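/**
 * Processes a positive authentication response.
 *
 * Steps, in order:
 *  1. Checks the return_to value in the response with
 *     URLBuilder::isValidReturnToURL().
 *  2. Checks that the asserted identifier (openid_claimed_id, falling back to
 *     openid_identity) matches the claimed or OP-local identifier held in the
 *     session. If the session asked for identifier_select, the claimed
 *     identifier is instead accepted only when discovery on it lists the
 *     session's endpoint.
 *  3. Unless $valid is already true, verifies the response through KeyManager:
 *     by association when KEYMANAGER is enabled, otherwise (or when that
 *     throws) by dumb auth.
 *  4. Stores the outcome in $_SESSION['openid']['validated'], then runs the
 *     handlers and redirects.
 *
 * Every failure path calls error() and then returns, so nothing after a failed
 * check runs even if error() were to return (presumably it ends the request;
 * confirm against its definition).
 *
 * NOTE(review): no openid.response_nonce check is visible in this function;
 * confirm replay protection is handled in KeyManager or by the caller.
 * NOTE(review): request parameters are concatenated into the messages passed
 * to error(); confirm error() escapes them for its output context.
 *
 * @param bool $valid True if the request has already been authenticated
 */
function processPositiveResponse($valid) {
    Logger::log('Positive response: identity = %s, expected = %s',
        $_REQUEST['openid_identity'], $_SESSION['openid']['claimedId']);

    if (!URLBuilder::isValidReturnToURL($_REQUEST['openid_return_to'])) {
        Logger::log('Return_to check failed: %s, URL: %s',
            $_REQUEST['openid_return_to'], URLBuilder::getCurrentURL(true));
        error('diffreturnto', 'The identity provider stated return URL was '
            . $_REQUEST['openid_return_to'] . ' but it actually seems to be '
            . URLBuilder::getCurrentURL());
        return;
    }

    // Prefer the claimed identifier; fall back to openid_identity when the
    // response carries no openid_claimed_id.
    $id = $_REQUEST[isset($_REQUEST['openid_claimed_id']) ? 'openid_claimed_id' : 'openid_identity'];

    if (!URLBuilder::isSameURL($id, $_SESSION['openid']['claimedId'])
        && !URLBuilder::isSameURL($id, $_SESSION['openid']['opLocalId'])) {

        if ($_SESSION['openid']['claimedId'] == 'http://specs.openid.net/auth/2.0/identifier_select') {
            // The provider chose the identifier, so there is nothing in the
            // session to compare it with. Accept it only if discovery on the
            // claimed identifier lists the endpoint this session talked to.
            // NOTE(review): openid_claimed_id is read here without the isset()
            // fallback used for $id above.
            $disc = new Discoverer($_REQUEST['openid_claimed_id'], false);

            if ($disc->hasServer($_SESSION['openid']['endpointUrl'])) {
                // These values come from the request and are stored before the
                // response has been verified below; consumers of the session
                // should only trust them once 'validated' is true.
                $_SESSION['openid']['identity'] = $_REQUEST['openid_identity'];
                $_SESSION['openid']['opLocalId'] = $_REQUEST['openid_claimed_id'];
            } else {
                error('diffid', 'The OP at ' . $_SESSION['openid']['endpointUrl']
                    . ' is attmpting to claim ' . $_REQUEST['openid_claimed_id'] . ' but '
                    . ($disc->getEndpointUrl() == null ? 'that isn\'t a valid identifier'
                        : 'that identifier only authorises ' . $disc->getEndpointUrl()));
                return;
            }
        } else {
            error('diffid', 'Identity provider validated wrong identity. Expected it to '
                . 'validate ' . $_SESSION['openid']['claimedId'] . ' but it '
                . 'validated ' . $id);
            return;
        }
    }

    // Defined elsewhere; its effect is not visible from this function.
    resetRequests(true);

    if (!$valid) {
        $dumbauth = true;

        if (KEYMANAGER) {
            try {
                Logger::log('Attempting to authenticate using association...');
                $valid = KeyManager::authenticate($_SESSION['openid']['endpointUrl'], $_REQUEST);
                $dumbauth = false;
            } catch (Exception $ex) {
                // Best effort: fall through to dumb auth, but record why the
                // association path failed so the downgrade shows up in logs.
                Logger::log('Association authentication failed, falling back to dumb auth: %s',
                    $ex->getMessage());
            }
        }

        if ($dumbauth) {
            Logger::log('Attempting to authenticate using dumb auth...');
            $valid = KeyManager::dumbAuthenticate();
        }
    }

    $_SESSION['openid']['validated'] = $valid;

    if (!$valid) {
        Logger::log('Validation failed!');
        error('noauth', 'Provider didn\'t authenticate response');
        // Never reach the handlers or the redirect with an unverified response.
        return;
    }

    Processor::callHandlers();
    URLBuilder::redirect();
}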