Source code for file /openid/Auth/OpenID/Consumer.php
Documentation is available at Consumer.php
* This module documents the main interface with the OpenID consumer * library. The only part of the library which has to be used and * isn't documented in full here is the store required to create an * Auth_OpenID_Consumer instance. More on the abstract store type and * concrete implementations of it that are provided in the * documentation for the Auth_OpenID_Consumer constructor. * The OpenID identity verification process most commonly uses the * following steps, as visible to the user of this library: * 1. The user enters their OpenID into a field on the consumer's * site, and hits a login button. * 2. The consumer site discovers the user's OpenID server using the * 3. The consumer site sends the browser a redirect to the identity * server. This is the authentication request as described in * the OpenID specification. * 4. The identity server's site sends the browser a redirect back * to the consumer site. This redirect contains the server's * response to the authentication request. * The most important part of the flow to note is the consumer's site * must handle two separate HTTP requests in order to perform the full * This consumer library is designed with that flow in mind. The goal * is to make it as easy as possible to perform the above steps * At a high level, there are two important parts in the consumer * library. The first important part is this module, which contains * the interface to actually use this library. The second is the * Auth_OpenID_Interface class, which describes the interface to use * if you need to create a custom method for storing the state this * library needs to maintain between requests. * In general, the second part is less important for users of the * library to know about, as several implementations are provided * which cover a wide variety of situations in which consumers may use * This module contains a class, Auth_OpenID_Consumer, with methods * corresponding to the actions necessary in each of steps 2, 3, and 4 * described in the overview. Use of this library should be as easy * as creating an Auth_OpenID_Consumer instance and calling the * methods appropriate for the action the site wants to take. * OpenID is a protocol that works best when the consumer site is able * to store some state. This is the normal mode of operation for the * protocol, and is sometimes referred to as smart mode. There is * also a fallback mode, known as dumb mode, which is available when * the consumer site is not able to store state. This mode should be * avoided when possible, as it leaves the implementation more * vulnerable to replay attacks. * The mode the library works in for normal operation is determined by * the store that it is given. The store is an abstraction that * handles the data that the consumer needs to manage between http * requests in order to operate efficiently and securely. * Several store implementation are provided, and the interface is * fully documented so that custom stores can be used as well. See * the documentation for the Auth_OpenID_Consumer class for more * information on the interface for stores. The implementations that * are provided allow the consumer site to store the necessary data in * several different ways, including several SQL databases and normal * There is an additional concrete store provided that puts the system * in dumb mode. This is not recommended, as it removes the library's * ability to stop replay attacks reliably. It still uses time-based * checking to make replay attacks only possible within a small * window, but they remain possible within that window. This store * should only be used if the consumer site has no way to retain data * between requests at all. * In the flow described above, the user may need to confirm to the * lidentity server that it's ok to authorize his or her identity. * The server may draw pages asking for information from the user * before it redirects the browser back to the consumer's site. This * is generally transparent to the consumer site, so it is typically * ignored as an implementation detail. * There can be times, however, where the consumer site wants to get a * response immediately. When this is the case, the consumer can put * the library in immediate mode. In immediate mode, there is an * extra response possible from the server, which is essentially the * server reporting that it doesn't have enough information to answer * Integrating this library into an application is usually a * relatively straightforward process. The process should basically * Add an OpenID login field somewhere on your site. When an OpenID * is entered in that field and the form is submitted, it should make * a request to the your site which includes that OpenID URL. * First, the application should instantiate the Auth_OpenID_Consumer * class using the store of choice (Auth_OpenID_FileStore or one of * the SQL-based stores). If the application has a custom * session-management implementation, an object implementing the * {@link Auth_Yadis_PHPSession} interface should be passed as the * second parameter. Otherwise, the default uses $_SESSION. * Next, the application should call the Auth_OpenID_Consumer object's * 'begin' method. This method takes the OpenID URL. The 'begin' * method returns an Auth_OpenID_AuthRequest object. * Next, the application should call the 'redirectURL' method of the * Auth_OpenID_AuthRequest object. The 'return_to' URL parameter is * the URL that the OpenID server will send the user back to after * attempting to verify his or her identity. The 'trust_root' is the * URL (or URL pattern) that identifies your web site to the user when * he or she is authorizing it. Send a redirect to the resulting URL * That's the first half of the authentication process. The second * half of the process is done after the user's ID server sends the * user's browser a redirect back to your site to complete their * When that happens, the user will contact your site at the URL given * as the 'return_to' URL to the Auth_OpenID_AuthRequest::redirectURL * call made above. The request will have several query parameters * added to the URL by the identity server as the information * necessary to finish the request. * Lastly, instantiate an Auth_OpenID_Consumer instance as above and * call its 'complete' method, passing in all the received query * There are multiple possible return types possible from that * method. These indicate the whether or not the login was successful, * and include any additional information appropriate for their type. * LICENSE: See the COPYING file included in this distribution. * @author JanRain, Inc. <openid@janrain.com> * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache // Do not allow direct access defined( '_JEXEC' ) or die( 'Restricted access' ); * Require utility classes and functions for the consumer. require_once "Auth/OpenID.php"; require_once "Auth/OpenID/Message.php"; require_once "Auth/OpenID/HMAC.php"; require_once "Auth/OpenID/Association.php"; require_once "Auth/OpenID/CryptUtil.php"; require_once "Auth/OpenID/DiffieHellman.php"; require_once "Auth/OpenID/KVForm.php"; require_once "Auth/OpenID/Nonce.php"; require_once "Auth/OpenID/Discover.php"; require_once "Auth/OpenID/URINorm.php"; require_once "Auth/Yadis/Manager.php"; require_once "Auth/Yadis/XRI.php"; * This is the status code returned when the complete method returns define('Auth_OpenID_SUCCESS', 'success'); * Status to indicate cancellation of OpenID authentication. define('Auth_OpenID_CANCEL', 'cancel'); * This is the status code completeAuth returns when the value it * received indicated an invalid login. define('Auth_OpenID_FAILURE', 'failure'); * This is the status code completeAuth returns when the * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the * identity server sends back a URL to send the user to to complete his define('Auth_OpenID_SETUP_NEEDED', 'setup needed'); * This is the status code beginAuth returns when the page fetched * from the entered OpenID URL doesn't contain the necessary link tags * to function as an identity page. define('Auth_OpenID_PARSE_ERROR', 'parse error'); * An OpenID consumer implementation that performs discovery and does * session management. See the Consumer.php file documentation for var $discoverMethod =
'Auth_OpenID_discover'; var $session_key_prefix =
"_openid_consumer_"; var $_token_suffix =
"last_token"; * Initialize a Consumer instance. * You should create a new instance of the Consumer object with * every HTTP request that handles OpenID transactions. * @param Auth_OpenID_OpenIDStore $store This must be an object * that implements the interface in {@link } * Auth_OpenID_OpenIDStore}. Several concrete implementations are * provided, to cover most common use cases. For stores backed by * MySQL, PostgreSQL, or SQLite, see the {@link } * Auth_OpenID_SQLStore} class and its sublcasses. For a * filesystem-backed store, see the {@link Auth_OpenID_FileStore} * module. As a last resort, if it isn't possible for the server * to store state at all, an instance of {@link } * Auth_OpenID_DumbStore} can be used. * @param mixed $session An object which implements the interface * of the {@link Auth_Yadis_PHPSession} class. Particularly, this * object is expected to have these methods: get($key), set($key), * $value), and del($key). This defaults to a session object * which wraps PHP's native session machinery. You should only * need to pass something here if you have your own sessioning * @param str $consumer_cls The name of the class to instantiate * when creating the internal consumer object. This is used for $this->session =
& $session; if ($consumer_cls !==
null) { $this->consumer =
& new $consumer_cls($store); $this->_token_key =
$this->session_key_prefix .
$this->_token_suffix; * Used in testing to define the discovery mechanism. function getDiscoveryObject(&$session, $openid_url, * Start the OpenID authentication process. See steps 1-2 in the * overview at the top of this file. * @param string $user_url Identity URL given by the user. This * method performs a textual transformation of the URL to try and * make sure it is normalized. For example, a user_url of * example.com will be normalized to http://example.com/ * normalizing and resolving any redirects the server might issue. * @param bool $anonymous True if the OpenID request is to be sent * to the server without any identifier information. Use this * when you want to transport data but don't want to do OpenID * authentication with identifiers. * @return Auth_OpenID_AuthRequest $auth_request An object * containing the discovered information will be returned, with a * method for building a redirect URL to the server, as described * in step 3 of the overview. This object may also be used to add * extension arguments to the request, using its 'addExtensionArg' function begin($user_url, $anonymous=
false) $disco =
$this->getDiscoveryObject($this->session, $this->session_key_prefix); // Set the 'stale' attribute of the manager. If discovery // fails in a fatal way, the stale flag will cause the manager // to be cleaned up next time discovery is attempted. $m =
$disco->getManager(); $disco->destroyManager(); $disco->session->set($disco->session_key, $endpoint =
$disco->getNextService($this->discoverMethod, $this->consumer->fetcher); // Reset the 'stale' attribute of the manager. $m =
& $disco->getManager(); $disco->session->set($disco->session_key, if ($endpoint ===
null) { * Start OpenID verification without doing OpenID server * discovery. This method is used internally by Consumer.begin * after discovery is performed, and exists to provide an * interface for library users needing to perform their own * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service * @param bool anonymous Set to true if you want to perform OpenID * @return Auth_OpenID_AuthRequest $auth_request An OpenID * authentication request object. $auth_req =
$this->consumer->begin($endpoint); $this->session->set($this->_token_key, $loader->toSession($auth_req->endpoint)); if (!$auth_req->setAnonymous($anonymous)) { "OpenID 1 requests MUST include the identifier " .
* Called to interpret the server's response to an OpenID * request. It is called in step 4 of the flow described in the * @param string $current_url The URL used to invoke the application. * Extract the URL from your application's web * request framework and specify it here to have it checked * against the openid.current_url value in the response. If * the current_url URL check fails, the status of the * completion will be FAILURE. * @param array $query An array of the query parameters (key => * value pairs) for this HTTP request. Defaults to null. If * null, the GET or POST data are automatically gotten from the * PHP environment. It is only useful to override $query for * @return Auth_OpenID_ConsumerResponse $response A instance of an * Auth_OpenID_ConsumerResponse subclass. The type of response is * indicated by the status attribute, which will be one of * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED. function complete($current_url, $query=
null) if ($current_url &&
!is_string($current_url)) { // This is ugly, but we need to complain loudly when // someone uses the API incorrectly. $query =
Auth_OpenID::getQuery(); $endpoint_data =
$this->session->get($this->_token_key); $loader->fromSession($endpoint_data); $response =
$this->consumer->complete($message, $endpoint, $this->session->del($this->_token_key); if ($response->identity_url !==
null) { $disco =
$this->getDiscoveryObject($this->session, $this->session_key_prefix); * A class implementing HMAC/DH-SHA1 consumer sessions. $dh =
new Auth_OpenID_DiffieHellman(); $math =
& Auth_OpenID_getMathLib(); $cpub =
$math->longToBase64($this->dh->public); $args =
array('dh_consumer_public' =>
$cpub); if (!$this->dh->usingDefaultValues()) { $math->longToBase64($this->dh->mod), $math->longToBase64($this->dh->gen))); $math =
& Auth_OpenID_getMathLib(); return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func); * A class implementing HMAC/DH-SHA256 consumer sessions. * A class implementing plaintext consumer sessions. * Returns available session types. 'no-encryption' =>
'Auth_OpenID_PlainTextConsumerSession', 'DH-SHA1' =>
'Auth_OpenID_DiffieHellmanSHA1ConsumerSession', 'DH-SHA256' =>
'Auth_OpenID_DiffieHellmanSHA256ConsumerSession'); * This class is the interface to the OpenID consumer logic. * Instances of it maintain no per-request state, so they can be * reused (or even used by multiple threads concurrently) as needed. var $discoverMethod =
'Auth_OpenID_discover'; * This consumer's store object. var $openid1_nonce_query_arg_name =
'janrain_nonce'; * Another query parameter that gets added to the return_to for * OpenID 1; if the user's session state is lost, use this claimed * identifier to do discovery when verifying the response. * This method initializes a new {@link Auth_OpenID_Consumer} * instance to access the library. * @param Auth_OpenID_OpenIDStore $store This must be an object * that implements the interface in {@link Auth_OpenID_OpenIDStore}. * Several concrete implementations are provided, to cover most common use * cases. For stores backed by MySQL, PostgreSQL, or SQLite, see * the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module. * As a last resort, if it isn't possible for the server to store * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used. * @param bool $immediate This is an optional boolean value. It * controls whether the library uses immediate mode, as explained * in the module description. The default value is False, which * disables immediate mode. $this->_use_assocs =
($this->store ?
true :
false); * Called to begin OpenID authentication using the specified * {@link Auth_OpenID_ServiceEndpoint}. function begin($service_endpoint) $assoc =
$this->_getAssociation($service_endpoint); $r->return_to_args[$this->openid1_nonce_query_arg_name] =
if ($r->message->isOpenID1()) { $r->endpoint->claimed_id; * Given an {@link Auth_OpenID_Message}, {@link } * Auth_OpenID_ServiceEndpoint} and optional return_to URL, * complete OpenID authentication. function complete($message, $endpoint, $return_to) 'cancel' =>
'_complete_cancel', 'error' =>
'_complete_error', 'setup_needed' =>
'_complete_setup_needed', 'id_res' =>
'_complete_id_res', $method =
Auth_OpenID::arrayGet($mode_methods, $mode, array($message, $endpoint, $return_to)); function _completeInvalid($message, &$endpoint, $unused) sprintf("Invalid openid.mode '%s'", $mode)); function _complete_cancel($message, &$endpoint, $unused) function _complete_error($message, &$endpoint, $unused) function _complete_setup_needed($message, &$endpoint, $unused) if (!$message->isOpenID2()) { return $this->_completeInvalid($message, $endpoint); function _complete_id_res($message, &$endpoint, $return_to) if ($this->_checkSetupNeeded($message)) { $endpoint, $user_setup_url); return $this->_doIdRes($message, $endpoint, $return_to); function _checkSetupNeeded($message) // In OpenID 1, we check to see if this is a cancel from // immediate mode by the presence of the user_setup_url if ($message->isOpenID1()) { if ($user_setup_url !==
null) { function _doIdRes($message, $endpoint, $return_to) // Checks for presence of appropriate fields (and checks $result =
$this->_idResCheckForFields($message); if (Auth_OpenID::isFailure($result)) { if (!$this->_checkReturnTo($message, $return_to)) { sprintf("return_to does not match return URL. Expected %s, got %s", // Verify discovery information: $result =
$this->_verifyDiscoveryResults($message, $endpoint); if (Auth_OpenID::isFailure($result)) { $result =
$this->_idResCheckSignature($message, if (Auth_OpenID::isFailure($result)) { $result =
$this->_idResCheckNonce($message, $endpoint); if (Auth_OpenID::isFailure($result)) { if (Auth_OpenID::isFailure($signed_list_str)) { $signed_list =
explode(',', $signed_list_str); $signed_fields =
Auth_OpenID::addPrefix($signed_list, "openid."); function _checkReturnTo($message, $return_to) // Check an OpenID message and its openid.return_to value // against a return_to URL from an application. Return True // on success, False on failure. // Check the openid.return_to args against args in the if (Auth_OpenID::isFailure($result)) { // Check the return_to base URL against the one in the if (Auth_OpenID::isFailure($return_to)) { // If port is absent from both, add it so it's equal in the $return_to_parts['port'] =
null; $msg_return_to_parts['port'] =
null; // If path is absent from both, add it so it's equal in the $return_to_parts['path'] =
null; $msg_return_to_parts['path'] =
null; // The URL scheme, authority, and path MUST be the same foreach (array('scheme', 'host', 'port', 'path') as $component) { // If the url component is absent in either URL, fail. // There should always be a scheme, host, port, and path. if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { function _verifyReturnToArgs($query) // Verify that the arguments in the return_to URL are present in this if (Auth_OpenID::isFailure($return_to)) { // XXX: this should be checked by _idResCheckForFields "Response has no return_to"); $rt_query =
$parsed_url['query']; $q =
Auth_OpenID::parse_str($rt_query); foreach ($q as $rt_key =>
$rt_value) { sprintf("return_to parameter %s absent from query", $rt_key)); $value =
$query[$rt_key]; if ($rt_value !=
$value) { sprintf("parameter %s value %s does not match " .
"return_to value %s", $rt_key, // Make sure all non-OpenID arguments in the response are also // in the signed return_to. foreach ($bare_args as $key =>
$value) { if (Auth_OpenID::arrayGet($q, $key) !=
$value) { sprintf("Parameter %s = %s not in return_to URL", function _idResCheckSignature($message, $server_url) if (Auth_OpenID::isFailure($assoc_handle)) { $assoc =
$this->store->getAssociation($server_url, $assoc_handle); if ($assoc->getExpiresIn() <=
0) { // XXX: It might be a good idea sometimes to re-start // the authentication with a new association. Doing it // automatically opens the possibility for // denial-of-service by a server that just returns // expired associations (or really short-lived 'Association with ' .
$server_url .
' expired'); if (!$assoc->checkMessageSignature($message)) { // It's not an association we know about. Stateless mode // is our only possible path for recovery. XXX - async // framework will not want to block on this call to if (!$this->_checkAuth($message, $server_url)) { "Server denied check_authentication"); function _verifyDiscoveryResults($message, $endpoint=
null) return $this->_verifyDiscoveryResultsOpenID2($message, return $this->_verifyDiscoveryResultsOpenID1($message, function _verifyDiscoveryResultsOpenID1($message, $endpoint) if (($endpoint ===
null) &&
($claimed_id ===
null)) { 'When using OpenID 1, the claimed ID must be supplied, ' .
'either by passing it through as a return_to parameter ' .
'or by using a session, and supplied to the GenericConsumer ' .
'as the argument to complete()'); } else if (($endpoint !==
null) &&
($claimed_id ===
null)) { $claimed_id =
$endpoint->claimed_id; // Restore delegate information from the initiation phase $to_match->claimed_id =
$claimed_id; if ($to_match->local_id ===
null) { "Missing required field openid.identity"); $to_match_1_0 =
$to_match->copy(); if ($endpoint !==
null) { $result =
$this->_verifyDiscoverySingle($endpoint, $to_match); if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { $result =
$this->_verifyDiscoverySingle($endpoint, if (Auth_OpenID::isFailure($result)) { // oidutil.log("Error attempting to use stored // discovery information: " + str(e)) // oidutil.log("Attempting discovery to // Endpoint is either bad (failed verification) or None return $this->_discoverAndVerify($to_match->claimed_id, array($to_match, $to_match_1_0)); function _verifyDiscoverySingle($endpoint, $to_match) // Every type URI that's in the to_match endpoint has to be // present in the discovered endpoint. foreach ($to_match->type_uris as $type_uri) { if (!$endpoint->usesExtension($type_uri)) { "Required type ".
$type_uri.
" not present"); // Fragments do not influence discovery, so we can't compare a // claimed identifier with a fragment to discovered list
($defragged_claimed_id, $_) =
Auth_OpenID::urldefrag($to_match->claimed_id); if ($defragged_claimed_id !=
$endpoint->claimed_id) { sprintf('Claimed ID does not match (different subjects!), ' .
'Expected %s, got %s', $defragged_claimed_id, if ($to_match->getLocalID() !=
$endpoint->getLocalID()) { sprintf('local_id mismatch. Expected %s, got %s', $to_match->getLocalID(), $endpoint->getLocalID())); // If the server URL is None, this must be an OpenID 1 // response, because op_endpoint is a required parameter in // OpenID 2. In that case, we don't actually care what the // discovered server_url is, because signature checking or // check_auth should take care of that check for us. if ($to_match->server_url ===
null) { "Preferred namespace mismatch (bug)"); } else if ($to_match->server_url !=
$endpoint->server_url) { sprintf('OP Endpoint mismatch. Expected %s, got %s', $to_match->server_url, $endpoint->server_url)); function _verifyDiscoveryResultsOpenID2($message, $endpoint) if ($to_match->server_url ===
null) { "OP Endpoint URL missing"); // claimed_id and identifier must both be present or both be if (($to_match->claimed_id ===
null) &&
($to_match->local_id !==
null)) { 'openid.identity is present without openid.claimed_id'); if (($to_match->claimed_id !==
null) &&
($to_match->local_id ===
null)) { 'openid.claimed_id is present without openid.identity'); if ($to_match->claimed_id ===
null) { // This is a response without identifiers, so there's // really no checking that we can do, so return an // endpoint that's for the specified `openid.op_endpoint' // The claimed ID doesn't match, so we have to do // discovery again. This covers not using sessions, OP // identifier endpoints and responses that didn't match // oidutil.log('No pre-discovered information supplied.') return $this->_discoverAndVerify($to_match->claimed_id, // The claimed ID matches, so we use the endpoint that we // discovered in initiation. This should be the most $result =
$this->_verifyDiscoverySingle($endpoint, $to_match); if (Auth_OpenID::isFailure($result)) { $endpoint =
$this->_discoverAndVerify($to_match->claimed_id, if (Auth_OpenID::isFailure($endpoint)) { // The endpoint we return should have the claimed ID from the // message we just verified, fragment and all. if ($endpoint->claimed_id !=
$to_match->claimed_id) { $endpoint->claimed_id =
$to_match->claimed_id; function _discoverAndVerify($claimed_id, $to_match_endpoints) // oidutil.log('Performing discovery on %s' % (claimed_id,)) sprintf("No OpenID information found at %s", return $this->_verifyDiscoveryServices($claimed_id, $services, function _verifyDiscoveryServices($claimed_id, &$services, &$to_match_endpoints) // Search the services resulting from discovery to find one // that matches the information from the assertion foreach ($services as $endpoint) { foreach ($to_match_endpoints as $to_match_endpoint) { $result =
$this->_verifyDiscoverySingle($endpoint, if (!Auth_OpenID::isFailure($result)) { // It matches, so discover verification has // succeeded. Return this endpoint. sprintf('No matching endpoint found after discovering %s', * Extract the nonce from an OpenID 1 response. Return the nonce * from the BARE_NS since we independently check the return_to * arguments are the same as those in the response message. * See the openid1_nonce_query_arg_name class variable * @returns $nonce The nonce as a string or null function _idResGetNonceOpenID1($message, $endpoint) $this->openid1_nonce_query_arg_name); function _idResCheckNonce($message, $endpoint) if ($message->isOpenID1()) { // This indicates that the nonce was generated by the consumer $nonce =
$this->_idResGetNonceOpenID1($message, $endpoint); $server_url =
$endpoint->server_url; "Nonce missing from response"); "Malformed nonce in response"); list
($timestamp, $salt) =
$parts; if (!$this->store->useNonce($server_url, $timestamp, $salt)) { "Nonce already used or out of range"); function _idResCheckForFields($message) $basic_fields =
array('return_to', 'assoc_handle', 'sig', 'signed'); $basic_sig_fields =
array('return_to', 'identity'); foreach ($require_fields[$message->getOpenIDNamespace()] as $field) { "Missing required field '".
$field.
"'"); if (Auth_OpenID::isFailure($signed_list_str)) { $signed_list =
explode(',', $signed_list_str); foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) { // Field is present and not in signed list "'".
$field.
"' not signed"); function _checkAuth($message, $server_url) $request =
$this->_createCheckAuthRequest($message); $resp_message =
$this->_makeKVPost($request, $server_url); if (($resp_message ===
null) ||
(is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) { return $this->_processCheckAuthResponse($resp_message, $server_url); function _createCheckAuthRequest($message) foreach (explode(',', $signed) as $k) { $value =
$message->getAliasedArg($k); $ca_message =
$message->copy(); function _processCheckAuthResponse($response, $server_url) if ($invalidate_handle !==
null) { $this->store->removeAssociation($server_url, if ($is_valid ==
'true') { * Adapt a POST response to a Message. * @param $response Result of a POST to an OpenID endpoint. function _httpResponseToMessage($response, $server_url) // Should this function be named Message.fromHTTPResponse instead? if ($response->status ==
400) { } else if ($response->status !=
200 and $response->status !=
206) { return $response_message; function _makeKVPost($message, $server_url) $body =
$message->toURLEncoded(); $resp =
$this->fetcher->post($server_url, $body); return $this->_httpResponseToMessage($resp, $server_url); function _getAssociation($endpoint) if (!$this->_use_assocs) { $assoc =
$this->store->getAssociation($endpoint->server_url); ($assoc->getExpiresIn() <=
0)) { $assoc =
$this->_negotiateAssociation($endpoint); $this->store->storeAssociation($endpoint->server_url, * Handle ServerErrors resulting from association requests. * @return $result If server replied with an C{unsupported-type} * error, return a tuple of supported C{association_type}, * C{session_type}. Otherwise logs the error and returns null. function _extractSupportedAssociationType(&$server_error, &$endpoint, // Any error message whose code is not 'unsupported-type' // should be considered a total failure. if (($server_error->error_code !=
'unsupported-type') ||
($server_error->message->isOpenID1())) { // The server didn't like the association/session type that we // sent, and it sent us back a message that might tell us how // Extract the session_type and assoc_type from the error if (($assoc_type ===
null) ||
($session_type ===
null)) { } else if (!$this->negotiator->isAllowed($assoc_type, return array($assoc_type, $session_type); function _negotiateAssociation($endpoint) // Get our preferred session/association type from the negotiatior. list
($assoc_type, $session_type) =
$this->negotiator->getAllowedType(); $assoc =
$this->_requestAssociation( $endpoint, $assoc_type, $session_type); if (Auth_OpenID::isFailure($assoc)) { if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { $supportedTypes =
$this->_extractSupportedAssociationType( $why, $endpoint, $assoc_type); if ($supportedTypes !==
null) { list
($assoc_type, $session_type) =
$supportedTypes; // Attempt to create an association from the assoc_type // and session_type that the server told us it $assoc =
$this->_requestAssociation( $endpoint, $assoc_type, $session_type); if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { // Do not keep trying, since it rejected the // association type that it told us to use. // oidutil.log('Server %s refused its suggested association // 'type: session_type=%s, assoc_type=%s' // % (endpoint.server_url, session_type, function _requestAssociation($endpoint, $assoc_type, $session_type) list
($assoc_session, $args) =
$this->_createAssociateRequest( $endpoint, $assoc_type, $session_type); $response_message =
$this->_makeKVPost($args, $endpoint->server_url); if ($response_message ===
null) { // oidutil.log('openid.associate request failed: %s' % (why[0],)) } else if (is_a($response_message, 'Auth_OpenID_ServerErrorContainer')) { return $response_message; return $this->_extractAssociation($response_message, $assoc_session); function _extractAssociation(&$assoc_response, &$assoc_session) // Extract the common fields from the response, raising an // exception if they are not found $assoc_type =
$assoc_response->getArg( if (Auth_OpenID::isFailure($assoc_type)) { $assoc_handle =
$assoc_response->getArg( if (Auth_OpenID::isFailure($assoc_handle)) { // expires_in is a base-10 string. The Python parsing will // accept literals that have whitespace around them and will // accept negative values. Neither of these are really in-spec, // but we think it's OK to accept them. $expires_in_str =
$assoc_response->getArg( if (Auth_OpenID::isFailure($expires_in_str)) { $expires_in =
Auth_OpenID::intval($expires_in_str); if ($expires_in ===
false) { $err =
sprintf("Could not parse expires_in from association ".
"response %s", print_r($assoc_response, true)); // OpenID 1 has funny association session behaviour. if ($assoc_response->isOpenID1()) { $session_type =
$this->_getOpenID1SessionType($assoc_response); $session_type =
$assoc_response->getArg( if (Auth_OpenID::isFailure($session_type)) { if ($assoc_session->session_type !=
$session_type) { if ($assoc_response->isOpenID1() &&
($session_type ==
'no-encryption')) { // In OpenID 1, any association request can result in // a 'no-encryption' association response. Setting // assoc_session to a new no-encryption session should // make the rest of this function work properly for // Any other mismatch, regardless of protocol version // results in the failure of the association session // Make sure assoc_type is valid for session_type if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) { // Delegate to the association session to extract the secret // from the response, however is appropriate for that session $secret =
$assoc_session->extractSecret($assoc_response); $expires_in, $assoc_handle, $secret, $assoc_type); function _createAssociateRequest($endpoint, $assoc_type, $session_type) $session_type_class =
$this->session_types[$session_type]; $assoc_session =
$session_type_class(); $assoc_session =
new $session_type_class(); 'assoc_type' =>
$assoc_type); if (!$endpoint->compatibilityMode()) { // Leave out the session type if we're in compatibility mode // *and* it's no-encryption. if ((!$endpoint->compatibilityMode()) ||
($assoc_session->session_type !=
'no-encryption')) { $args['session_type'] =
$assoc_session->session_type; $args =
array_merge($args, $assoc_session->getRequest()); return array($assoc_session, $message); * Given an association response message, extract the OpenID 1.X * This function mostly takes care of the 'no-encryption' default * If the association type is plain-text, this function will * @return $typ The association type for this message function _getOpenID1SessionType($assoc_response) // If it's an OpenID 1 message, allow session_type to default // to None (which signifies "no-encryption") // Handle the differences between no-encryption association // respones in OpenID 1 and 2: // no-encryption is not really a valid session type for OpenID // 1, but we'll accept it anyway, while issuing a warning. if ($session_type ==
'no-encryption') { // oidutil.log('WARNING: OpenID server sent "no-encryption"' } else if (($session_type ==
'') ||
($session_type ===
null)) { // Missing or empty session type is the way to flag a // 'no-encryption' response. Change the session type to // 'no-encryption' so that it can be handled in the same // way as OpenID 2 'no-encryption' respones. $session_type =
'no-encryption'; * This class represents an authentication request from a consumer to * Initialize an authentication request with the specified token, * association, and endpoint. * Users of this library should not create instances of this * class. Instances of this class are created by the library when $this->endpoint =
& $endpoint; $this->return_to_args =
array(); $endpoint->preferredNamespace()); $this->_anonymous =
false; * Add an extension to this checkid request. * $extension_request: An object that implements the extension * request interface for adding arguments to an OpenID message. $extension_request->toMessage($this->message); * Add an extension argument to this OpenID authentication * Use caution when adding arguments, because they will be * URL-escaped and appended to the redirect URL, which can easily * @param string $namespace The namespace for the extension. For * example, the simple registration extension uses the namespace * @param string $key The key within the extension namespace. For * example, the nickname field in the simple registration * extension's key is 'nickname'. * @param string $value The value to provide to the server for return $this->message->setArg($namespace, $key, $value); * Set whether this request should be made anonymously. If a * request is anonymous, the identifier will not be sent in the * request. This is only useful if you are making another kind of * request with an extension in this request. * Anonymous requests are not allowed when the request is made if ($is_anonymous &&
$this->message->isOpenID1()) { $this->_anonymous =
$is_anonymous; * Produce a {@link Auth_OpenID_Message} representing this * @param string $realm The URL (or URL pattern) that identifies * your web site to the user when she is authorizing it. * @param string $return_to The URL that the OpenID provider will * send the user back to after attempting to verify her identity. * Not specifying a return_to URL means that the user will not be * returned to the site issuing the request upon its completion. * @param bool $immediate If true, the OpenID provider is to send * back a response immediately, useful for behind-the-scenes * authentication attempts. Otherwise the OpenID provider may * engage the user before providing a response. This is the * default case, as the user may need to provide credentials or * approve the request before a positive response can be sent. function getMessage($realm, $return_to=
null, $immediate=
false) $return_to =
Auth_OpenID::appendArgs($return_to, // '"return_to" is mandatory when //using "checkid_immediate"') "'return_to' is mandatory when using checkid_immediate"); } else if ($this->message->isOpenID1()) { // raise ValueError('"return_to" is // mandatory for OpenID 1 requests') "'return_to' is mandatory for OpenID 1 requests"); } else if ($this->return_to_args) { // raise ValueError('extra "return_to" arguments // were specified, but no return_to was specified') "extra 'return_to' arguments where specified, " .
"but no return_to was specified"); $mode =
'checkid_immediate'; $message =
$this->message->copy(); if ($message->isOpenID1()) { $realm_key =
'trust_root'; 'return_to' =>
$return_to)); if (!$this->_anonymous) { if ($this->endpoint->isOPIdentifier()) { // This will never happen when we're in compatibility // mode, as long as isOPIdentifier() returns False // whenever preferredNamespace() returns OPENID1_NS. $claimed_id =
$request_identity =
$request_identity =
$this->endpoint->getLocalID(); $claimed_id =
$this->endpoint->claimed_id; // This is true for both OpenID 1 and 2 if ($message->isOpenID2()) { $message =
$this->getMessage($realm, $return_to, $immediate); if (Auth_OpenID::isFailure($message)) { return $message->toURL($this->endpoint->server_url); * Get html for a form to submit this request to the IDP. * form_tag_attrs: An array of attributes to be added to the form * tag. 'accept-charset' and 'enctype' have defaults that can be * overridden. If a value is supplied for 'action' or 'method', it function formMarkup($realm, $return_to=
null, $immediate=
false, $message =
$this->getMessage($realm, $return_to, $immediate); if (Auth_OpenID::isFailure($message)) { return $message->toFormMarkup($this->endpoint->server_url, * Get a complete html document that will autosubmit the request * Wraps formMarkup. See the documentation for that function. function htmlMarkup($realm, $return_to=
null, $immediate=
false, $form =
$this->formMarkup($realm, $return_to, $immediate, if (Auth_OpenID::isFailure($form)) { return Auth_OpenID::autoSubmitHTML($form); return $this->endpoint->compatibilityMode(); * The base class for responses from the Auth_OpenID_Consumer. $this->endpoint =
$endpoint; if ($endpoint ===
null) { $this->identity_url =
null; $this->identity_url =
$endpoint->claimed_id; * Return the display identifier for this response. * The display identifier is related to the Claimed Identifier, but the * two are not always identical. The display identifier is something the * user should recognize as what they entered, whereas the response's * claimed identifier (in the identity_url attribute) may have extra * information for better persistence. * URLs will be stripped of their fragments for display. XRIs will * display the human-readable identifier (i-name) instead of the * persistent identifier (i-number). * Use the display identifier in your user interface. Use * identity_url for querying your database or authorization server. if ($this->endpoint !==
null) { return $this->endpoint->getDisplayIdentifier(); * A response with a status of Auth_OpenID_SUCCESS. Indicates that * this request is a successful acknowledgement from the OpenID server * that the supplied URL is, indeed controlled by the requesting * agent. This has three relevant attributes: * claimed_id - The identity URL that has been authenticated * signed_args - The arguments in the server's response that were * status - Auth_OpenID_SUCCESS. function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=
null) $this->endpoint =
$endpoint; $this->identity_url =
$endpoint->claimed_id; $this->signed_args =
$signed_args; $this->message =
$message; if ($this->signed_args ===
null) { $this->signed_args =
array(); * Extract signed extension data from the server's response. * @param string $prefix The extension namespace from which to * extract the extension data. return $this->message->getArgs($namespace_uri); return $this->message->isOpenID1(); // Return whether a particular key is signed, regardless of return in_array($this->message->getKey($ns_uri, $ns_key), function getSigned($ns_uri, $ns_key, $default =
null) // Return the specified signed field if available, otherwise if ($this->isSigned($ns_uri, $ns_key)) { return $this->message->getArg($ns_uri, $ns_key, $default); $msg_args =
$this->message->getArgs($ns_uri); if (Auth_OpenID::isFailure($msg_args)) { foreach ($msg_args as $key =>
$value) { * Get the openid.return_to argument from this response. * This is useful for verifying that this request was initiated by * @return string $return_to The return_to URL supplied to the * server on the initial request, or null if the response did not * contain an 'openid.return_to' argument. * A response with a status of Auth_OpenID_FAILURE. Indicates that the * OpenID protocol has failed. This could be locally or remotely * triggered. This has three relevant attributes: * claimed_id - The identity URL for which authentication was * attempted, if it can be determined. Otherwise, null. * message - A message indicating why the request failed, if one is * supplied. Otherwise, null. * status - Auth_OpenID_FAILURE.
