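/**
 * Answer an OpenID `check_authentication` request (the last step in dumb mode).
 *
 * Looks the association handle up in the internal store, recomputes the
 * signature over the fields listed in `signed` (with `openid.mode` set back
 * to `id_res`) and reports whether it matches the submitted `sig`.
 *
 * @param object $req Request wrapper; read here through get() and its args array.
 * @return mixed The error page when no association is found, otherwise the
 *               response page built from the key-value form of the reply.
 */
function do_check_authentication($req)
{
    $handle = $req->get('assoc_handle');

    $assoc = $this->istore->lookup($handle, 'HMAC-SHA1');
    if (!$assoc) {
        // The Python original formatted the handle with '%r'. That is not a PHP
        // sprintf conversion, so the handle never reached the message (and newer
        // PHP versions reject the format string); '%s' is the PHP equivalent.
        // NOTE(review): $handle is caller-supplied. Confirm that _error_page()
        // escapes it for whatever output context it renders into.
        $error = sprintf('no secret found for %s', $handle);
        return OpenIDServer::_error_page($error);
    }

    $reply = array();
    $is_valid = 'false';

    if ($assoc->get_expires_in() > 0) {
        // Rebuild the message that was originally signed: same arguments,
        // but with the mode the id_res response carried.
        $token = $req->args;
        $token['openid.mode'] = 'id_res';
        $signed_fields = explode(',', trim($req->get('signed')));
        list($ignore, $v_sig) = oidUtil::sign_reply($token, $assoc->secret, $signed_fields);

        // The signature is a MAC over attacker-visible data. Compare it as a
        // string and in constant time: loose '==' applies PHP type juggling
        // (numeric-looking strings compare as numbers) and leaks timing.
        // hash_equals() needs PHP 5.6+, so fall back to strict '===' before that.
        $given_sig = $req->get('sig');
        $sig_ok = is_string($given_sig) && is_string($v_sig)
            && (function_exists('hash_equals')
                ? hash_equals($v_sig, $given_sig)
                : $v_sig === $given_sig);

        if ($sig_ok) {
            $is_valid = 'true';
            // NOTE(review): a successful check leaves the handle in the store;
            // only expired handles are removed below. Confirm that replay of
            // the same check_authentication request is prevented elsewhere.

            // If an invalidate_handle is present, echo it back only when the
            // external store no longer knows it.
            $invalidate_handle = $req->get('invalidate_handle');
            if ($invalidate_handle && !$this->estore->lookup($invalidate_handle, 'HMAC-SHA1')) {
                $reply['invalidate_handle'] = $invalidate_handle;
            }
        }
    } else {
        // Expired association: drop it and answer "not valid".
        $this->istore->remove($handle);
    }

    $reply['is_valid'] = $is_valid;
    return response_page(oidUtil::kvform($reply));
}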
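/**
 * Process an `id_res` response and decide what kind of login result it is.
 *
 * Order of checks: return_to verification, user_setup_url, association
 * lookup (falling back to a check_authentication round trip when there is
 * none), signature verification, then identity verification.
 *
 * @param object $req Request wrapper; read here through get(), its args
 *                    array and its openid property.
 * @return mixed InvalidLogin, UserSetupNeeded, CheckAuthRequired or ValidLogin.
 */
function do_id_res($req)
{
    if (!$this->verify_return_to($req->get('return_to'))) {
        return new InvalidLogin();
    }

    $user_setup_url = $req->get('user_setup_url');
    if ($user_setup_url) {
        return new UserSetupNeeded($user_setup_url);
    }

    $server_url = $this->determine_server_url($req);
    $assoc = $this->assoc_mngr->get_association($server_url, $req->get('assoc_handle'));

    if (!$assoc) {
        // No matching association, so this is treated as dumb mode: forward
        // every openid.* argument to the server as a check_authentication request.
        $check_args = array();
        foreach ($req->args as $k => $v) {
            if (oidUtil::startsWith($k, 'openid.')) {
                $check_args[$k] = $v;
            }
        }
        $check_args['openid.mode'] = 'check_authentication';
        $post_data = http_build_query($check_args);
        return new CheckAuthRequired($server_url, $req->get('return_to'), $post_data);
    }

    // Check the signature over the fields the response claims were signed.
    // NOTE(review): nothing in this method checks that 'identity' and
    // 'return_to' are in the signed list, although both values are trusted
    // afterwards. Confirm that sign_reply() or verifyIdentity() enforces
    // this; if not, it needs an explicit check here.
    $sig = $req->get('sig');
    $signed_fields = explode(',', trim($req->get('signed')));
    list($_signed, $v_sig) = oidUtil::sign_reply($req->args, $assoc->secret, $signed_fields);

    // Compare the MAC as a string and in constant time: loose '!=' applies PHP
    // type juggling (numeric-looking strings compare as numbers) and leaks timing.
    // hash_equals() needs PHP 5.6+, so fall back to strict '===' before that.
    $sig_ok = is_string($sig) && is_string($v_sig)
        && (function_exists('hash_equals')
            ? hash_equals($v_sig, $sig)
            : $v_sig === $sig);
    if (!$sig_ok) {
        return new InvalidLogin();
    }

    $vl = new ValidLogin($this, $req->get('identity'));
    if ($vl->verifyIdentity($req->openid)) {
        return $vl;
    }

    return new InvalidLogin();
}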