function check()
{
$this->config->load('openid');
$request_to = site_url($this->config->item('openid_request_to'));
$this->openid->set_request_to($request_to);
$response = $this->openid->getResponse();
switch ($response->status) {
case Auth_OpenID_CANCEL:
$data['msg'] = $this->lang->line('openid_cancel');
break;
case Auth_OpenID_FAILURE:
$data['error'] = $this->_set_message('openid_failure', $response->message);
break;
case Auth_OpenID_SUCCESS:
$openid = $response->getDisplayIdentifier();
$esc_identity = htmlspecialchars($openid, ENT_QUOTES);
$data['success'] = $this->_set_message('openid_success', array($esc_identity, $esc_identity), array('%s', '%t'));
if ($response->endpoint->canonicalID) {
$data['success'] .= $this->_set_message('openid_canonical', $response->endpoint->canonicalID);
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
foreach ($sreg as $key => $value) {
$data['success'] .= $this->_set_message('openid_content', array($key, $value), array('%s', '%t'));
}
$pape_resp = Auth_OpenID_PAPE_Response::fromSuccessResponse($response);
if ($pape_resp) {
if ($pape_resp->auth_policies) {
$data['success'] .= $this->lang->line('openid_pape_policies_affected');
foreach ($pape_resp->auth_policies as $uri) {
$data['success'] .= "<li><tt>{$uri}</tt></li>";
}
$data['success'] .= "</ul>";
} else {
$data['success'] .= $this->lang->line('openid_pape_not_affected');
}
if (isset($pape_resp->auth_age) && $pape_resp->auth_age) {
$data['success'] .= $this->_set_message('openid_auth_age', $pape_resp->auth_age);
}
if ($pape_resp->nist_auth_level) {
$data['success'] .= $this->_set_message('openid_nist_level', $pape_resp->nist_auth_level);
}
} else {
$data['success'] .= $this->lang->line('openid_pape_noresponse');
}
break;
}
$data['pape_policy_uris'] = array(PAPE_AUTH_MULTI_FACTOR_PHYSICAL, PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT);
// echo "nickname: $nickname";
// echo "esc_identity: $esc_identity";
$this->load->view('view_openid', $data);
}
/**
* Create an Auth_OpenID_PAPE_Response object from a successful
* OpenID library response.
*
* @param success_response $success_response A SuccessResponse
* from Auth_OpenID_Consumer::complete()
*
* @returns: A provider authentication policy response from the
* data that was supplied with the id_res response.
*/
static function fromSuccessResponse($success_response)
{
$obj = new Auth_OpenID_PAPE_Response();
// PAPE requires that the args be signed.
$args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI);
if ($args === null || $args === array()) {
return null;
}
$result = $obj->parseExtensionArgs($args);
if ($result === false) {
return null;
} else {
return $obj;
}
}
function run()
{
$consumer = getConsumer();
// Complete the authentication process using the server's
// response.
$return_to = getReturnTo();
$response = $consumer->complete($return_to);
// Check the response status.
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
$msg = 'Verification cancelled.';
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
$msg = "OpenID authentication failed: " . $response->message;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
$openid = $response->getDisplayIdentifier();
$esc_identity = escape($openid);
$google = strpos($openid, "google.com");
$success = sprintf('You have successfully verified ' . '<a href="%s">%s</a> as your identity.', $esc_identity, $esc_identity);
if ($response->endpoint->canonicalID) {
$escaped_canonicalID = escape($response->endpoint->canonicalID);
$success .= ' (XRI CanonicalID: ' . $escaped_canonicalID . ') ';
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
if (@$sreg['email']) {
$success .= " You also returned '" . escape($sreg['email']) . "' as your email.";
}
if (@$sreg['nickname']) {
$success .= " Your nickname is '" . escape($sreg['nickname']) . "'.";
}
if (@$sreg['fullname']) {
$success .= " Your fullname is '" . escape($sreg['fullname']) . "'.";
}
$pape_resp = Auth_OpenID_PAPE_Response::fromSuccessResponse($response);
if ($pape_resp) {
if ($pape_resp->auth_policies) {
$success .= "<p>The following PAPE policies affected the authentication:</p><ul>";
foreach ($pape_resp->auth_policies as $uri) {
$escaped_uri = escape($uri);
$success .= "<li><tt>{$escaped_uri}</tt></li>";
}
$success .= "</ul>";
} else {
$success .= "<p>No PAPE policies affected the authentication.</p>";
}
if ($pape_resp->auth_age) {
$age = escape($pape_resp->auth_age);
$success .= "<p>The authentication age returned by the " . "server is: <tt>" . $age . "</tt></p>";
}
if ($pape_resp->nist_auth_level) {
$auth_level = escape($pape_resp->nist_auth_level);
$success .= "<p>The NIST auth level returned by the " . "server is: <tt>" . $auth_level . "</tt></p>";
}
} else {
$success .= "<p>No PAPE response was sent by the provider.</p>";
}
}
}
}
include 'index.php';
}
$response_state = sprintf('OpenID authentication succeeded: <a href="%s">%s</a>', $openid, $openid);
echo "<h1>RESPONSE</h1>";
var_dump($response);
echo "<br /><br />";
if ($response->endpoint->canonicalID) {
$response_state .= '<br />XRI CanonicalID Included: ' . htmlentities($response->endpoint->canonicalID);
}
//display sreg return data if available
$response_sreg = Auth_OpenID_SRegResponse::fromSuccessResponse($response)->contents();
echo "<h1>SReg</h1>";
var_dump(Auth_OpenID_SRegResponse::fromSuccessResponse($response));
foreach ($response_sreg as $item => $value) {
$response_state .= "<br />SReg returned <b>{$item}</b> with the value: <b>{$value}</b>";
}
//display pape policy return data if available
$response_pape = Auth_OpenID_PAPE_Response::fromSuccessResponse($response);
if ($response_pape) {
//pape policies affected by authentication
if ($response_pape->auth_policies) {
$response_state .= "<br />PAPE returned policies which affected the authentication:";
foreach ($response_pape->auth_policies as $uri) {
$response_state .= '- ' . htmlentities($uri);
}
}
//server authentication age
if ($response_pape->auth_age) {
$response_state .= "<br />PAPE returned server authentication age with the value: " . htmlentities($response_pape->auth_age);
}
//nist authentication level
if ($response_pape->nist_auth_level) {
$response_state .= "<br />PAPE returned server NIST auth level with the value: " . htmlentities($response_pape->nist_auth_level);
function test_fromSuccessResponse()
{
$openid_req_msg = Auth_OpenID_Message::fromOpenIDArgs(array('mode' => 'id_res', 'ns' => Auth_OpenID_OPENID2_NS, 'ns.pape' => Auth_OpenID_PAPE_NS_URI, 'auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)), 'auth_time' => '2008-03-02T12:34:56Z'));
$signed_stuff = array('auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)), 'auth_time' => '2008-03-02T12:34:56Z');
$oid_req = new PAPE_DummySuccessResponse($openid_req_msg, $signed_stuff);
$req = Auth_OpenID_PAPE_Response::fromSuccessResponse($oid_req);
$this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT), $req->auth_policies);
$this->assertEquals('2008-03-02T12:34:56Z', $req->auth_time);
}
function run()
{
$consumer = getConsumer();
// Complete the authentication process using the server's
// response.
$return_to = getReturnTo();
$response = $consumer->complete($return_to);
// Check the response status.
if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled.
$msg = 'Verification cancelled.';
} else {
if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message.
$msg = "OpenID authentication failed: " . $response->message;
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
$openid = $response->getDisplayIdentifier();
$esc_identity = escape($openid);
$user = new OpenIDUser();
$user->id = escape($response->endpoint->claimed_id);
$success = sprintf('You have successfully verified ' . '<a href="%s">%s</a> as your identity.', $esc_identity, $esc_identity);
if ($response->endpoint->canonicalID) {
$escaped_canonicalID = escape($response->endpoint->canonicalID);
$success .= ' (XRI CanonicalID: ' . $escaped_canonicalID . ') ';
if (empty($user->id)) {
$user->id = $escaped_cononicalID;
}
}
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
$sreg = $sreg_resp->contents();
//use whichever one we find.
if (@$sreg['fullname'] && empty($user->name)) {
$user->name = escape($sreg['fullname']);
}
if (@$sreg['nickname'] && empty($user->name)) {
$user->name = escape($sreg['nickname']);
}
if (@$sreg['email'] && empty($user->name)) {
$user->name = escape($sreg['email']);
}
if (empty($user->name)) {
$user->name = 'Anonymous';
}
$pape_resp = Auth_OpenID_PAPE_Response::fromSuccessResponse($response);
if ($pape_resp) {
if ($pape_resp->auth_policies) {
$success .= "<p>The following PAPE policies affected the authentication:</p><ul>";
foreach ($pape_resp->auth_policies as $uri) {
$escaped_uri = escape($uri);
$success .= "<li><tt>{$escaped_uri}</tt></li>";
}
$success .= "</ul>";
} else {
$success .= "<p>No PAPE policies affected the authentication.</p>";
}
if ($pape_resp->auth_age) {
$age = escape($pape_resp->auth_age);
$success .= "<p>The authentication age returned by the " . "server is: <tt>" . $age . "</tt></p>";
}
if ($pape_resp->nist_auth_level) {
$auth_level = escape($pape_resp->nist_auth_level);
$success .= "<p>The NIST auth level returned by the " . "server is: <tt>" . $auth_level . "</tt></p>";
}
} else {
$success .= "<p>No PAPE response was sent by the provider.</p>";
}
}
}
}
if ($user != null) {
$_SESSION['user'] = serialize($user);
}
header('Location: /');
}
private function _processPape(Auth_OpenID_PAPE_Request $papeRequest, $response)
{
if (($image = $this->user->getImage()) && @$_COOKIE['image']) {
$cidSupportedPolicies = array(PAPE_AUTH_PHISHING_RESISTANT);
if ($RPPreferredTypes = $papeRequest->preferredTypes($cidSupportedPolicies)) {
$this->user->getLastLoginUtc();
$papeResponse = new Auth_OpenID_PAPE_Response($cidSupportedPolicies, $this->user->getLastLoginUtc());
$papeResponse->toMessage($response->fields);
}
}
}
public static function analyzeOpenidResponse($return_to, $server_url = "")
{
self::doIncludes();
$idData = $idData["data"] = array();
$_GET = $_REQUEST;
// Janrain bugfix (?)
// ------------------------------------------
// Assemble OpenId response, for debug purposes
//echo "<br>REQUEST=";debug::rrr();
//echo "<br>GET=";debug::rr($_GET);
unset($_SESSION["openid_response"]);
$txt = "";
foreach ($_GET as $key => $val) {
if (preg_match("/^openid_(.*)\$/", $key, $res)) {
$txt .= " openid." . str_replace("_", ".", $res[1]) . " = '" . $val . "'\r\n";
}
}
$_SESSION["openid_response"] = $txt;
// ------------------------------------------
// The second half of the process is done after the user's ID server sends
// the user's browser a redirect back to your site to complete their
// login.
//
// When that happens, the user will contact your site at the URL given
// as the 'return_to' URL to the Auth_OpenID_AuthRequest::redirectURL
// call made above. The request will have several query parameters
// added to the URL by the identity server as the information
// necessary to finish the request.
//if (OPENIDDEBUG) echo "<h3>IN analyzeOpenidResponse</h3>";
// ------------------------------------------
// (4) Instantiate an Auth_OpenID_Consumer instance as above
$AOstore = self::getStore();
// essentially: $AOstore = new Auth_OpenID_FileStore("/tmp");
$AOconsumer = new Auth_OpenID_Consumer($AOstore);
//new GApps_OpenID_Discovery($AOconsumer); // If want GoogleApps OP support
// ------------------------------------------
// (5) Call its 'complete' method of the Auth_OpenID_Consumer instance, passing
// in all the received query arguments from the server's response.
// The result $AOconsumerResponse is an instance of the Auth_OpenID_ConsumerResponse class
$AOconsumerResponse = $AOconsumer->complete($return_to);
/*
debug::rr($AOconsumerResponse);
echo gettype($_SESSION["_yadis_services__openid_consumer_"]);
echo gettype($_SESSION["_yadis_services__openid_consumer_"]["endpoint"]);
echo gettype($_SESSION["_yadis_services__openid_consumer_"]["_current"]);
var_dump($_SESSION["_yadis_services__openid_consumer_"]["_current"]->server_url);
if (isset($_SESSION["_yadis_services__openid_consumer_"]["endpoint"]["server_url"])) {
$server_url = $_SESSION["_yadis_services__openid_consumer_"]["endpoint"]["server_url"];
} else
if (isset($_SESSION["_yadis_services__openid_consumer_"]["_current"]->server_url)) {
$server_url = $_SESSION["_yadis_services__openid_consumer_"]["_current"]->server_url;
} else {
$server_url = "";
}
// $server_url =
*/
//echo "<br>getAssociation= [$server_url]";debug::rr($AOstore->getAssociation($server_url));
//echo "<br>_yadis_services__openid_consumer_ = ";debug::rr(unserialize($_SESSION["_yadis_services__openid_consumer_"]));
//echo "<br>_openid_consumer_last_token = ";debug::rr($_SESSION["_openid_consumer_last_token"]);
/*
Output from $AOstore->getAssociation($server_url):
Auth_OpenID_Association Object
(
[SIG_LENGTH] => 20
[assoc_keys] => Array
(
[0] => version
[1] => handle
[2] => secret
[3] => issued
[4] => lifetime
[5] => assoc_type
)
[_macs] => Array
(
[HMAC-SHA1] => Auth_OpenID_HMACSHA1
[HMAC-SHA256] => Auth_OpenID_HMACSHA256
)
[handle] => 24a50fd087db11e2b793002655277584
[secret] => �dc��GY,�Y�|��"
[issued] => 1362738606
[lifetime] => 86398
[assoc_type] => HMAC-SHA1
)
*/
// ------------------------------------------
// (6) There are multiple possible return types possible from that
// method. These indicate the whether or not the login was successful,
// and include any additional information appropriate for their type.
if ($AOconsumerResponse->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled
return "<strong>OpenID authentication was cancelled</strong>";
} else {
if ($AOconsumerResponse->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message
if (isset($_SESSION["openid_last_valid_identifier"])) {
unset($_SESSION["openid_last_valid_identifier"]);
}
$error_org = htmlspecialchars($AOconsumerResponse->message);
$error_public = "";
if (strpos($error_org, "Bad signature") !== false && strpos($error_org, "Nonce already") !== false) {
$error_public = "Please try again";
}
if (IS_TESTSERVER) {
$error = ":<br>" . $error_org . (!empty($error_public) ? " (" . $error_public . ")" : "");
} else {
$error = !empty($error_public) ? ":<br>" . $error_public : "";
}
// Panic error recovery
if (strpos($error_org, "Bad signature") !== false || strpos($error_org, "No mode set") !== false) {
//if (isset($_SESSION["openid_identifier"])) unset($_SESSION["openid_identifier"]); // NOP!
self::cleanStore();
//echo "clean";
}
return "<strong>OpenID authentication failed</strong>" . $error;
} else {
if ($AOconsumerResponse->status == Auth_OpenID_SUCCESS) {
// This means the authentication succeeded; extract the
// identity URL and Simple Registration data (if it was
// returned).
// ---------------------
// RETURN THE DISPLAY IDENTIFIER FOR THIS RESPONSE
//
// The display identifier is related to the Claimed Identifier, but the
// two are not always identical. The display identifier is something the
// user should recognize as what they entered, whereas the response's
// claimed identifier (in the identity_url attribute) may have extra
// information for better persistence.
//
// URLs will be stripped of their fragments for display. XRIs will
// display the human-readable identifier (i-name) instead of the
// persistent identifier (i-number).
//
// Use the display identifier in your user interface. Use
// identity_url for querying your database or authorization server.
$idData["display_identifyer"] = htmlentities($AOconsumerResponse->getDisplayIdentifier());
if (@$AOconsumerResponse->endpoint->canonicalID) {
$idData["xri_canonical_id"] = htmlentities($AOconsumerResponse->endpoint->canonicalID);
}
//TODO: fragile
if (!empty($idData["display_identifyer"])) {
$_SESSION["openid_last_valid_identifier"] = $idData["display_identifyer"];
}
// ---------------------
// ANALYZE SIMPLE REGISTRATION EXTENSIONS
//
// http://openid.net/specs/openid-simple-registration-extension-1_0.html
//
// This extension allows you to retrieve nine commonly requested pieces of
// information: nickname, email, fullname, dob (date of birth), gender, postcode,
// country, language, and timezone.
//
// Please be aware that some OpenID providers (for example, Google) don't support SReg.
$idData["sreg"] = array();
$AOsregResponse = Auth_OpenID_SRegResponse::fromSuccessResponse($AOconsumerResponse);
$sregArr = $AOsregResponse->contents();
if (is_array($sregArr)) {
foreach ($sregArr as $key => $val) {
$idData["sreg"][$key] = htmlentities($val);
$idData["data"][$key][] = htmlentities($val);
}
}
// ---------------------
// ANALYZE ATTRIBUTE EXCHANGE
//
// http://openid.net/specs/openid-attribute-exchange-1_0.html
//
// Attribute Exchange allows you to retrieve identity information from the OpenID provider,
// if supported. http://www.axschema.org/types contains a list with possible attribute names,
// though only a small subset is usually supported by the OpenID providers.
$idData["ax"] = array();
$AOaxResponse = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($AOconsumerResponse);
if ($AOaxResponse) {
$axArr = $AOaxResponse->data;
if (is_array($axArr)) {
foreach ($axArr as $key => $vals) {
foreach (array("axschema.org", "openid.net/schema", "schema.openid.net") as $schema) {
$key = str_replace("http://" . $schema . "/", "", $key);
}
$idData["ax"][$key] = array();
if (is_array($vals)) {
foreach ($vals as $val) {
$idData["ax"][$key][] = htmlentities($val);
}
}
}
}
if (!empty($idData["ax"]["namePerson/friendly"])) {
foreach ($idData["ax"]["namePerson/friendly"] as $value) {
$idData["data"]["nickname"][] = $value;
}
}
if (!empty($idData["ax"]["contact/internet/email"])) {
foreach ($idData["ax"]["contact/internet/email"] as $value) {
$idData["data"]["email"][] = $value;
}
}
//TODO: fragile
$fullname = (!empty($idData["ax"]["namePerson/prefix"][0]) ? $idData["ax"]["namePerson/prefix"][0] : "") . (!empty($idData["ax"]["namePerson/first"][0]) ? $idData["ax"]["namePerson/first"][0] : "") . (!empty($idData["ax"]["namePerson/middle"][0]) ? $idData["ax"]["namePerson/middle"][0] : "") . (!empty($idData["ax"]["namePerson/last"][0]) ? $idData["ax"]["namePerson/last"][0] : "") . (!empty($idData["ax"]["namePerson/suffix"][0]) ? $idData["ax"]["namePerson/suffix"][0] : "");
if (!empty($fullname)) {
$idData["data"]["fullname"][] = $fullname;
}
if (!empty($idData["ax"]["media/image"])) {
$idData["data"]["image"] = $idData["ax"]["media/image"];
}
if (!empty($idData["ax"]["person/guid"])) {
$idData["data"]["guid"] = $idData["ax"]["person/guid"];
}
if (!empty($idData["ax"]["birthDate/birthYear"][0]) && !empty($idData["ax"]["birthDate/birthMonth"][0]) && !empty($idData["ax"]["birthDate/birthday"][0])) {
$idData["data"]["dob"][] = $idData["ax"]["birthDate/birthYear"][0] . "-" . $idData["ax"]["birthDate/birthMonth"][0] . "-" . $idData["ax"]["birthDate/birthday"][0];
}
if (!empty($idData["ax"]["gender"])) {
foreach ($idData["ax"]["gender"] as $value) {
$idData["data"]["gender"][] = $value;
}
}
if (!empty($idData["ax"]["contact/postalcode/home"])) {
// There are other variants
foreach ($idData["ax"]["contact/postalcode/home"] as $value) {
$idData["data"]["postcode"][] = $value;
}
}
if (!empty($idData["ax"]["contact/country/home"])) {
// There are other variants
foreach ($idData["ax"]["contact/country/home"] as $value) {
$idData["data"]["country"][] = $value;
}
}
if (!empty($idData["ax"]["language/pref"])) {
foreach ($idData["ax"]["language/pref"] as $value) {
$idData["data"]["language"][] = $value;
}
}
if (!empty($idData["ax"]["timezone"])) {
foreach ($idData["ax"]["timezone"] as $value) {
$idData["data"]["timezone"][] = $value;
}
}
}
/*
// http://code.42dh.com/openid/
class UsersController extends AppController {
public $components = array('Openid');
public function login() {
$realm = 'http://'.$_SERVER['HTTP_HOST'];
$returnTo = $realm . '/users/login';
if ($this->request->isPost() && !$this->Openid->isOpenIDResponse()) {
$this->makeOpenIDRequest($this->data['OpenidUrl']['openid'], $returnTo, $realm);
} elseif ($this->Openid->isOpenIDResponse()) {
$this->handleOpenIDResponse($returnTo);
}
}
private function makeOpenIDRequest($openid, $returnTo, $realm) {
// some OpenID providers (e.g. MyOpenID) use 'schema.openid.net' instead of 'axschema.org'
$attributes[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson', 1, true, 'fullname');
$this->Openid->authenticate($openid, $returnTo, $realm, array('ax' => $attributes));
}
private function handleOpenIDResponse($returnTo) {
$AOconsumerResponse = $this->Openid->getResponse($returnTo);
if ($AOconsumerResponse->status == Auth_OpenID_SUCCESS) {
$axResponse = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($AOconsumerResponse);
if ($axResponse) {
debug($axResponse->get('http://axschema.org/namePerson'));
debug($axResponse->getSingle('http://axschema.org/namePerson'));
}
}
}
}
*/
// ---------------------
// ANALYZE PAPE EXTENSION
//
// http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html
$idData["pape"] = array();
// Create an Auth_OpenID_PAPE_Response object from a successful OpenID library response.
// Properties: ->auth_policies, ->auth_time, ->nist_auth_level
// Methods: ->getExtensionArgs(), ->fromSuccessResponse()
$AOpapeResponse = Auth_OpenID_PAPE_Response::fromSuccessResponse($AOconsumerResponse);
if ($AOpapeResponse) {
// One or more PAPE authentication policy URIs representing policies that the OP
// satisfied when authenticating the End User. If no policies were met though the
// OP wishes to convey other information in the response, this parameter is
// included with the value of http://schemas.openid.net/pape/policies/2007/06/none
//TODO: if policies have been requested but not used (value='none' or empty array), perhaps an error should be issued?
$pols = $AOpapeResponse->auth_policies;
$idData["pape"]["auth_policies"] = array();
// = "none";
if (is_array($pols)) {
if (count($pols) > 1 || isset($pols[0]) && !preg_match("#none\$#", $pols[0])) {
foreach ($AOpapeResponse->auth_policies as $uri) {
$idData["pape"]["auth_policies"][] = htmlentities($uri);
}
}
}
// The authentication age: the most recent timestamp when the End User has
// actively authenticated to the OP in a manner fitting the asserted policies.
// All times are in the UTC time zone, indicated with a "Z", and with no fractional seconds.
if (@$AOpapeResponse->auth_time) {
$idData["pape"]["auth_time"] = htmlentities($AOpapeResponse->auth_time);
}
// The NIST Assurance Level that corresponds to the authentication method and
// policies employed by the OP when authenticating the End User.
if (@$AOpapeResponse->nist_auth_level) {
$idData["pape"]["nist_auth_level"] = htmlentities($AOpapeResponse->nist_auth_level);
}
// [This fix somewhat duplicates the reading off of class properties above, but
// ensures that also "empty" values are captured.]
$arg = $AOpapeResponse->getExtensionArgs();
if (is_array($arg)) {
foreach ($arg as $key => $val) {
if (!isset($idData["pape"][$key])) {
if ($key == "auth_policies" && preg_match("#none\$#", $val)) {
$idData["pape"][$key] = array();
} else {
$idData["pape"][$key] = htmlentities($val);
}
}
}
}
}
// end pape
}
}
}
return $idData;
}