Beispiel #1
 /**
  * Validate an id_res (positive assertion) message and build the response
  * handed back to the caller.
  *
  * The checks run in a fixed order and the first failure wins: required
  * fields, return_to match, discovery verification, signature, nonce, and
  * finally the signed-field list. Only a message that survives every step
  * becomes a success response.
  *
  * @access private
  * @param object $message   response message; must provide getArg()
  * @param object $endpoint  endpoint from discovery; the verified endpoint
  *                          returned by _verifyDiscoveryResults replaces it
  * @param string $return_to return URL this request was issued for
  * @return Auth_OpenID_SuccessResponse|Auth_OpenID_FailureResponse
  */
 function _doIdRes($message, $endpoint, $return_to)
 {
     // Required fields (and the fields named in the signed list) must be present.
     $fieldCheck = $this->_idResCheckForFields($message);
     if (Auth_OpenID::isFailure($fieldCheck)) {
         return $fieldCheck;
     }

     // The OP's return_to must match the URL the request was issued for;
     // otherwise the assertion is not bound to this transaction.
     if (!$this->_checkReturnTo($message, $return_to)) {
         $actualReturnTo = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
         $reason = sprintf("return_to does not match return URL. Expected %s, got %s", $return_to, $actualReturnTo);
         return new Auth_OpenID_FailureResponse(null, $reason);
     }

     // Discovery must confirm the endpoint; the verified endpoint is what
     // every later step uses.
     $verifiedEndpoint = $this->_verifyDiscoveryResults($message, $endpoint);
     if (Auth_OpenID::isFailure($verifiedEndpoint)) {
         return $verifiedEndpoint;
     }

     $signatureCheck = $this->_idResCheckSignature($message, $verifiedEndpoint->server_url);
     if (Auth_OpenID::isFailure($signatureCheck)) {
         return $signatureCheck;
     }

     $nonceCheck = $this->_idResCheckNonce($message, $verifiedEndpoint);
     if (Auth_OpenID::isFailure($nonceCheck)) {
         return $nonceCheck;
     }

     // 'signed' is mandatory here: with Auth_OpenID_NO_DEFAULT, getArg may
     // hand back a failure object instead of a string.
     $signedArg = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', Auth_OpenID_NO_DEFAULT);
     if (Auth_OpenID::isFailure($signedArg)) {
         return $signedArg;
     }

     $signedFields = Auth_OpenID::addPrefix(explode(',', $signedArg), "openid.");
     return new Auth_OpenID_SuccessResponse($verifiedEndpoint, $message, $signedFields);
 }
Beispiel #2
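 /**
  * Validate an id_res (positive assertion) message and build the response
  * handed back to the caller.
  *
  * Order of checks: signed list present, required fields, discovery
  * verification, signature, nonce. The first failure is returned as-is.
  *
  * NOTE(review): unlike the three-argument variant of this method, no
  * return_to comparison is made here; confirm the caller enforces that the
  * response was issued for the expected return URL.
  *
  * @access private
  * @param object $message  response message; must provide getArg()
  * @param object $endpoint endpoint from discovery; replaced by the verified
  *                         endpoint returned from _verifyDiscoveryResults
  * @return Auth_OpenID_SuccessResponse|Auth_OpenID_FailureResponse
  */
 function _doIdRes($message, $endpoint)
 {
     // The signed list is read first because the field check needs it.
     $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
     if ($signed_list_str === null) {
         return new Auth_OpenID_FailureResponse($endpoint, "Response missing signed list");
     }
     $signed_list = explode(',', $signed_list_str);

     // Checks for presence of appropriate fields (and checks
     // signed list fields)
     $result = $this->_idResCheckForFields($message, $signed_list);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }

     // Verify discovery information; the verified endpoint is what the
     // signature and nonce checks use.
     $result = $this->_verifyDiscoveryResults($message, $endpoint);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     $endpoint = $result;

     $result = $this->_idResCheckSignature($message, $endpoint->server_url);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }

     // The former read of openid.identity into an unused local was dropped;
     // nothing below consumed it.
     $result = $this->_idResCheckNonce($message, $endpoint);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }

     $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
     return new Auth_OpenID_SuccessResponse($endpoint, $message, $signed_fields);
 }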
Beispiel #3
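 /**
  * Validate an id_res (positive assertion) message and build the response
  * handed back to the caller.
  *
  * This is the upstream check sequence (fields, return_to, discovery,
  * signature, nonce, signed list) with one local addition: when the site
  * defines OPENID_FIXED_ENDPOINT and the stored claimed_id is the
  * identifier-select marker, the identity asserted by the OP is adopted
  * before discovery verification runs.
  *
  * @access private
  * @param object      $message   response message; must provide getArg()/setArg()
  * @param object|null $endpoint  endpoint from discovery; replaced by the
  *                               verified endpoint from _verifyDiscoveryResults
  * @param string      $return_to return URL this request was issued for
  * @return Auth_OpenID_SuccessResponse|Auth_OpenID_FailureResponse
  */
 function _doIdRes($message, $endpoint, $return_to)
 {
     // Checks for presence of appropriate fields (and checks
     // signed list fields)
     $result = $this->_idResCheckForFields($message);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     if (!$this->_checkReturnTo($message, $return_to)) {
         return new Auth_OpenID_FailureResponse(null, sprintf("return_to does not match return URL. Expected %s, got %s", $return_to, $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
     }
     // -------------------------------------------------------------
     // Block change to original code starts here
     //
     // @author Stuart Metcalfe <*****@*****.**> on behalf of Canonical
     //
     // We are using a simplified version of the 'identifier select' feature
     // from OpenID 2.0 in OpenID 1.1 requests to authenticate with a fixed
     // endpoint (defined in the implementing site's code as
     // OPENID_FIXED_ENDPOINT).  This allows us to transparently provide SSO
     // for multiple sites using OpenID and implement (potentially) multiple
     // authentication methods only once on the central server.
     //
     // The null guard avoids a property read on a missing endpoint, and the
     // strict comparison avoids loose string/number coercion on claimed_id.
     if (defined('OPENID_FIXED_ENDPOINT')
         && $endpoint !== null
         && $endpoint->claimed_id === Auth_OpenID_IDENTIFIER_SELECT) {
         // This is a hack to allow OpenID 2.0 style identifier selection in
         // an OpenID 1.x transaction.  When this happens, we set the claimed
         // and local identity URLs from the response parameters.  Normally
         // this should be followed up with a check to see if the OP really
         // is responsible for the selected ID, but we're skipping it due to
         // us trusting the OP.
         //
         // NOTE(review): with this shortcut any identity the OP asserts is
         // accepted as claimed_id; the only thing binding it to the OP is the
         // signature check on $endpoint->server_url below. Confirm that
         // OPENID_FIXED_ENDPOINT can only ever resolve to the trusted OP.
         $identity_url = $message->getArg(Auth_OpenID_OPENID_NS, 'identity');
         $endpoint->claimed_id = $identity_url;
         $endpoint->local_id = $identity_url;
         $message->setArg(Auth_OpenID_BARE_NS, 'openid1_claimed_id', $identity_url);
     }
     // Block change to original code ends here
     // -------------------------------------------------------------
     // Verify discovery information:
     $result = $this->_verifyDiscoveryResults($message, $endpoint);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     $endpoint = $result;
     $result = $this->_idResCheckSignature($message, $endpoint->server_url);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     $result = $this->_idResCheckNonce($message, $endpoint);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     // With Auth_OpenID_NO_DEFAULT, getArg may return a failure object rather
     // than a string; surface it instead of handing it to explode().
     $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', Auth_OpenID_NO_DEFAULT);
     if (Auth_OpenID::isFailure($signed_list_str)) {
         return $signed_list_str;
     }
     $signed_list = explode(',', $signed_list_str);
     $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
     return new Auth_OpenID_SuccessResponse($endpoint, $message, $signed_fields);
 }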
Beispiel #4
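 /**
  * Validate an id_res (positive assertion) message and build the response
  * handed back to the caller.
  *
  * Same check sequence as upstream (fields, return_to, discovery, signature,
  * nonce, signed list), with extra logging on a return_to mismatch.
  *
  * NOTE(review): when $return_to is empty, a return_to mismatch is only
  * logged and processing continues, so the assertion is accepted without
  * being bound to a return URL. Confirm this is intended for every caller;
  * the upstream variant fails closed here.
  *
  * @access private
  * @param object $message   response message; must provide getArg()
  * @param object $endpoint  endpoint from discovery; replaced by the verified
  *                          endpoint returned from _verifyDiscoveryResults
  * @param string $return_to return URL this request was issued for
  * @return Auth_OpenID_SuccessResponse|Auth_OpenID_FailureResponse
  */
 function _doIdRes($message, $endpoint, $return_to)
 {
     // Checks for presence of appropriate fields (and checks
     // signed list fields)
     $result = $this->_idResCheckForFields($message);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     if (!$this->_checkReturnTo($message, $return_to)) {
         // Only file/line/function are logged, so the frames' arguments are
         // not collected: cheaper, and the request message (which may carry
         // tokens) is not copied into the trace.
         $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
         $errline = "\nStack Trace: \n";
         foreach ($frames as $frame) {
             if (isset($frame['file'])) {
                 $errline .= " file: {$frame['file']}";
             }
             if (isset($frame['line'])) {
                 $errline .= " line: {$frame['line']}";
             }
             if (isset($frame['function'])) {
                 $errline .= " fcn: {$frame['function']}";
             }
             $errline .= "\n";
         }
         error_log("lib/openid/Auth/OpenID/Consumer.php::_doIdRes() - auth return_to failure ... {$errline}");
         // Deliberate local behaviour: an empty expected URL is logged and
         // ignored rather than rejected (see the note in the docblock).
         if (empty($return_to)) {
             error_log("lib/openid/Auth/OpenID/Consumer.php: Ignoring empty return_to URL.");
         } else {
             return new Auth_OpenID_FailureResponse(null, sprintf("return_to does not match return URL. Expected %s, got %s", $return_to, $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
         }
     }
     // Verify discovery information; the verified endpoint is what the
     // signature and nonce checks use.
     $result = $this->_verifyDiscoveryResults($message, $endpoint);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     $endpoint = $result;
     $result = $this->_idResCheckSignature($message, $endpoint->server_url);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     $result = $this->_idResCheckNonce($message, $endpoint);
     if (Auth_OpenID::isFailure($result)) {
         return $result;
     }
     // With Auth_OpenID_NO_DEFAULT, getArg may return a failure object rather
     // than a string; surface it before explode().
     $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', Auth_OpenID_NO_DEFAULT);
     if (Auth_OpenID::isFailure($signed_list_str)) {
         return $signed_list_str;
     }
     $signed_list = explode(',', $signed_list_str);
     $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
     return new Auth_OpenID_SuccessResponse($endpoint, $message, $signed_fields);
 }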