示例#1
文件: openid.php 项目: Ekleog/platal
 /**
  * Entry point for the OpenID endpoint: serves the discovery page for plain
  * (non-OpenID) requests and processes OpenID protocol messages otherwise.
  *
  * A positive assertion is only sent when the session is logged in AND
  * IsUserAuthorized() AND IsEndpointTrusted() all hold for S::user().
  *
  * @param mixed       $page  Page object, handed to RenderDiscoveryPage().
  * @param string|null $login Optional login, resolved with User::getSilent().
  *
  * @return mixed PL_DO_AUTH when a non-POSTed, non-immediate authorization
  *               request arrives without a logged-in session; nothing in the
  *               other paths (they render, answer, or redirect).
  */
 function handler_openid($page, $login = null)
 {
     $this->load('openid.inc.php');
     $profileOwner = User::getSilent($login);
     $openid = new OpenId();

     // Spec §4.1.2: a request without "openid.mode" SHOULD be treated as
     // not being an OpenId message at all.
     if (!$openid->IsOpenIdRequest()) {
         if ($profileOwner) {
             $openid->RenderDiscoveryPage($page, $profileOwner);
             return;
         }
         pl_redirect('Xorg/OpenId');
         // Backstop so nothing below runs for a non-OpenId request
         // (presumably pl_redirect already terminates -- confirm).
         exit;
     }

     // Build the OpenId environment from the incoming request.
     $openid->Initialize();

     if (!$openid->IsAuthorizationRequest()) {
         // Every mode other than 'checkid_immediate' / 'checkid_setup' is
         // simply delegated to the Server object.
         $openid->HandleRequest();
     } elseif (S::logged() && $openid->IsUserAuthorized(S::user()) && $openid->IsEndpointTrusted(S::user())) {
         // This is the only place a positive assertion is issued, and it is
         // gated on all three checks above.
         // NOTE(review): IsUserAuthorized() presumably ties the session user
         // to the identity named in the request -- confirm in openid.inc.php,
         // as this gate relies on it.
         //
         // TODO(vzanotti): SReg requests are currently not honored if
         // the website is already trusted. We may want to redirect SReg
         // requests to /openid/trust, to allow the user to choose.
         $openid->AnswerRequest(true);
     } elseif ($openid->IsImmediateRequest()) {
         // Immediate mode: no user interaction is possible, so refuse.
         $openid->AnswerRequest(false);
     } else {
         // The request cannot be approved yet. Either:
         //  * the endpoint is not trusted yet => send to openid/trust;
         //  * nobody is logged in => start the log in flow.
         //
         // A POSTed request needs an extra hop when nobody is logged in,
         // because the log in mechanism does not keep POST arguments.
         //
         // Redirect targets below are fixed literals; only the query string
         // comes from the request.
         // NOTE(review): the POST arguments end up in a URL here, so they
         // may show up in access logs; confirm the receiving handlers
         // re-validate them instead of trusting them as forwarded.
         $query = $openid->GetQueryStringForRequest();
         if (S::logged()) {
             pl_redirect('openid/trust', $query);
         } elseif (Post::has('openid_mode')) {
             pl_redirect('openid', $query);
         } else {
             return PL_DO_AUTH;
         }
     }

     // Every request should have been answered by now; fall back to a
     // safe page for anything that was not.
     pl_redirect('');
 }