Source code for file /openid/Auth/OpenID/PAPE.php
* An implementation of the OpenID Provider Authentication Policy
* http://openid.net/developers/specs/
// Do not allow direct access
// The script terminates with 'Restricted access' unless the _JEXEC constant
// (Joomla's entry-point marker) was defined before this file was loaded.
defined( '_JEXEC' ) or die( 'Restricted access' );
// Fixed, literal path; it is not built from any request data.
require_once "Auth/OpenID/Extension.php";
// Namespace URI of the PAPE extension; both $ns_uri members below are set to it.
define('Auth_OpenID_PAPE_NS_URI',
"http://specs.openid.net/extensions/pape/1.0");
// Authentication policy URIs exposed as constants.
define('PAPE_AUTH_MULTI_FACTOR_PHYSICAL',
'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical');
define('PAPE_AUTH_MULTI_FACTOR',
'http://schemas.openid.net/pape/policies/2007/06/multi-factor');
define('PAPE_AUTH_PHISHING_RESISTANT',
'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant');
// Pattern for a UTC timestamp of the form YYYY-MM-DDThh:mm:ssZ.
// NOTE(review): the line that opens this statement is not part of this
// listing. If this string is handed to a preg_* function as written, it has
// no pattern delimiters (PCRE would take '^' as the opening delimiter and
// fail), and '$' also matches before a trailing newline - confirm how the
// validator is applied where it is used.
'^[0-9]{4,4}-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z$');
* A Provider Authentication Policy request, sent from a relying party
* preferred_auth_policies: The authentication policies that
* the relying party prefers
* max_auth_age: The maximum time, in seconds, that the relying party
* wants to allow to have elapsed before the user must re-authenticate
// Extension namespace for this object, taken from Auth_OpenID_PAPE_NS_URI.
var $ns_uri =
Auth_OpenID_PAPE_NS_URI;
// A null policy list is replaced by an empty array before it is stored.
// NOTE(review): the enclosing signature and the closing brace of this check
// are not part of this listing.
if ($preferred_auth_policies ===
null) {
$preferred_auth_policies =
array();
$this->preferred_auth_policies =
$preferred_auth_policies;
// Stored exactly as passed in; no type or range check is visible here.
$this->max_auth_age =
$max_auth_age;
* Add an acceptable authentication policy URI to this request
* This method is intended to be used by the relying party to add
* acceptable authentication types to the request.
* policy_uri: The identifier for the preferred type of
// Append the URI only when it is not already listed, so the list stays
// free of duplicates.
// in_array() is called without its strict flag, so the membership test uses
// loose (==) comparison.
// NOTE(review): policy URIs are presumably always strings; passing true as
// the third argument would make the comparison exact.
if (!in_array($policy_uri, $this->preferred_auth_policies)) {
$this->preferred_auth_policies[] =
$policy_uri;
// The policy list is serialised as one space-separated string. A URI that
// itself contains a space would be read back as two entries by the
// explode(' ') based parser further down in this file.
'preferred_auth_policies' =>
implode(' ', $this->preferred_auth_policies)
// max_auth_age is only emitted when it is set, and is sent as a string.
if ($this->max_auth_age !==
null) {
$ns_args['max_auth_age'] =
strval($this->max_auth_age);
* Instantiate a Request object from the arguments in a checkid_*
// Missing (null) or empty PAPE arguments take a separate branch; the
// statement inside that branch is not part of this listing.
if ($args ===
null ||
$args ===
array()) {
// Populate the request object from the extension arguments.
$obj->parseExtensionArgs($args);
* Set the state of this request to be that expressed in these
* @param args: The PAPE arguments without a namespace
// preferred_auth_policies is a space-separated list of policy
// URIs. The member is reset first, so parsing replaces any earlier state.
$this->preferred_auth_policies =
array();
// $args carries values taken from the incoming request, so treat both
// fields read below as untrusted input.
$policies_str =
Auth_OpenID::arrayGet($args, 'preferred_auth_policies');
// Split on single spaces and keep the first occurrence of each URI.
// explode() yields an empty string for each pair of adjacent spaces, and
// nothing in the lines shown filters such entries or checks URI syntax.
// in_array() is used without its strict flag (loose comparison).
foreach (explode(' ', $policies_str) as $uri) {
if (!in_array($uri, $this->preferred_auth_policies)) {
$this->preferred_auth_policies[] =
$uri;
// max_auth_age is base-10 integer number of seconds
$max_auth_age_str =
Auth_OpenID::arrayGet($args, 'max_auth_age');
// NOTE(review): the condition that selects between the two assignments
// below is not part of this listing. The response parser in this file
// compares an Auth_OpenID::intval() result with false, which suggests the
// helper can return false; no such check, and no rejection of negative
// values, is visible here - confirm before relying on max_auth_age.
$this->max_auth_age =
Auth_OpenID::intval($max_auth_age_str);
$this->max_auth_age =
null;
* Given a list of authentication policy URIs that a provider
* supports, this method returns the subsequence of those types
* that are preferred by the relying party.
* @param supported_types: A sequence of authentication policy
* type URIs that are supported by a provider
* @return array The sub-sequence of the supported types that are
* preferred by the relying party. This list will be ordered in
* the order that the types appear in the supported_types
* sequence, and may be empty if the provider does not prefer any
* of the supported authentication types.
// Walk the provider's supported types in their own order and test each one
// against the relying party's preferred policies.
foreach ($supported_types as $st) {
// Membership uses loose comparison because in_array() is called without its
// strict flag; the body of this branch is not part of this listing.
if (in_array($st, $this->preferred_auth_policies)) {
* A Provider Authentication Policy response, sent from a provider to
// Extension namespace for this object, taken from Auth_OpenID_PAPE_NS_URI.
var $ns_uri =
Auth_OpenID_PAPE_NS_URI;
// auth_policies is set either to the supplied list or to an empty array.
// NOTE(review): the condition choosing between these two assignments is
// not part of this listing.
$this->auth_policies =
$auth_policies;
$this->auth_policies =
array();
// Both values are stored exactly as passed in; no format or range check is
// visible at this point.
$this->auth_time =
$auth_time;
$this->nist_auth_level =
$nist_auth_level;
* Add an authentication policy to this response
* This method is intended to be used by the provider to add a
* policy that the provider conformed to when authenticating the
* @param policy_uri: The identifier for the preferred type of
// Append the policy URI only when it is not already present, so the
// response never lists the same policy twice.
// in_array() is called without its strict flag, so the membership test uses
// loose (==) comparison.
if (!in_array($policy_uri, $this->auth_policies)) {
$this->auth_policies[] =
$policy_uri;
* Create an Auth_OpenID_PAPE_Response object from a successful
* OpenID library response.
* @param success_response $success_response A SuccessResponse
* from Auth_OpenID_Consumer::complete()
* @returns: A provider authentication policy response from the
* data that was supplied with the id_res response.
// PAPE requires that the args be signed.
// Fields outside the signed set are not covered by the provider's signature,
// so only signed PAPE fields should reach parseExtensionArgs().
// NOTE(review): the call that obtains $args is not part of this listing -
// confirm that it reads the signed arguments only.
// Missing (null) or empty arguments take a separate branch whose body is
// not shown here.
if ($args ===
null ||
$args ===
array()) {
// The parse result is captured in $result; how it is used afterwards is not
// visible in this listing.
$result =
$obj->parseExtensionArgs($args);
* Parse the provider authentication policy arguments into the
* internal state of this object
* @param args: unqualified provider authentication policy
* @param strict: Whether to return false when bad data is
* @return null The data is parsed into the internal fields of
// Read the policy list from the response arguments.
$policies_str =
Auth_OpenID::arrayGet($args, 'auth_policies');
// A missing/empty value and the literal "none" both leave auth_policies
// untouched. The comparison with "none" is loose (!=).
if ($policies_str &&
$policies_str !=
"none") {
// Split on single spaces and assign the result directly. Unlike the request
// parser, the visible lines do not remove duplicates, and adjacent spaces
// produce empty-string entries.
$this->auth_policies =
explode(" ", $policies_str);
// nist_auth_level is optional; it is only processed when present.
$nist_level_str =
Auth_OpenID::arrayGet($args, 'nist_auth_level');
if ($nist_level_str !==
null) {
$nist_level =
Auth_OpenID::intval($nist_level_str);
// A false result apparently marks a value that could not be read as an
// integer; the body of this branch is not part of this listing.
if ($nist_level ===
false) {
// Only levels 0 through 4 are accepted into nist_auth_level.
if (0 <=
$nist_level &&
$nist_level <
5) {
$this->nist_auth_level =
$nist_level;
// auth_time is optional and is kept as the string that was received.
$auth_time =
Auth_OpenID::arrayGet($args, 'auth_time');
// NOTE(review): no format check is visible between the null test and the
// assignment in this listing; confirm that the timestamp is validated
// against the UTC pattern defined near the top of the file before the
// value is trusted.
if ($auth_time !==
null) {
$this->auth_time =
$auth_time;
// auth_policies is sent as a space-separated string when at least one policy
// is set; the literal 'none' is the alternative value.
// NOTE(review): the else that separates the two assignments is not part of
// this listing.
if (count($this->auth_policies) >
0) {
$ns_args['auth_policies'] =
implode(' ', $this->auth_policies);
$ns_args['auth_policies'] =
'none';
// The NIST level is only emitted when set, and is sent as a string.
if ($this->nist_auth_level !==
null) {
$ns_args['nist_auth_level'] =
strval($this->nist_auth_level);
// auth_time is only emitted when set, and goes out exactly as stored; it is
// not reformatted or re-checked here.
if ($this->auth_time !==
null) {
$ns_args['auth_time'] =
$this->auth_time;