Ejemplo n.º 1
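/**
 * Processes id_res requests.
 *
 * Two response shapes are handled:
 *  - the response carries openid_identity: the identity is compared with the
 *    delegate stored in the session, the response is verified (association
 *    first, direct verification as a fallback), the result is recorded in
 *    $_SESSION['openid']['validated'], and on success the flow continues with
 *    parseSRegResponse() and URLBuilder::redirect();
 *  - the response carries openid_user_setup_url: the user is redirected to a
 *    setup request unless immediate mode is configured.
 *
 * Every failure path returns right after reporting the error. openid_error()
 * is defined elsewhere and whether it terminates the request is not visible
 * here, so this function does not rely on it to stop an unverified response
 * from reaching the "validated" session flag or the final redirect.
 *
 * @param Boolean $valid True if the request has already been authenticated.
 *                       This is trusted as given; callers must only pass true
 *                       after a real verification.
 */
function processIdRes($valid)
{
    if (!isset($_REQUEST['openid_identity'])) {
        if (isset($_REQUEST['openid_user_setup_url'])) {
            if (defined('OPENID_IMMEDIATE') && OPENID_IMMEDIATE) {
                openid_error('noimmediate', 'Couldn\'t perform immediate auth');
                return;
            }
            $handle = getHandle($_SESSION['openid']['server']);
            // NOTE(review): openid_user_setup_url is request-supplied and no check
            // against $_SESSION['openid']['server'] is visible here - confirm that
            // buildRequest()/doRedirect() constrain the redirect destination.
            $url = URLBuilder::buildRequest('setup', $_REQUEST['openid_user_setup_url'], $_SESSION['openid']['delegate'], $_SESSION['openid']['identity'], URLBuilder::getCurrentURL(), $handle);
            URLBuilder::doRedirect($url);
        }
        return;
    }

    // Strict comparison: with != PHP compares numeric-looking strings by value
    // and treats '' as equal to null, so an empty identity would match a
    // missing session delegate. An identity check must be exact.
    if ($_REQUEST['openid_identity'] !== $_SESSION['openid']['delegate']) {
        // NOTE(review): the message embeds a request value; confirm that
        // openid_error() encodes it for whatever context it is rendered in.
        openid_error('diffid', 'Identity provider validated wrong identity. Expected it to ' . 'validate ' . $_SESSION['openid']['delegate'] . ' but it ' . 'validated ' . $_REQUEST['openid_identity']);
        return;
    }

    if (!$valid) {
        $dumbauth = true;
        if (KEYMANAGER) {
            try {
                $valid = KeyManager::authenticate($_SESSION['openid']['server'], $_REQUEST);
                $dumbauth = false;
            } catch (Exception $ex) {
                // Deliberate best effort: any failure of the association path
                // falls through to direct verification below. The exception is
                // dropped without a trace; consider logging it so repeated
                // association failures are visible to operators.
            }
        }
        if ($dumbauth) {
            $valid = KeyManager::dumbAuthenticate();
        }
    }

    $_SESSION['openid']['validated'] = $valid;
    if (!$valid) {
        openid_error('noauth', 'Provider didn\'t authenticate response');
        return;
    }

    // NOTE(review): no return_to or replay check is visible in this function;
    // presumably handled by KeyManager or the caller - confirm.
    parseSRegResponse();
    URLBuilder::redirect();
}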
Ejemplo n.º 2
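/**
 * Processes a positive authentication response.
 *
 * In order: checks the return_to value with URLBuilder::isValidReturnToURL(),
 * matches the asserted identifier against the claimed ID / OP-local ID held in
 * the session (running discovery when the session asked for identifier_select),
 * verifies the response (association first, direct verification as a
 * fallback), records the result in $_SESSION['openid']['validated'], and on
 * success calls Processor::callHandlers() and URLBuilder::redirect().
 *
 * Every failure path returns right after reporting the error. error() is
 * defined elsewhere and whether it terminates the request is not visible
 * here, so this function does not rely on it to keep a rejected response
 * away from the "validated" session flag, the handlers or the redirect.
 *
 * @param Boolean $valid True if the request has already been authenticated.
 *                       This is trusted as given; callers must only pass true
 *                       after a real verification.
 */
function processPositiveResponse($valid)
{
    // NOTE(review): request values go to the logger as-is; confirm that
    // Logger::log() neutralises line breaks so entries cannot be forged.
    Logger::log('Positive response: identity = %s, expected = %s', $_REQUEST['openid_identity'], $_SESSION['openid']['claimedId']);

    if (!URLBuilder::isValidReturnToURL($_REQUEST['openid_return_to'])) {
        Logger::log('Return_to check failed: %s, URL: %s', $_REQUEST['openid_return_to'], URLBuilder::getCurrentURL(true));
        // NOTE(review): the message embeds a request value; confirm that
        // error() encodes it for whatever context it is rendered in.
        error('diffreturnto', 'The identity provider stated return URL was ' . $_REQUEST['openid_return_to'] . ' but it actually seems to be ' . URLBuilder::getCurrentURL());
        return;
    }

    // openid_claimed_id takes precedence; openid_identity is the fallback.
    $id = $_REQUEST[isset($_REQUEST['openid_claimed_id']) ? 'openid_claimed_id' : 'openid_identity'];

    $matchesSession = URLBuilder::isSameURL($id, $_SESSION['openid']['claimedId'])
        || URLBuilder::isSameURL($id, $_SESSION['openid']['opLocalId']);

    if (!$matchesSession) {
        // Strict comparison: this decides whether the OP may pick the
        // identifier, so it must only match the exact sentinel string.
        if ($_SESSION['openid']['claimedId'] !== 'http://specs.openid.net/auth/2.0/identifier_select') {
            error('diffid', 'Identity provider validated wrong identity. Expected it to ' . 'validate ' . $_SESSION['openid']['claimedId'] . ' but it ' . 'validated ' . $id);
            return;
        }

        // The OP chose the identifier, so discovery must confirm that this
        // identifier really delegates to the endpoint we talked to.
        // NOTE(review): Discoverer is handed a request-supplied identifier
        // (null when openid_claimed_id is absent) and presumably fetches it -
        // confirm it restricts schemes and internal destinations.
        $disc = new Discoverer($_REQUEST['openid_claimed_id'], false);
        if (!$disc->hasServer($_SESSION['openid']['endpointUrl'])) {
            error('diffid', 'The OP at ' . $_SESSION['openid']['endpointUrl'] . ' is attmpting to claim ' . $_REQUEST['openid_claimed_id'] . ' but ' . ($disc->getEndpointUrl() == null ? 'that isn\'t a valid identifier' : 'that identifier only authorises ' . $disc->getEndpointUrl()));
            return;
        }

        // NOTE(review): opLocalId receives openid_claimed_id while identity
        // receives openid_identity; this looks swapped relative to the key
        // names - verify against the code that reads these session keys.
        $_SESSION['openid']['identity'] = $_REQUEST['openid_identity'];
        $_SESSION['openid']['opLocalId'] = $_REQUEST['openid_claimed_id'];
    }

    resetRequests(true);

    if (!$valid) {
        $dumbauth = true;
        if (KEYMANAGER) {
            try {
                Logger::log('Attempting to authenticate using association...');
                $valid = KeyManager::authenticate($_SESSION['openid']['endpointUrl'], $_REQUEST);
                $dumbauth = false;
            } catch (Exception $ex) {
                // Deliberate best effort: any failure of the association path
                // falls through to direct verification below. The exception is
                // dropped without a trace; consider logging it so repeated
                // association failures are visible to operators.
            }
        }
        if ($dumbauth) {
            Logger::log('Attempting to authenticate using dumb auth...');
            $valid = KeyManager::dumbAuthenticate();
        }
    }

    $_SESSION['openid']['validated'] = $valid;
    if (!$valid) {
        Logger::log('Validation failed!');
        error('noauth', 'Provider didn\'t authenticate response');
        return;
    }

    // NOTE(review): no response-nonce / replay check is visible in this
    // function; presumably handled inside KeyManager - confirm.
    Processor::callHandlers();
    URLBuilder::redirect();
}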