/**
 * Relying-Party side of the first OpenID leg.
 *
 * Normalises and discovers the claimed identifier, associates with the
 * Provider when bcmath is available, builds the checkid request and sends
 * the user agent to the Provider endpoint.
 *
 * Review notes:
 * - $claimed_id is user input and openid_discovery() fetches it over the
 *   network. The discovery layer (not visible here) should reject non-http(s)
 *   schemes and internal/link-local addresses, otherwise this is an SSRF
 *   vector — confirm.
 * - Without bcmath no association is created; $assoc_handle stays empty and
 *   the Provider's later response must then be verified statelessly
 *   (check_authentication) by the return handler — confirm that path exists.
 * - The directed-identity URI used below is the pre-final draft value; the
 *   final OpenID 2.0 spec uses http://specs.openid.net/auth/2.0/identifier_select.
 *   Providers built against the final spec will not recognise the draft one.
 *
 * @param string $claimed_id  The OpenID the user entered.
 * @param string $return_to   Endpoint the Provider should return the user to.
 * @param array  $form_values Login-form values kept in the session for the
 *                            external-login step after the round trip.
 * @return void  Echoes either an error message or the redirect.
 */
function openid_begin($claimed_id, $return_to = '', $form_values = array()) {
    $claimed_id = _openid_normalize($claimed_id);
    $services = openid_discovery($claimed_id);

    if (count($services) === 0) {
        echo 'Sorry, that is not a valid OpenID. Please ensure you have spelled your ID correctly.';
        return;
    }

    $service = $services[0];
    $op_endpoint = $service['uri'];

    // Remember what discovery found so the return leg need not repeat it,
    // the claimed id for delegation handling, and the login form values.
    $_SESSION['openid_op_endpoint'] = $op_endpoint;
    $_SESSION['openid_claimed_id'] = $claimed_id;
    $_SESSION['openid_user_login_values'] = $form_values;

    // Association needs big-number arithmetic (Diffie-Hellman); skip it when
    // bcmath is absent and let the Provider response be checked statelessly.
    $assoc_handle = function_exists('bcadd') ? openid_association($op_endpoint) : '';

    // Delegated identifier wins over the claimed id; an OP that advertises
    // the 2.0 server type gets a directed-identity request instead.
    $identity = empty($service['delegate']) ? $claimed_id : $service['delegate'];
    $is_op_identifier = isset($service['types'])
        && is_array($service['types'])
        && in_array(OPENID_NS_2_0 . '/server', $service['types']);
    if ($is_op_identifier) {
        $identity = 'http://openid.net/identifier_select/2.0';
    }

    $authn_request = openid_authentication_request(
        $claimed_id,
        $identity,
        $return_to,
        $assoc_handle,
        $service['version']
    );

    // 2.0 endpoints get the (form-post capable) redirect, 1.x a plain HTTP one.
    if ($service['version'] == 2) {
        echo openid_redirect($op_endpoint, $authn_request);
    } else {
        echo openid_redirect_http($op_endpoint, $authn_request);
    }
}
/**
 * Begin an OpenID login through the consumer library.
 *
 * Runs discovery on the claimed URL, records the action and finish URL in
 * the session, attaches any extensions supplied by the
 * 'openid_auth_request_extensions' filter, and redirects to the Provider.
 * Does not return on success (exit after the redirect).
 *
 * Review notes:
 * - $claimed_url is user input that openid_begin_consumer() fetches; the
 *   consumer library should refuse internal addresses (SSRF) — not checked here.
 * - $finish_url is stored verbatim and used for a later redirect elsewhere;
 *   that code path should confirm it is a local URL before redirecting,
 *   otherwise it is an open redirect — not visible here.
 * - @session_start() hides failures (headers already sent, session already
 *   active); a session_status() check would be preferable where available.
 * - htmlentities() is applied with default flags/charset; confirm the
 *   message sink's output context matches.
 *
 * @param string      $claimed_url Claimed OpenID URL.
 * @param string      $action      OpenID action being performed.
 * @param string|null $finish_url  Stored in the session for a later redirect.
 * @return void
 * @uses apply_filters() 'openid_auth_request_extensions', 'openid_return_to'
 */
function openid_start_login($claimed_url, $action, $finish_url = null) {
    if (empty($claimed_url)) {
        return;
    }

    $auth_request = openid_begin_consumer($claimed_url);
    if ($auth_request === null) {
        openid_status('error');
        openid_message(sprintf(
            __('Could not discover an OpenID identity server endpoint at the url: %s', 'openid'),
            htmlentities($claimed_url)
        ));
        return;
    }

    @session_start();
    $_SESSION['openid_action'] = $action;
    $_SESSION['openid_finish_url'] = $finish_url;

    // Only genuine extension objects are attached; anything else the filter
    // hands back is silently ignored.
    $extensions = apply_filters('openid_auth_request_extensions', array(), $auth_request);
    foreach ($extensions as $extension) {
        if ($extension instanceof Auth_OpenID_Extension) {
            $auth_request->addExtension($extension);
        }
    }

    $return_to = apply_filters('openid_return_to', openid_service_url('consumer', 'login_post'));
    $trust_root = openid_trust_root($return_to);

    openid_redirect($auth_request, $trust_root, $return_to);
    exit(0);
}
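/**
 * Build, sign and deliver the Provider's positive assertion (id_res) for a
 * checkid_setup / checkid_immediate request.
 *
 * Steps:
 *  1. require a logged-in local user, otherwise bounce to /login;
 *  2. derive the realm (openid.trust_root in 1.x) and reject it if
 *     check_realm() says no;
 *  3. require that openid.return_to matches the realm (OpenID 2.0 §9.2);
 *  4. resolve the asserted identity: the logged-in user's own one for
 *     directed identity, otherwise the one the RP named — which must be the
 *     logged-in user's;
 *  5. assemble the response, echo the RP's own return_to query parameters
 *     back without letting them overwrite openid.* fields, sign, redirect.
 *
 * Fixes relative to the original:
 *  - the /login and identity-mismatch redirects now return; previously
 *    execution fell through to a signed positive assertion unless the
 *    redirect helpers happened to exit;
 *  - return_to query parameters can no longer clobber openid.identity,
 *    openid.claimed_id, openid.return_to etc. before signing (a crafted
 *    return_to could otherwise obtain an assertion for another user);
 *  - return_to is checked against the realm; check_realm() is not visible
 *    here, so if it already does this the check is merely redundant;
 *  - debug output ("Create rp", print_r) removed: it leaked RP records into
 *    the response and breaks header-based redirects;
 *  - missing request keys no longer raise undefined-index notices;
 *  - unreachable redirect after the realm throw removed.
 *
 * Remaining caveats (behaviour intentionally unchanged):
 *  - the "trust step" is skipped: the first request from any realm that passes
 *    the checks is auto-approved and persisted, so the user never consents to
 *    releasing sreg nickname/email to that RP;
 *  - checkid_immediate is still a TODO (spec says reply setup_needed rather
 *    than redirecting to /login);
 *  - the OP endpoint and directed-identity URL are hard-coded to
 *    http://local.openid_provider/, and the directed-identity URL is built
 *    differently from the one compared in the non-directed branch
 *    (url(openid_provider_user_url(...))) — confirm they agree.
 *
 * @param array $request  Decoded openid.* request parameters.
 * @return mixed  Whatever the redirect helper returns.
 * @throws Exception  When the realm is rejected, return_to does not match the
 *                    realm, or no RP record could be saved/loaded.
 */
function openid_provider_authentication_response($request) {
    // If the user is not yet logged in, send them to the login page first.
    $user = api_session::get('user');
    if (!$user) {
        return $this->openid_redirect_http('/login');
    }

    $mode = isset($request['openid.mode']) ? $request['openid.mode'] : null;
    $return_to = isset($request['openid.return_to']) ? $request['openid.return_to'] : null;
    $assoc_handle = isset($request['openid.assoc_handle']) ? $request['openid.assoc_handle'] : null;

    // Determine the realm (openid.trust_root in 1.x).
    if (!empty($request['openid.realm'])) {
        $realm = $request['openid.realm'];
    } else {
        $realm = isset($request['openid.trust_root']) ? $request['openid.trust_root'] : null;
    }

    if (!$this->check_realm($realm)) {
        throw new Exception("Realm not ok");
    }

    // OpenID 2.0 §9.2 realm matching: same scheme, same (effective) port,
    // host equal to the realm host or — for a "*." realm — the realm domain
    // or any subdomain of it, and a path at or below the realm path.
    $return_to_matches_realm = function ($realm, $return_to) {
        if (!is_string($realm) || !is_string($return_to)) {
            return false;
        }
        $wildcard = (strpos($realm, '://*.') !== false);
        $r = parse_url($wildcard ? str_replace('://*.', '://', $realm) : $realm);
        $t = parse_url($return_to);
        if ($r === false || $t === false
            || empty($r['scheme']) || empty($r['host'])
            || empty($t['scheme']) || empty($t['host'])) {
            return false;
        }
        $r_scheme = strtolower($r['scheme']);
        $t_scheme = strtolower($t['scheme']);
        if ($r_scheme !== $t_scheme) {
            return false;
        }
        $defaults = array('http' => 80, 'https' => 443);
        $r_port = isset($r['port']) ? (int) $r['port'] : (isset($defaults[$r_scheme]) ? $defaults[$r_scheme] : null);
        $t_port = isset($t['port']) ? (int) $t['port'] : (isset($defaults[$t_scheme]) ? $defaults[$t_scheme] : null);
        if ($r_port !== $t_port) {
            return false;
        }
        $r_host = strtolower($r['host']);
        $t_host = strtolower($t['host']);
        if ($wildcard) {
            $suffix = '.' . $r_host;
            $host_ok = ($t_host === $r_host)
                || (strlen($t_host) > strlen($suffix) && substr($t_host, -strlen($suffix)) === $suffix);
        } else {
            $host_ok = ($t_host === $r_host);
        }
        if (!$host_ok) {
            return false;
        }
        $r_path = (isset($r['path']) && $r['path'] !== '') ? $r['path'] : '/';
        $t_path = (isset($t['path']) && $t['path'] !== '') ? $t['path'] : '/';
        return strpos($t_path, $r_path) === 0;
    };

    if (!$return_to_matches_realm($realm, $return_to)) {
        throw new Exception("return_to does not match realm");
    }

    // Directed identity: assert the logged-in user's own identifier. Otherwise
    // the RP named a specific identity, which must belong to the logged-in
    // user — never sign an assertion for somebody else's identifier.
    $requested_identity = isset($request['openid.identity']) ? $request['openid.identity'] : null;
    if ($requested_identity === 'http://specs.openid.net/auth/2.0/identifier_select') {
        $identity = 'http://local.openid_provider/user/' . $user['id'] . '/identity';
    } else {
        $identity = $requested_identity;
        if ($identity !== url(openid_provider_user_url($user['id']), array('absolute' => TRUE))) {
            $response = openid_provider_authentication_error($mode);
            return openid_redirect($return_to, $response);
        }
    }

    $response = array(
        'openid.ns' => OPENID_NS_2_0,
        'openid.mode' => 'id_res',
        'openid.op_endpoint' => 'http://local.openid_provider/openid/provider',
        'openid.identity' => $identity,
        'openid.claimed_id' => $identity,
        'openid.return_to' => $return_to,
        'openid.response_nonce' => $this->openid_provider_nonce(),
        'openid.assoc_handle' => $assoc_handle,
        'openid.sreg.nickname' => $user['username'],
        'openid.sreg.email' => $user['email'],
    );

    // Is the RP requesting Immediate or Indirect mode?
    if ($mode == 'checkid_immediate') {
        // TODO: reply with setup_needed instead of the interactive flow.
    }

    // Echo the RP's own return_to query parameters back (§10.1), but never let
    // them overwrite a field of the response: a return_to carrying
    // ?openid.identity=<victim> would otherwise be signed as the OP's assertion.
    $parts = parse_url($return_to);
    if (is_array($parts) && isset($parts['query'])) {
        foreach ($this->openid_get_params($parts['query']) as $key => $val) {
            if (strncmp($key, 'openid.', 7) === 0 || array_key_exists($key, $response)) {
                continue;
            }
            $response[$key] = $val;
        }
    }

    // Trust step skipped: a realm that passed the checks is auto-approved and
    // persisted on first sight. See the method comment for the consequence.
    $rp = $this->openid_provider_rp_load($user['id'], $realm);
    if (empty($rp)) {
        $this->openid_provider_rp_save($user['id'], $realm, TRUE);
        $rp = $this->openid_provider_rp_load($user['id'], $realm);
    }

    if ($rp) {
        $response = $this->openid_provider_sign($response);
        return $this->openid_redirect_http($response['openid.return_to'], $response);
    }

    // Unset global post variable, otherwise FAPI will assume it has been
    // submitted against openid_provider_form.
    unset($_POST);
    throw new Exception("Association error");
}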