/**
 * Entry point of the OpenID endpoint.
 *
 * Depending on the request, it serves the discovery page of a user, answers
 * an authorization request, or hands any other OpenID message over to the
 * OpenId server object.
 *
 * @param $page  Page object, passed on to RenderDiscoveryPage().
 * @param $login Optional login of the user whose discovery page is requested.
 * @return PL_DO_AUTH when a non-immediate authorization request arrives
 *         without a logged-in session and without a POSTed 'openid_mode';
 *         nothing otherwise.
 *
 * NOTE(review): besides the discovery-page and PL_DO_AUTH returns, no branch
 * returns explicitly. The flow presumably relies on AnswerRequest(),
 * HandleRequest() and pl_redirect() ending the request themselves; if one of
 * them returns, control reaches the final pl_redirect('') -- confirm.
 */
function handler_openid($page, $login = null)
{
    $this->load('openid.inc.php');
    // The falsy check below is the only use of the lookup result.
    $discoveryUser = User::getSilent($login);
    $provider = new OpenId();

    // Spec §4.1.2: without "openid.mode" the request SHOULD be treated as
    // something other than an OpenId message. Show the discovery page when a
    // user was found, else send the visitor to the documentation page.
    if (!$provider->IsOpenIdRequest()) {
        if ($discoveryUser) {
            $provider->RenderDiscoveryPage($page, $discoveryUser);
            return;
        }
        pl_redirect('Xorg/OpenId');
        exit;
    }

    // Build the OpenId environment from the incoming request.
    $provider->Initialize();

    if (!$provider->IsAuthorizationRequest()) {
        // Any message other than 'checkid_immediate' / 'checkid_setup' can be
        // forwarded to the server object as is.
        $provider->HandleRequest();
    } else {
        // For the two checkid modes the decision is ours: a positive answer
        // requires a logged-in session, a user allowed to use this identity,
        // and an endpoint that user already trusts. The checks short-circuit,
        // so S::user() is only read once S::logged() holds.
        $canAssertIdentity = S::logged()
            && $provider->IsUserAuthorized(S::user())
            && $provider->IsEndpointTrusted(S::user());

        if ($canAssertIdentity) {
            // TODO(vzanotti): SReg requests are currently not honored when
            // the website is already trusted. We may want to redirect SReg
            // requests to /openid/trust, to let the user choose.
            $provider->AnswerRequest(true);
        } elseif ($provider->IsImmediateRequest()) {
            // An immediate request that cannot be approved gets a negative
            // answer rather than any of the redirects below.
            $provider->AnswerRequest(false);
        } else {
            // The request cannot be approved yet, for one of two reasons:
            //   * the endpoint is not trusted yet => go to openid/trust;
            //   * nobody is logged in             => log the user in.
            //
            // The login mechanism does not preserve POST arguments, so a
            // POSTed request is first redirected back to 'openid' with its
            // arguments carried in $requestQuery.
            // NOTE(review): this moves the request parameters into the
            // redirect target; verify that GetQueryStringForRequest() only
            // forwards the OpenID fields of the request.
            $requestQuery = $provider->GetQueryStringForRequest();
            if (S::logged()) {
                pl_redirect('openid/trust', $requestQuery);
            } elseif (Post::has('openid_mode')) {
                pl_redirect('openid', $requestQuery);
            } else {
                return PL_DO_AUTH;
            }
        }
    }

    // Every request should have been answered by now; fall back to a safe
    // page for anything that was not.
    pl_redirect('');
}