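/**
 * Processes a positive authentication response (an OpenID id_res with an
 * identity assertion).
 *
 * Order of checks: the response must have come back to the return_to URL we
 * sent the OP; the identifier it asserts must be the one this session asked
 * it to verify (or, for identifier_select, one that discovery says this OP is
 * authorised to assert); and finally the signature is verified, first via the
 * stored association and otherwise via dumb-mode check_authentication.
 *
 * Any failure is reported through error(), which is assumed to terminate the
 * request (not verified here — if it returns, the session still holds an
 * unvalidated identity with 'validated' set to false).
 *
 * @param Boolean $valid True if the request has already been authenticated
 *                       (skips the signature step entirely — callers must only
 *                       pass true for a response they have verified themselves)
 */
function processPositiveResponse($valid)
{
    // Read each request field once; a missing field becomes null instead of
    // an undefined-index notice, which is what the old direct reads produced.
    $returnTo = isset($_REQUEST['openid_return_to']) ? $_REQUEST['openid_return_to'] : null;
    $claimedId = isset($_REQUEST['openid_claimed_id']) ? $_REQUEST['openid_claimed_id'] : null;
    $identity = isset($_REQUEST['openid_identity']) ? $_REQUEST['openid_identity'] : null;

    Logger::log('Positive response: identity = %s, expected = %s', $identity, $_SESSION['openid']['claimedId']);

    // A response addressed to a different return_to was either crafted for, or
    // replayed from, some other request and must not be accepted.
    if (!URLBuilder::isValidReturnToURL($returnTo)) {
        Logger::log('Return_to check failed: %s, URL: %s', $returnTo, URLBuilder::getCurrentURL(true));
        error('diffreturnto', 'The identity provider stated return URL was ' . $returnTo . ' but it actually seems to be ' . URLBuilder::getCurrentURL());
    }

    // OpenID 2.0 responses carry claimed_id; older ones only carry identity.
    $id = $claimedId !== null ? $claimedId : $identity;

    if (!URLBuilder::isSameURL($id, $_SESSION['openid']['claimedId'])
        && !URLBuilder::isSameURL($id, $_SESSION['openid']['opLocalId'])) {
        if ($_SESSION['openid']['claimedId'] === 'http://specs.openid.net/auth/2.0/identifier_select') {
            // We let the OP choose the identifier, so it may legitimately differ
            // from what the session recorded. Fail closed if the OP did not say
            // which identifier it chose: there is nothing to run discovery on.
            if ($claimedId === null) {
                error('diffid', 'The OP at ' . $_SESSION['openid']['endpointUrl'] . ' is attempting to claim an identifier but did not say which one');
            }

            // Discovery on the asserted identifier must name this OP's endpoint;
            // otherwise any OP could assert any identifier.
            $disc = new Discoverer($claimedId, false);
            if ($disc->hasServer($_SESSION['openid']['endpointUrl'])) {
                // NOTE(review): openid_identity (the OP-local identifier) is
                // stored without being compared to what discovery returned for
                // this claimed_id — confirm whether Discoverer exposes it and
                // check it here if so.
                // NOTE(review): these session writes happen before the signature
                // is verified below; they are harmless only if error() never
                // returns on failure — confirm.
                $_SESSION['openid']['identity'] = $identity;
                $_SESSION['openid']['opLocalId'] = $claimedId;
            } else {
                $reason = $disc->getEndpointUrl() == null
                    ? 'that isn\'t a valid identifier'
                    : 'that identifier only authorises ' . $disc->getEndpointUrl();
                error('diffid', 'The OP at ' . $_SESSION['openid']['endpointUrl'] . ' is attempting to claim ' . $claimedId . ' but ' . $reason);
            }
        } else {
            error('diffid', 'Identity provider validated wrong identity. Expected it to validate ' . $_SESSION['openid']['claimedId'] . ' but it validated ' . $id);
        }
    }

    resetRequests(true);

    if (!$valid) {
        $dumbauth = true;
        if (KEYMANAGER) {
            try {
                Logger::log('Attempting to authenticate using association...');
                $valid = KeyManager::authenticate($_SESSION['openid']['endpointUrl'], $_REQUEST);
                // An association was available and gave a definite answer. A
                // false here is a bad signature and is deliberately NOT retried
                // in dumb mode; only the absence of a usable association is.
                $dumbauth = false;
            } catch (Exception $ex) {
                // No usable association: fall through to dumb-mode
                // check_authentication with the OP.
            }
        }
        if ($dumbauth) {
            Logger::log('Attempting to authenticate using dumb auth...');
            $valid = KeyManager::dumbAuthenticate();
        }
    }

    // NOTE(review): no replay protection (response nonce) is visible in this
    // function; presumably KeyManager covers it — verify.
    $_SESSION['openid']['validated'] = $valid;
    if (!$valid) {
        Logger::log('Validation failed!');
        error('noauth', 'Provider didn\'t authenticate response');
    }

    Processor::callHandlers();
    URLBuilder::redirect();
}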
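/**
 * Processes id_res requests (OpenID 1.x style responses).
 *
 * With openid_identity present this is a positive assertion: the identity
 * must be exactly the delegate recorded for this session, and the signature
 * is verified via the stored association or, failing that, dumb-mode
 * check_authentication. Without it the OP is asking for user interaction and
 * we follow openid_user_setup_url unless immediate mode was requested.
 *
 * Failures are reported through openid_error(), which is assumed to terminate
 * the request (not verified here).
 *
 * NOTE(review): unlike the 2.0 path, this function does not check that the
 * response came back to the expected return_to URL, and no replay (nonce)
 * check is visible here — confirm KeyManager or the caller covers both.
 *
 * @param Boolean $valid True if the request has already been authenticated
 *                       (skips the signature step; callers must only pass true
 *                       for a response they have verified themselves)
 */
function processIdRes($valid)
{
    if (!isset($_REQUEST['openid_identity'])) {
        // Negative/setup-needed response: no identity to verify.
        if (isset($_REQUEST['openid_user_setup_url'])) {
            if (defined('OPENID_IMMEDIATE') && OPENID_IMMEDIATE) {
                openid_error('noimmediate', 'Couldn\'t perform immediate auth');
            }
            // NOTE(review): openid_user_setup_url comes from an unsigned
            // response and is followed by redirect. If this endpoint is
            // reachable with a forged id_res it is an open-redirect vector —
            // confirm URLBuilder::buildRequest/doRedirect constrain the target.
            $handle = getHandle($_SESSION['openid']['server']);
            $url = URLBuilder::buildRequest(
                'setup',
                $_REQUEST['openid_user_setup_url'],
                $_SESSION['openid']['delegate'],
                $_SESSION['openid']['identity'],
                URLBuilder::getCurrentURL(),
                $handle
            );
            URLBuilder::doRedirect($url);
        }
        return;
    }

    // Strict comparison: the asserted identity must be byte-for-byte the
    // delegate we asked the OP to verify. Loose != would treat numeric-looking
    // strings as equal by value.
    if ($_REQUEST['openid_identity'] !== $_SESSION['openid']['delegate']) {
        openid_error('diffid', 'Identity provider validated wrong identity. Expected it to validate ' . $_SESSION['openid']['delegate'] . ' but it validated ' . $_REQUEST['openid_identity']);
    }

    if (!$valid) {
        $dumbauth = true;
        if (KEYMANAGER) {
            try {
                $valid = KeyManager::authenticate($_SESSION['openid']['server'], $_REQUEST);
                // A definite answer from the association. A bad signature
                // (false) is deliberately not retried in dumb mode; only the
                // absence of a usable association is.
                $dumbauth = false;
            } catch (Exception $ex) {
                // No usable association: fall back to dumb-mode
                // check_authentication with the OP.
            }
        }
        if ($dumbauth) {
            $valid = KeyManager::dumbAuthenticate();
        }
    }

    $_SESSION['openid']['validated'] = $valid;
    if (!$valid) {
        openid_error('noauth', 'Provider didn\'t authenticate response');
    }

    parseSRegResponse();
    URLBuilder::redirect();
}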
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ session_start(); require '../../urlbuilder.inc.php'; if (isset($_GET['cs'])) { unset($_SESSION['openid']); header('Location: ' . $_SERVER['SCRIPT_NAME']); exit; } $_SESSION['trustroot'] = URLBuilder::getCurrentURL(); if (isset($_POST['openid_url']) || isset($_REQUEST['openid_mode'])) { // Proxy for non-JS users require '../../processor.php'; } else { ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <title>OpenID consumer demonstration</title> <style type="text/css"> input#openid_url { background: url('../../openid.gif') no-repeat; padding-left: 20px; } div { margin: 20px; padding: 5px; }