_GenericConsumer::_checkAuth | ( | $message, | |
| $server_url | |||
| ) |
@access private
Definition at line 1334 of file Consumer.php.
1335 {
1336 $request = $this->_createCheckAuthRequest($message);
1337 if ($request === null) {
1338 return false;
1339 }
1340
1341 $resp_message = $this->_makeKVPost($request, $server_url);
1342 if (($resp_message === null) ||
1343 (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
1344 return false;
1345 }
1346
1348 }
References _createCheckAuthRequest(), _makeKVPost(), and _processCheckAuthResponse().
Referenced by _idResCheckSignature().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _checkReturnTo()
| Auth_OpenID_GenericConsumer::_checkReturnTo | ( | $message, | |
| $return_to | |||
| ) |
@access private
Definition at line 813 of file Consumer.php.
814 {
815 // Check an OpenID message and its openid.return_to value
816 // against a return_to URL from an application. Return True
817 // on success, False on failure.
818
819 // Check the openid.return_to args against args in the
820 // original message.
822 $message->toPostArgs());
824 return false;
825 }
826
827 // Check the return_to base URL against the one in the
828 // message.
829 $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
830 'return_to');
832 // XXX log me
833 return false;
834 }
835
836 $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
837 $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));
838
839 // If port is absent from both, add it so it's equal in the
840 // check below.
841 if ((!array_key_exists('port', $return_to_parts)) &&
842 (!array_key_exists('port', $msg_return_to_parts))) {
843 $return_to_parts['port'] = null;
844 $msg_return_to_parts['port'] = null;
845 }
846
847 // If path is absent from both, add it so it's equal in the
848 // check below.
849 if ((!array_key_exists('path', $return_to_parts)) &&
850 (!array_key_exists('path', $msg_return_to_parts))) {
851 $return_to_parts['path'] = null;
852 $msg_return_to_parts['path'] = null;
853 }
854
855 // The URL scheme, authority, and path MUST be the same
856 // between the two URLs.
857 foreach (array('scheme', 'host', 'port', 'path') as $component) {
858 // If the url component is absent in either URL, fail.
859 // There should always be a scheme, host, port, and path.
860 if (!array_key_exists($component, $return_to_parts)) {
861 return false;
862 }
863
864 if (!array_key_exists($component, $msg_return_to_parts)) {
865 return false;
866 }
867
869 Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
870 return false;
871 }
872 }
873
874 return true;
875 }
static arrayGet($arr, $key, $fallback=null)
Convenience function for getting array values.
Definition: OpenID.php:242
static isFailure($thing)
Return true if $thing is an Auth_OpenID_FailureResponse object; false if not.
Definition: OpenID.php:118
References $result, _verifyReturnToArgs(), Auth_OpenID\arrayGet(), Auth_OpenID_OPENID_NS, Auth_OpenID_urinorm(), and Auth_OpenID\isFailure().
Referenced by _doIdRes().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _checkSetupNeeded()
| Auth_OpenID_GenericConsumer::_checkSetupNeeded | ( | $message | ) |
@access private
Definition at line 738 of file Consumer.php.
739 {
740 // In OpenID 1, we check to see if this is a cancel from
741 // immediate mode by the presence of the user_setup_url
742 // parameter.
743 if ($message->isOpenID1()) {
744 $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
745 'user_setup_url');
746 if ($user_setup_url !== null) {
747 return true;
748 }
749 }
750
751 return false;
752 }
References Auth_OpenID_OPENID1_NS.
Referenced by _complete_id_res().
Here is the caller graph for this function:
◆ _complete_cancel()
| Auth_OpenID_GenericConsumer::_complete_cancel | ( | $message, | |
| $endpoint, | |||
| $unused | |||
| ) |
@access private
Definition at line 687 of file Consumer.php.
◆ _complete_error()
| Auth_OpenID_GenericConsumer::_complete_error | ( | $message, | |
| $endpoint, | |||
| $unused | |||
| ) |
@access private
Definition at line 695 of file Consumer.php.
References Auth_OpenID_OPENID_NS.
◆ _complete_id_res()
| Auth_OpenID_GenericConsumer::_complete_id_res | ( | $message, | |
| $endpoint, | |||
| $return_to | |||
| ) |
@access private
Definition at line 722 of file Consumer.php.
723 {
724 $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
725 'user_setup_url');
726
729 $endpoint, $user_setup_url);
730 } else {
732 }
733 }
Definition: Consumer.php:2219
References _checkSetupNeeded(), _doIdRes(), and Auth_OpenID_OPENID1_NS.
Here is the call graph for this function:
◆ _complete_setup_needed()
| Auth_OpenID_GenericConsumer::_complete_setup_needed | ( | $message, | |
| $endpoint, | |||
| $unused | |||
| ) |
@access private
Definition at line 708 of file Consumer.php.
709 {
710 if (!$message->isOpenID2()) {
712 }
713
714 $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
715 'user_setup_url');
717 }
References _completeInvalid(), and Auth_OpenID_OPENID2_NS.
Here is the call graph for this function:
◆ _completeInvalid()
| Auth_OpenID_GenericConsumer::_completeInvalid | ( | $message, | |
| $endpoint, | |||
| $unused | |||
| ) |
@access private
Definition at line 675 of file Consumer.php.
676 {
678 '<No mode set>');
679
681 sprintf("Invalid openid.mode '%s'", $mode));
682 }
References Auth_OpenID_OPENID_NS.
Referenced by _complete_setup_needed().
Here is the caller graph for this function:
◆ _createAssociateRequest()
| Auth_OpenID_GenericConsumer::_createAssociateRequest | ( | $endpoint, | |
| $assoc_type, | |||
| $session_type | |||
| ) |
@access private
Definition at line 1661 of file Consumer.php.
1662 {
1663 if (array_key_exists($session_type, $this->session_types)) {
1664 $session_type_class = $this->session_types[$session_type];
1665
1666 if (is_callable($session_type_class)) {
1667 $assoc_session = $session_type_class();
1668 } else {
1669 $assoc_session = new $session_type_class();
1670 }
1671 } else {
1672 return null;
1673 }
1674
1675 $args = array(
1676 'mode' => 'associate',
1677 'assoc_type' => $assoc_type);
1678
1679 if (!$endpoint->compatibilityMode()) {
1681 }
1682
1683 // Leave out the session type if we're in compatibility mode
1684 // *and* it's no-encryption.
1685 if ((!$endpoint->compatibilityMode()) ||
1686 ($assoc_session->session_type != 'no-encryption')) {
1687 $args['session_type'] = $assoc_session->session_type;
1688 }
1689
1690 $args = array_merge($args, $assoc_session->getRequest());
1691 $message = Auth_OpenID_Message::fromOpenIDArgs($args);
1692 return array($assoc_session, $message);
1693 }
References Auth_OpenID_OPENID2_NS, and Auth_OpenID_Message\fromOpenIDArgs().
Referenced by _requestAssociation().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _createCheckAuthRequest()
| Auth_OpenID_GenericConsumer::_createCheckAuthRequest | ( | $message | ) |
@access private
Definition at line 1353 of file Consumer.php.
1354 {
1356 if ($signed) {
1357 foreach (explode(',', $signed) as $k) {
1358 $value = $message->getAliasedArg($k);
1359 if ($value === null) {
1360 return null;
1361 }
1362 }
1363 }
1364 $ca_message = $message->copy();
1366 'check_authentication');
1367 return $ca_message;
1368 }
References Auth_OpenID_OPENID_NS.
Referenced by _checkAuth().
Here is the caller graph for this function:
◆ _discoverAndVerify()
| Auth_OpenID_GenericConsumer::_discoverAndVerify | ( | $claimed_id, | |
| $to_match_endpoints | |||
| ) |
@access private
Definition at line 1179 of file Consumer.php.
1180 {
1181 // oidutil.log('Performing discovery on %s' % (claimed_id,))
1182 list($unused, $services) = call_user_func($this->discoverMethod,
1183 $claimed_id,
1184 $this->fetcher); // fixed php 5.4 compatability
1185
1186 if (!$services) {
1188 sprintf("No OpenID information found at %s",
1189 $claimed_id));
1190 }
1191
1193 $to_match_endpoints);
1194 }
_verifyDiscoveryServices($claimed_id, $services, $to_match_endpoints)
@access private
Definition: Consumer.php:1199
References _verifyDiscoveryServices().
Referenced by _verifyDiscoveryResultsOpenID1(), and _verifyDiscoveryResultsOpenID2().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _doIdRes()
| Auth_OpenID_GenericConsumer::_doIdRes | ( | $message, | |
| $endpoint, | |||
| $return_to | |||
| ) |
@access private
Definition at line 757 of file Consumer.php.
758 {
759 // Checks for presence of appropriate fields (and checks
760 // signed list fields)
762
765 }
766
769 sprintf("return_to does not match return URL. Expected %s, got %s",
770 $return_to,
772 }
773
774 // Verify discovery information:
776
779 }
780
781 $endpoint = $result;
782
784 $endpoint->server_url);
785
788 }
789
791
794 }
795
797 Auth_OpenID_NO_DEFAULT);
799 return $signed_list_str;
800 }
801 $signed_list = explode(',', $signed_list_str);
802
804
806 $signed_fields);
807
808 }
Definition: Consumer.php:2024
static addPrefix($values, $prefix)
Adds a string prefix to all values of an array.
Definition: OpenID.php:226
References $result, _checkReturnTo(), _idResCheckForFields(), _idResCheckNonce(), _idResCheckSignature(), _verifyDiscoveryResults(), Auth_OpenID\addPrefix(), Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().
Referenced by _complete_id_res().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _extractAssociation()
| Auth_OpenID_GenericConsumer::_extractAssociation | ( | $assoc_response, | |
| $assoc_session | |||
| ) |
@access private
Definition at line 1569 of file Consumer.php.
1570 {
1571 // Extract the common fields from the response, raising an
1572 // exception if they are not found
1573 $assoc_type = $assoc_response->getArg(
1575 Auth_OpenID_NO_DEFAULT);
1576
1578 return $assoc_type;
1579 }
1580
1581 $assoc_handle = $assoc_response->getArg(
1583 Auth_OpenID_NO_DEFAULT);
1584
1586 return $assoc_handle;
1587 }
1588
1589 // expires_in is a base-10 string. The Python parsing will
1590 // accept literals that have whitespace around them and will
1591 // accept negative values. Neither of these are really in-spec,
1592 // but we think it's OK to accept them.
1593 $expires_in_str = $assoc_response->getArg(
1595 Auth_OpenID_NO_DEFAULT);
1596
1598 return $expires_in_str;
1599 }
1600
1601 $expires_in = Auth_OpenID::intval($expires_in_str);
1602 if ($expires_in === false) {
1603
1604 $err = sprintf("Could not parse expires_in from association ".
1605 "response %s", print_r($assoc_response, true));
1607 }
1608
1609 // OpenID 1 has funny association session behaviour.
1610 if ($assoc_response->isOpenID1()) {
1611 $session_type = $this->_getOpenID1SessionType($assoc_response);
1612 } else {
1613 $session_type = $assoc_response->getArg(
1615 Auth_OpenID_NO_DEFAULT);
1616
1618 return $session_type;
1619 }
1620 }
1621
1622 // Session type mismatch
1623 if ($assoc_session->session_type != $session_type) {
1624 if ($assoc_response->isOpenID1() &&
1625 ($session_type == 'no-encryption')) {
1626 // In OpenID 1, any association request can result in
1627 // a 'no-encryption' association response. Setting
1628 // assoc_session to a new no-encryption session should
1629 // make the rest of this function work properly for
1630 // that case.
1632 } else {
1633 // Any other mismatch, regardless of protocol version
1634 // results in the failure of the association session
1635 // altogether.
1636 return null;
1637 }
1638 }
1639
1640 // Make sure assoc_type is valid for session_type
1641 if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
1642 return null;
1643 }
1644
1645 // Delegate to the association session to extract the secret
1646 // from the response, however is appropriate for that session
1647 // type.
1648 $secret = $assoc_session->extractSecret($assoc_response);
1649
1650 if ($secret === null) {
1651 return null;
1652 }
1653
1655 $expires_in, $assoc_handle, $secret, $assoc_type);
1656 }
static fromExpiresIn($expires_in, $handle, $secret, $assoc_type)
This is an alternate constructor (factory method) used by the OpenID consumer library to create assoc...
Definition: Association.php:97
_getOpenID1SessionType($assoc_response)
Given an association response message, extract the OpenID 1.X session type.
Definition: Consumer.php:1708
static intval($value)
Replacement (wrapper) for PHP's intval() because it's broken.
Definition: OpenID.php:444
References _getOpenID1SessionType(), Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID2_NS, Auth_OpenID_OPENID_NS, Auth_OpenID_Association\fromExpiresIn(), Auth_OpenID\intval(), and Auth_OpenID\isFailure().
Referenced by _requestAssociation().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _extractSupportedAssociationType()
| Auth_OpenID_GenericConsumer::_extractSupportedAssociationType | ( | $server_error, | |
| $endpoint, | |||
| $assoc_type | |||
| ) |
Handle ServerErrors resulting from association requests.
- Returns
- $result If server replied with an C{unsupported-type} error, return a tuple of supported C{association_type}, C{session_type}. Otherwise logs the error and returns null.
@access private
Definition at line 1464 of file Consumer.php.
1466 {
1467 // Any error message whose code is not 'unsupported-type'
1468 // should be considered a total failure.
1469 if (($server_error->error_code != 'unsupported-type') ||
1470 ($server_error->message->isOpenID1())) {
1471 return null;
1472 }
1473
1474 // The server didn't like the association/session type that we
1475 // sent, and it sent us back a message that might tell us how
1476 // to handle it.
1477
1478 // Extract the session_type and assoc_type from the error
1479 // message
1480 $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
1481 'assoc_type');
1482
1483 $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
1484 'session_type');
1485
1486 if (($assoc_type === null) || ($session_type === null)) {
1487 return null;
1488 } else if (!$this->negotiator->isAllowed($assoc_type,
1489 $session_type)) {
1490 return null;
1491 } else {
1492 return array($assoc_type, $session_type);
1493 }
1494 }
References Auth_OpenID_OPENID_NS.
Referenced by _negotiateAssociation().
Here is the caller graph for this function:
◆ _getAssociation()
| Auth_OpenID_GenericConsumer::_getAssociation | ( | $endpoint | ) |
@access private
Definition at line 1433 of file Consumer.php.
1434 {
1435 if (!$this->_use_assocs) {
1436 return null;
1437 }
1438
1439 $assoc = $this->store->getAssociation($endpoint->server_url);
1440
1441 if (($assoc === null) ||
1442 ($assoc->getExpiresIn() <= 0)) {
1443
1444 $assoc = $this->_negotiateAssociation($endpoint);
1445
1446 if ($assoc !== null) {
1447 $this->store->storeAssociation($endpoint->server_url,
1448 $assoc);
1449 }
1450 }
1451
1452 return $assoc;
1453 }
References _negotiateAssociation().
Referenced by begin().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _getOpenID1SessionType()
| Auth_OpenID_GenericConsumer::_getOpenID1SessionType | ( | $assoc_response | ) |
Given an association response message, extract the OpenID 1.X session type.
This function mostly takes care of the 'no-encryption' default behavior in OpenID 1.
If the association type is plain-text, this function will return 'no-encryption'
@access private
- Returns
- $typ The association type for this message
Definition at line 1708 of file Consumer.php.
1709 {
1710 // If it's an OpenID 1 message, allow session_type to default
1711 // to None (which signifies "no-encryption")
1712 $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS,
1713 'session_type');
1714
1715 // Handle the differences between no-encryption association
1716 // respones in OpenID 1 and 2:
1717
1718 // no-encryption is not really a valid session type for OpenID
1719 // 1, but we'll accept it anyway, while issuing a warning.
1720 if ($session_type == 'no-encryption') {
1721 // oidutil.log('WARNING: OpenID server sent "no-encryption"'
1722 // 'for OpenID 1.X')
1723 } else if (($session_type == '') || ($session_type === null)) {
1724 // Missing or empty session type is the way to flag a
1725 // 'no-encryption' response. Change the session type to
1726 // 'no-encryption' so that it can be handled in the same
1727 // way as OpenID 2 'no-encryption' respones.
1728 $session_type = 'no-encryption';
1729 }
1730
1731 return $session_type;
1732 }
References Auth_OpenID_OPENID1_NS.
Referenced by _extractAssociation().
Here is the caller graph for this function:
◆ _httpResponseToMessage()
|
static |
Adapt a POST response to a Message.
- Parameters
-
$response Result of a POST to an OpenID endpoint.
@access private
Definition at line 1400 of file Consumer.php.
1401 {
1402 // Should this function be named Message.fromHTTPResponse instead?
1403 $response_message = Auth_OpenID_Message::fromKVForm($response->body);
1404
1405 if ($response->status == 400) {
1407 $response_message);
1408 } else if ($response->status != 200 and $response->status != 206) {
1409 return null;
1410 }
1411
1412 return $response_message;
1413 }
References Auth_OpenID_Message\fromKVForm(), and Auth_OpenID_ServerErrorContainer\fromMessage().
Referenced by _makeKVPost().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _idResCheckForFields()
| Auth_OpenID_GenericConsumer::_idResCheckForFields | ( | $message | ) |
@access private
Definition at line 1281 of file Consumer.php.
1282 {
1283 $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
1284 $basic_sig_fields = array('return_to', 'identity');
1285
1286 $require_fields = array(
1287 Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
1288 array('op_endpoint')),
1289
1290 Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
1291 array('identity'))
1292 );
1293
1294 $require_sigs = array(
1295 Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
1296 array('response_nonce',
1297 'claimed_id',
1298 'assoc_handle',
1299 'op_endpoint')),
1300 Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
1301 array('nonce'))
1302 );
1303
1304 foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
1307 "Missing required field '".$field."'");
1308 }
1309 }
1310
1311 $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
1312 'signed',
1313 Auth_OpenID_NO_DEFAULT);
1315 return $signed_list_str;
1316 }
1317 $signed_list = explode(',', $signed_list_str);
1318
1319 foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
1320 // Field is present and not in signed list
1322 (!in_array($field, $signed_list))) {
1324 "'".$field."' not signed");
1325 }
1326 }
1327
1328 return null;
1329 }
References Auth_OpenID_NO_DEFAULT, Auth_OpenID_OPENID1_NS, Auth_OpenID_OPENID2_NS, Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().
Referenced by _doIdRes().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _idResCheckNonce()
| Auth_OpenID_GenericConsumer::_idResCheckNonce | ( | $message, | |
| $endpoint | |||
| ) |
@access private
Definition at line 1243 of file Consumer.php.
1244 {
1245 if ($message->isOpenID1()) {
1246 // This indicates that the nonce was generated by the consumer
1247 $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
1248 $server_url = '';
1249 } else {
1250 $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
1251 'response_nonce');
1252
1253 $server_url = $endpoint->server_url;
1254 }
1255
1256 if ($nonce === null) {
1258 "Nonce missing from response");
1259 }
1260
1261 $parts = Auth_OpenID_splitNonce($nonce);
1262
1263 if ($parts === null) {
1265 "Malformed nonce in response");
1266 }
1267
1268 list($timestamp, $salt) = $parts;
1269
1272 "Nonce already used or out of range");
1273 }
1274
1275 return null;
1276 }
_idResGetNonceOpenID1($message, $endpoint)
Extract the nonce from an OpenID 1 response.
Definition: Consumer.php:1234
References $timestamp, _idResGetNonceOpenID1(), Auth_OpenID_OPENID2_NS, and Auth_OpenID_splitNonce().
Referenced by _doIdRes().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _idResCheckSignature()
| Auth_OpenID_GenericConsumer::_idResCheckSignature | ( | $message, | |
| $server_url | |||
| ) |
@access private
Definition at line 937 of file Consumer.php.
938 {
939 $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
940 'assoc_handle');
942 return $assoc_handle;
943 }
944
945 $assoc = $this->store->getAssociation($server_url, $assoc_handle);
946
947 if ($assoc) {
948 if ($assoc->getExpiresIn() <= 0) {
949 // XXX: It might be a good idea sometimes to re-start
950 // the authentication with a new association. Doing it
951 // automatically opens the possibility for
952 // denial-of-service by a server that just returns
953 // expired associations (or really short-lived
954 // associations)
956 'Association with ' . $server_url . ' expired');
957 }
958
959 if (!$assoc->checkMessageSignature($message)) {
961 "Bad signature");
962 }
963 } else {
964 // It's not an association we know about. Stateless mode
965 // is our only possible path for recovery. XXX - async
966 // framework will not want to block on this call to
967 // _checkAuth.
970 "Server denied check_authentication");
971 }
972 }
973
974 return null;
975 }
References _checkAuth(), Auth_OpenID_OPENID_NS, and Auth_OpenID\isFailure().
Referenced by _doIdRes().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _idResGetNonceOpenID1()
| Auth_OpenID_GenericConsumer::_idResGetNonceOpenID1 | ( | $message, | |
| $endpoint | |||
| ) |
Extract the nonce from an OpenID 1 response.
Return the nonce from the BARE_NS since we independently check the return_to arguments are the same as those in the response message.
See the openid1_nonce_query_arg_name class variable
- Returns
- $nonce The nonce as a string or null
@access private
Definition at line 1234 of file Consumer.php.
1235 {
1237 $this->openid1_nonce_query_arg_name);
1238 }
References Auth_OpenID_BARE_NS.
Referenced by _idResCheckNonce().
Here is the caller graph for this function:
◆ _makeKVPost()
| Auth_OpenID_GenericConsumer::_makeKVPost | ( | $message, | |
| $server_url | |||
| ) |
@access private
Definition at line 1418 of file Consumer.php.
1419 {
1420 $body = $message->toURLEncoded();
1421 $resp = $this->fetcher->post($server_url, $body);
1422
1423 if ($resp === null) {
1424 return null;
1425 }
1426
1428 }
static _httpResponseToMessage($response, $server_url)
Adapt a POST response to a Message.
Definition: Consumer.php:1400
References _httpResponseToMessage().
Referenced by _checkAuth(), and _requestAssociation().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _negotiateAssociation()
| Auth_OpenID_GenericConsumer::_negotiateAssociation | ( | $endpoint | ) |
@access private
Definition at line 1499 of file Consumer.php.
1500 {
1501 // Get our preferred session/association type from the negotiatior.
1502 list($assoc_type, $session_type) = $this->negotiator->getAllowedType();
1503
1504 $assoc = $this->_requestAssociation(
1505 $endpoint, $assoc_type, $session_type);
1506
1508 return null;
1509 }
1510
1511 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
1512 $why = $assoc;
1513
1514 $supportedTypes = $this->_extractSupportedAssociationType(
1515 $why, $endpoint, $assoc_type);
1516
1517 if ($supportedTypes !== null) {
1518 list($assoc_type, $session_type) = $supportedTypes;
1519
1520 // Attempt to create an association from the assoc_type
1521 // and session_type that the server told us it
1522 // supported.
1523 $assoc = $this->_requestAssociation(
1524 $endpoint, $assoc_type, $session_type);
1525
1526 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
1527 // Do not keep trying, since it rejected the
1528 // association type that it told us to use.
1529 // oidutil.log('Server %s refused its suggested association
1530 // 'type: session_type=%s, assoc_type=%s'
1531 // % (endpoint.server_url, session_type,
1532 // assoc_type))
1533 return null;
1534 } else {
1535 return $assoc;
1536 }
1537 } else {
1538 return null;
1539 }
1540 } else {
1541 return $assoc;
1542 }
1543 }
_requestAssociation($endpoint, $assoc_type, $session_type)
@access private
Definition: Consumer.php:1548
_extractSupportedAssociationType($server_error, $endpoint, $assoc_type)
Handle ServerErrors resulting from association requests.
Definition: Consumer.php:1464
References _extractSupportedAssociationType(), _requestAssociation(), and Auth_OpenID\isFailure().
Referenced by _getAssociation().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _processCheckAuthResponse()
| Auth_OpenID_GenericConsumer::_processCheckAuthResponse | ( | $response, | |
| $server_url | |||
| ) |
@access private
Definition at line 1373 of file Consumer.php.
1374 {
1376 'false');
1377
1378 $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
1379 'invalidate_handle');
1380
1381 if ($invalidate_handle !== null) {
1382 $this->store->removeAssociation($server_url,
1383 $invalidate_handle);
1384 }
1385
1386 if ($is_valid == 'true') {
1387 return true;
1388 }
1389
1390 return false;
1391 }
References Auth_OpenID_OPENID_NS.
Referenced by _checkAuth().
Here is the caller graph for this function:
◆ _requestAssociation()
| Auth_OpenID_GenericConsumer::_requestAssociation | ( | $endpoint, | |
| $assoc_type, | |||
| $session_type | |||
| ) |
@access private
Definition at line 1548 of file Consumer.php.
1549 {
1550 list($assoc_session, $args) = $this->_createAssociateRequest(
1551 $endpoint, $assoc_type, $session_type);
1552
1553 $response_message = $this->_makeKVPost($args, $endpoint->server_url);
1554
1555 if ($response_message === null) {
1556 // oidutil.log('openid.associate request failed: %s' % (why[0],))
1557 return null;
1558 } else if (is_a($response_message,
1559 'Auth_OpenID_ServerErrorContainer')) {
1560 return $response_message;
1561 }
1562
1564 }
_createAssociateRequest($endpoint, $assoc_type, $session_type)
@access private
Definition: Consumer.php:1661
References _createAssociateRequest(), _extractAssociation(), and _makeKVPost().
Referenced by _negotiateAssociation().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _verifyDiscoveryResults()
| Auth_OpenID_GenericConsumer::_verifyDiscoveryResults | ( | $message, | |
$endpoint = null |
|||
| ) |
@access private
Definition at line 980 of file Consumer.php.
981 {
984 $endpoint);
985 } else {
987 $endpoint);
988 }
989 }
References _verifyDiscoveryResultsOpenID1(), _verifyDiscoveryResultsOpenID2(), and Auth_OpenID_OPENID2_NS.
Referenced by _doIdRes().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _verifyDiscoveryResultsOpenID1()
| Auth_OpenID_GenericConsumer::_verifyDiscoveryResultsOpenID1 | ( | $message, | |
| $endpoint | |||
| ) |
@access private
Definition at line 994 of file Consumer.php.
995 {
996 $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
997 $this->openid1_return_to_identifier_name);
998
999 if (($endpoint === null) && ($claimed_id === null)) {
1001 'When using OpenID 1, the claimed ID must be supplied, ' .
1002 'either by passing it through as a return_to parameter ' .
1003 'or by using a session, and supplied to the GenericConsumer ' .
1004 'as the argument to complete()');
1005 } else if (($endpoint !== null) && ($claimed_id === null)) {
1006 $claimed_id = $endpoint->claimed_id;
1007 }
1008
1010 $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
1011 $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
1012 'identity');
1013
1014 // Restore delegate information from the initiation phase
1015 $to_match->claimed_id = $claimed_id;
1016
1017 if ($to_match->local_id === null) {
1019 "Missing required field openid.identity");
1020 }
1021
1022 $to_match_1_0 = $to_match->copy();
1023 $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);
1024
1025 if ($endpoint !== null) {
1027
1030 $to_match_1_0);
1031 }
1032
1034 // oidutil.log("Error attempting to use stored
1035 // discovery information: " + str(e))
1036 // oidutil.log("Attempting discovery to
1037 // verify endpoint")
1038 } else {
1039 return $endpoint;
1040 }
1041 }
1042
1043 // Endpoint is either bad (failed verification) or None
1045 array($to_match, $to_match_1_0));
1046 }
Object representing an OpenID service endpoint.
Definition: Discover.php:63
References $result, _discoverAndVerify(), _verifyDiscoverySingle(), Auth_OpenID_BARE_NS, Auth_OpenID_OPENID1_NS, Auth_OpenID_TYPE_1_0, Auth_OpenID_TYPE_1_1, and Auth_OpenID\isFailure().
Referenced by _verifyDiscoveryResults().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _verifyDiscoveryResultsOpenID2()
| Auth_OpenID_GenericConsumer::_verifyDiscoveryResultsOpenID2 | ( | $message, | |
| $endpoint | |||
| ) |
@access private
Definition at line 1103 of file Consumer.php.
1104 {
1106 $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
1107 $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
1108 'claimed_id');
1109
1110 $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
1111 'identity');
1112
1113 $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
1114 'op_endpoint');
1115
1116 if ($to_match->server_url === null) {
1118 "OP Endpoint URL missing");
1119 }
1120
1121 // claimed_id and identifier must both be present or both be
1122 // absent
1123 if (($to_match->claimed_id === null) &&
1124 ($to_match->local_id !== null)) {
1126 'openid.identity is present without openid.claimed_id');
1127 }
1128
1129 if (($to_match->claimed_id !== null) &&
1130 ($to_match->local_id === null)) {
1132 'openid.claimed_id is present without openid.identity');
1133 }
1134
1135 if ($to_match->claimed_id === null) {
1136 // This is a response without identifiers, so there's
1137 // really no checking that we can do, so return an
1138 // endpoint that's for the specified `openid.op_endpoint'
1140 $to_match->server_url);
1141 }
1142
1143 if (!$endpoint) {
1144 // The claimed ID doesn't match, so we have to do
1145 // discovery again. This covers not using sessions, OP
1146 // identifier endpoints and responses that didn't match
1147 // the original request.
1148 // oidutil.log('No pre-discovered information supplied.')
1150 array($to_match));
1151 } else {
1152
1153 // The claimed ID matches, so we use the endpoint that we
1154 // discovered in initiation. This should be the most
1155 // common case.
1157
1159 $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
1160 array($to_match));
1162 return $endpoint;
1163 }
1164 }
1165 }
1166
1167 // The endpoint we return should have the claimed ID from the
1168 // message we just verified, fragment and all.
1169 if ($endpoint->claimed_id != $to_match->claimed_id) {
1170 $endpoint->claimed_id = $to_match->claimed_id;
1171 }
1172
1173 return $endpoint;
1174 }
static fromOPEndpointURL($op_endpoint_url)
Definition: Discover.php:152
References $result, _discoverAndVerify(), _verifyDiscoverySingle(), Auth_OpenID_OPENID2_NS, Auth_OpenID_TYPE_2_0, Auth_OpenID_ServiceEndpoint\fromOPEndpointURL(), and Auth_OpenID\isFailure().
Referenced by _verifyDiscoveryResults().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _verifyDiscoveryServices()
| Auth_OpenID_GenericConsumer::_verifyDiscoveryServices | ( | $claimed_id, | |
| $services, | |||
| $to_match_endpoints | |||
| ) |
@access private
Definition at line 1199 of file Consumer.php.
1201 {
1202 // Search the services resulting from discovery to find one
1203 // that matches the information from the assertion
1204
1205 foreach ($services as $endpoint) {
1206 foreach ($to_match_endpoints as $to_match_endpoint) {
1208 $to_match_endpoint);
1209
1211 // It matches, so discover verification has
1212 // succeeded. Return this endpoint.
1213 return $endpoint;
1214 }
1215 }
1216 }
1217
1219 sprintf('No matching endpoint found after discovering %s: %s',
1220 $claimed_id, $result->message));
1221 }
References $result, _verifyDiscoverySingle(), and Auth_OpenID\isFailure().
Referenced by _discoverAndVerify().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _verifyDiscoverySingle()
| Auth_OpenID_GenericConsumer::_verifyDiscoverySingle | ( | $endpoint, | |
| $to_match | |||
| ) |
@access private
Definition at line 1051 of file Consumer.php.
1052 {
1053 // Every type URI that's in the to_match endpoint has to be
1054 // present in the discovered endpoint.
1055 foreach ($to_match->type_uris as $type_uri) {
1056 if (!$endpoint->usesExtension($type_uri)) {
1058 "Required type ".$type_uri." not present");
1059 }
1060 }
1061
1062 // Fragments do not influence discovery, so we can't compare a
1063 // claimed identifier with a fragment to discovered
1064 // information.
1065 list($defragged_claimed_id, $_) =
1066 Auth_OpenID::urldefrag($to_match->claimed_id);
1067
1068 if ($defragged_claimed_id != $endpoint->claimed_id) {
1070 sprintf('Claimed ID does not match (different subjects!), ' .
1071 'Expected %s, got %s', $defragged_claimed_id,
1072 $endpoint->claimed_id));
1073 }
1074
1075 if ($to_match->getLocalID() != $endpoint->getLocalID()) {
1077 sprintf('local_id mismatch. Expected %s, got %s',
1078 $to_match->getLocalID(), $endpoint->getLocalID()));
1079 }
1080
1081 // If the server URL is None, this must be an OpenID 1
1082 // response, because op_endpoint is a required parameter in
1083 // OpenID 2. In that case, we don't actually care what the
1084 // discovered server_url is, because signature checking or
1085 // check_auth should take care of that check for us.
1086 if ($to_match->server_url === null) {
1089 "Preferred namespace mismatch (bug)");
1090 }
1091 } else if ($to_match->server_url != $endpoint->server_url) {
1093 sprintf('OP Endpoint mismatch. Expected %s, got %s',
1094 $to_match->server_url, $endpoint->server_url));
1095 }
1096
1097 return null;
1098 }
Definition: Consumer.php:2148
References Auth_OpenID_OPENID1_NS, and Auth_OpenID\urldefrag().
Referenced by _verifyDiscoveryResultsOpenID1(), _verifyDiscoveryResultsOpenID2(), and _verifyDiscoveryServices().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _verifyReturnToArgs()
| Auth_OpenID_GenericConsumer::_verifyReturnToArgs | ( | $query | ) |
@access private
Definition at line 880 of file Consumer.php.
881 {
882 // Verify that the arguments in the return_to URL are present in this
883 // response.
884
887
889 return $return_to;
890 }
891 // XXX: this should be checked by _idResCheckForFields
892 if (!$return_to) {
894 "Response has no return_to");
895 }
896
897 $parsed_url = parse_url($return_to);
898
899 $q = array();
900 if (array_key_exists('query', $parsed_url)) {
901 $rt_query = $parsed_url['query'];
902 $q = Auth_OpenID::parse_str($rt_query);
903 }
904
905 foreach ($q as $rt_key => $rt_value) {
908 sprintf("return_to parameter %s absent from query", $rt_key));
909 } else {
910 $value = $query[$rt_key];
911 if ($rt_value != $value) {
913 sprintf("parameter %s value %s does not match " .
914 "return_to value %s", $rt_key,
915 $value, $rt_value));
916 }
917 }
918 }
919
920 // Make sure all non-OpenID arguments in the response are also
921 // in the signed return_to.
922 $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
923 foreach ($bare_args as $key => $value) {
926 sprintf("Parameter %s = %s not in return_to URL",
927 $key, $value));
928 }
929 }
930
931 return true;
932 }
References $query, Auth_OpenID\arrayGet(), Auth_OpenID_BARE_NS, Auth_OpenID_OPENID_NS, Auth_OpenID_Message\fromPostArgs(), Auth_OpenID\isFailure(), and Auth_OpenID\parse_str().
Referenced by _checkReturnTo().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ Auth_OpenID_GenericConsumer()
| Auth_OpenID_GenericConsumer::Auth_OpenID_GenericConsumer | ( | $store | ) |
This method initializes a new Auth_OpenID_Consumer instance to access the library.
- Parameters
-
Auth_OpenID_OpenIDStore $store This must be an object that implements the interface in Auth_OpenID_OpenIDStore. Several concrete implementations are provided, to cover most common use cases. For stores backed by MySQL, PostgreSQL, or SQLite, see theAuth_OpenID_SQLStoreclass and its sublcasses. For a filesystem-backed store, see theAuth_OpenID_FileStoremodule. As a last resort, if it isn't possible for the server to store state at all, an instance ofAuth_OpenID_DumbStorecan be used.bool $immediate This is an optional boolean value. It controls whether the library uses immediate mode, as explained in the module description. The default value is False, which disables immediate mode.
Definition at line 614 of file Consumer.php.
615 {
616 $this->store = $store;
617 $this->negotiator = Auth_OpenID_getDefaultNegotiator();
618 $this->_use_assocs = (is_null($this->store) ? false : true);
619
620 $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
621
622 $this->session_types = Auth_OpenID_getAvailableSessionTypes();
623 }
References $store, Auth_OpenID_getAvailableSessionTypes(), Auth_OpenID_getDefaultNegotiator(), and Auth_Yadis_Yadis\getHTTPFetcher().
Here is the call graph for this function:
◆ begin()
| Auth_OpenID_GenericConsumer::begin | ( | $service_endpoint | ) |
Called to begin OpenID authentication using the specified Auth_OpenID_ServiceEndpoint.
@access private
Definition at line 631 of file Consumer.php.
632 {
633 $assoc = $this->_getAssociation($service_endpoint);
636 Auth_OpenID_mkNonce();
637
640 $r->endpoint->claimed_id;
641 }
642
644 }
Definition: Consumer.php:1741
$openid1_return_to_identifier_name
Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is...
Definition: Consumer.php:594
References $openid1_nonce_query_arg_name, $openid1_return_to_identifier_name, $r, _getAssociation(), and Auth_OpenID_mkNonce().
Here is the call graph for this function:
◆ complete()
| Auth_OpenID_GenericConsumer::complete | ( | $message, | |
| $endpoint, | |||
| $return_to | |||
| ) |
Given an Auth_OpenID_Message, Auth_OpenID_ServiceEndpoint and optional return_to URL, complete OpenID authentication.
@access private
Definition at line 653 of file Consumer.php.
654 {
656 '<no mode set>');
657
658 $mode_methods = array(
659 'cancel' => '_complete_cancel',
660 'error' => '_complete_error',
661 'setup_needed' => '_complete_setup_needed',
662 'id_res' => '_complete_id_res',
663 );
664
665 $method = Auth_OpenID::arrayGet($mode_methods, $mode,
666 '_completeInvalid');
667
668 return call_user_func_array(array($this, $method),
669 array($message, &$endpoint, $return_to));
670 }
References Auth_OpenID\arrayGet(), and Auth_OpenID_OPENID_NS.
Here is the call graph for this function:
Field Documentation
◆ $_use_assocs
| Auth_OpenID_GenericConsumer::$_use_assocs |
@access private
Definition at line 582 of file Consumer.php.
◆ $discoverMethod
| Auth_OpenID_GenericConsumer::$discoverMethod = 'Auth_OpenID_discover' |
@access private
Definition at line 572 of file Consumer.php.
◆ $openid1_nonce_query_arg_name
| Auth_OpenID_GenericConsumer::$openid1_nonce_query_arg_name = 'janrain_nonce' |
◆ $openid1_return_to_identifier_name
| Auth_OpenID_GenericConsumer::$openid1_return_to_identifier_name = 'openid1_claimed_id' |
Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is lost, use this claimed identifier to do discovery when verifying the response.
Definition at line 594 of file Consumer.php.
Referenced by begin().
◆ $store
| Auth_OpenID_GenericConsumer::$store |
This consumer's store object.
Definition at line 577 of file Consumer.php.
Referenced by Auth_OpenID_GenericConsumer().
The documentation for this class was generated from the following file:
- Services/OpenId/lib/Auth/OpenID/Consumer.php
