public function prepareResponse(OpenIdRequest $request, OpenIdResponse $response, ResponseContext $context)
{
try {
$simple_reg_request = new OpenIdSREGRequest($request->getMessage());
if (!$simple_reg_request->isValid()) {
return;
}
$response->addParam(self::paramNamespace(), self::NamespaceUrl);
$attributes = $simple_reg_request->getRequiredAttributes();
$opt_attributes = $simple_reg_request->getOptionalAttributes();
$attributes = array_merge($attributes, $opt_attributes);
$user = $this->auth_service->getCurrentUser();
foreach ($attributes as $attr => $value) {
$context->addSignParam(self::param($attr));
if ($attr == self::Email) {
$response->addParam(self::param($attr), $user->getEmail());
}
if ($attr == self::Country) {
$response->addParam(self::param($attr), $user->getCountry());
}
if ($attr == self::Nickname || $attr == self::FullName) {
$response->addParam(self::param($attr), $user->getFullName());
}
if ($attr == self::Language) {
$response->addParam(self::param($attr), $user->getLanguage());
}
}
} catch (Exception $ex) {
$this->log_service->error($ex);
}
}
/**
* @param ResponseContext $context
* @param $macAlg
* @param $secret
* @param OpenIdPositiveAssertionResponse $response
*/
public static function build(ResponseContext $context, $macAlg, $secret, OpenIdPositiveAssertionResponse &$response)
{
//do signing ...
$signed = '';
$data = '';
$params = $context->getSignParams();
foreach ($params as $key) {
if (strpos($key, 'openid.') == 0) {
$val = $response[$key];
$key = substr($key, strlen('openid.'));
if (!empty($signed)) {
$signed .= ',';
}
$signed .= $key;
$data .= $key . ':' . $val . "\n";
}
}
$signed .= ',signed';
$data .= 'signed:' . $signed . "\n";
$sig = base64_encode(OpenIdCryptoHelper::computeHMAC($macAlg, $data, $secret));
$response->setSigned($signed);
$response->setSig($sig);
}
public function prepareResponse(OpenIdRequest $request, OpenIdResponse $response, ResponseContext $context)
{
try {
$ax_request = new OpenIdAXRequest($request->getMessage());
if (!$ax_request->isValid()) {
return;
}
$response->addParam(self::paramNamespace(), self::NamespaceUrl);
$response->addParam(self::param(self::Mode), self::FetchResponse);
$context->addSignParam(self::param(self::Mode));
$attributes = $ax_request->getRequiredAttributes();
$user = $this->auth_service->getCurrentUser();
foreach ($attributes as $attr) {
$response->addParam(self::param(self::Type) . "." . $attr, self::$available_properties[$attr]);
$context->addSignParam(self::param(self::Type) . "." . $attr);
$context->addSignParam(self::param(self::Value) . "." . $attr);
if ($attr == "email") {
$response->addParam(self::param(self::Value) . "." . $attr, $user->getEmail());
}
if ($attr == "country") {
$response->addParam(self::param(self::Value) . "." . $attr, $user->getCountry());
}
if ($attr == "firstname") {
$response->addParam(self::param(self::Value) . "." . $attr, $user->getFirstName());
}
if ($attr == "lastname") {
$response->addParam(self::param(self::Value) . "." . $attr, $user->getLastName());
}
if ($attr == "language") {
$response->addParam(self::param(self::Value) . "." . $attr, $user->getLanguage());
}
}
} catch (Exception $ex) {
$this->log_service->error($ex);
}
}
/**
* Create Positive Identity Assertion
* implements http://openid.net/specs/openid-authentication-2_0.html#positive_assertions
* @return OpenIdPositiveAssertionResponse
* @throws InvalidAssociationTypeException
*/
private function doAssertion()
{
$currentUser = $this->auth_service->getCurrentUser();
$context = new ResponseContext();
//initial signature params
$context->addSignParam(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_OpEndpoint));
$context->addSignParam(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Realm));
$context->addSignParam(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo));
$context->addSignParam(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Nonce));
$context->addSignParam(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_AssocHandle));
$context->addSignParam(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ClaimedId));
$context->addSignParam(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Identity));
$op_endpoint = $this->server_configuration_service->getOPEndpointURL();
$identity = $this->server_configuration_service->getUserIdentityEndpointURL($currentUser->getIdentifier());
$nonce = $this->nonce_service->generateNonce();
$realm = $this->current_request->getRealm();
$response = new OpenIdPositiveAssertionResponse($op_endpoint, $identity, $identity, $this->current_request->getReturnTo(), $nonce->getRawFormat(), $realm);
foreach ($this->extensions as $ext) {
$ext->prepareResponse($this->current_request, $response, $context);
}
//check former assoc handle...
if (is_null($assoc_handle = $this->current_request->getAssocHandle()) || is_null($association = $this->association_service->getAssociation($assoc_handle))) {
//create private association ...
$association = $this->association_service->addAssociation(AssociationFactory::getInstance()->buildPrivateAssociation($realm, $this->server_configuration_service->getConfigValue("Private.Association.Lifetime")));
$response->setAssocHandle($association->getHandle());
if (!empty($assoc_handle)) {
$response->setInvalidateHandle($assoc_handle);
}
} else {
if ($association->getType() != IAssociation::TypeSession) {
throw new InvalidAssociationTypeException(OpenIdErrorMessages::InvalidAssociationTypeMessage);
}
$response->setAssocHandle($assoc_handle);
}
//create signature ...
OpenIdSignatureBuilder::build($context, $association->getMacFunction(), $association->getSecret(), $response);
/*
* To prevent replay attacks, the OP MUST NOT issue more than one verification response for each
* authentication response it had previously issued. An authentication response and its matching
* verification request may be identified by their "openid.response_nonce" values.
* so associate $nonce with signature and realm
*/
$this->nonce_service->associateNonce($nonce, $response->getSig(), $realm);
//do cleaning ...
$this->memento_service->clearCurrentRequest();
$this->auth_service->clearUserAuthorizationResponse();
return $response;
}
/**
* @param OpenIdRequest $request
* @param OpenIdResponse $response
* @param ResponseContext $context
* @return mixed|void
*/
public function prepareResponse(OpenIdRequest $request, OpenIdResponse $response, ResponseContext $context)
{
try {
$oauth2_request = new OpenIdOAuth2Request($request->getMessage());
if (!$oauth2_request->isValid()) {
return;
}
//get auth code
$oauth2_msg = new OAuth2Message(array(OAuth2Protocol::OAuth2Protocol_ClientId => $oauth2_request->getClientId(), OAuth2Protocol::OAuth2Protocol_Scope => $oauth2_request->getScope(), OAuth2Protocol::OAuth2Protocol_RedirectUri => $request->getParam(OpenIdProtocol::OpenIDProtocol_ReturnTo), OAuth2Protocol::OAuth2Protocol_State => $oauth2_request->getState(), OAuth2Protocol::OAuth2Protocol_Approval_Prompt => $oauth2_request->getApprovalPrompt(), OAuth2Protocol::OAuth2Protocol_AccessType => $oauth2_request->getAccessType(), OAuth2Protocol::OAuth2Protocol_ResponseType => OAuth2Protocol::OAuth2Protocol_ResponseType_Code));
// do oauth2 Authorization Code Grant 1st step (get auth code to exchange for an access token)
// http://tools.ietf.org/html/rfc6749#section-4.1
$oauth2_response = $this->oauth2_protocol->authorize(new OAuth2AuthorizationRequest($oauth2_msg));
if (get_class($oauth2_response) == 'oauth2\\responses\\OAuth2AuthorizationResponse') {
//add namespace
$response->addParam(self::paramNamespace(), self::NamespaceUrl);
$context->addSignParam(self::paramNamespace());
//add auth code
$response->addParam(self::param(self::RequestToken), $oauth2_response->getAuthCode());
$context->addSignParam(self::param(self::RequestToken));
//add requested scope
$response->addParam(self::param(self::Scope), $oauth2_response->getScope());
$context->addSignParam(self::param(self::Scope));
//add state
$response->addParam(self::param(self::State), $oauth2_request->getState());
$context->addSignParam(self::param(self::State));
}
} catch (Exception $ex) {
$this->log_service->error($ex);
$this->checkpoint_service->trackException($ex);
//http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#AuthResp
/*
* To note that the OAuth Authorization was declined or not valid, the Combined Provider SHALL only
* respond with the parameter "openid.ns.oauth".
*/
//add namespace
$response->addParam(self::paramNamespace(), self::NamespaceUrl);
$context->addSignParam(self::paramNamespace());
}
}
