|
@@ -67,20 +67,22 @@
|
67
|
67
|
$disc = tryDiscovery(OPENID_URL);
|
68
|
68
|
|
69
|
69
|
$_SESSION['openid'] = array(
|
70
|
|
- 'identity' => $disc->getIdentity(),
|
71
|
|
- 'delegate' => $disc->getDelegate(),
|
|
70
|
+ 'identity' => $disc->getClaimedId(),
|
|
71
|
+ 'claimedId' => $disc->getClaimedId(),
|
|
72
|
+ 'endpointUrl' => $disc->getEndpointUrl(),
|
|
73
|
+ 'opLocalId' => $disc->getOpLocalId(),
|
|
74
|
+ 'userSuppliedId' => $disc->getUserSuppliedId(),
|
72
|
75
|
'version' => $disc->getVersion(),
|
73
|
76
|
'validated' => false,
|
74
|
|
- 'server' => $disc->getServer(),
|
75
|
77
|
'nonce' => uniqid(microtime(true), true),
|
76
|
78
|
'requests' => $reqs,
|
77
|
79
|
);
|
78
|
80
|
|
79
|
|
- $handle = getHandle($disc->getServer());
|
|
81
|
+ $handle = getHandle($disc->getEndpointUrl());
|
80
|
82
|
|
81
|
83
|
$url = URLBuilder::buildRequest(defined('OPENID_IMMEDIATE') ? 'immediate' : 'setup',
|
82
|
|
- $disc->getServer(), $disc->getDelegate(),
|
83
|
|
- $disc->getIdentity(), URLBuilder::getCurrentURL(), $handle, $disc->getVersion());
|
|
84
|
+ $disc->getEndpointUrl(), $disc->getOpLocalId(),
|
|
85
|
+ $disc->getClaimedId(), URLBuilder::getCurrentURL(), $handle, $disc->getVersion());
|
84
|
86
|
|
85
|
87
|
URLBuilder::doRedirect($url);
|
86
|
88
|
} else if (isset($_REQUEST['openid_mode'])) {
|
|
@@ -167,7 +169,7 @@
|
167
|
169
|
try {
|
168
|
170
|
$disc = new Discoverer($url);
|
169
|
171
|
|
170
|
|
- if ($disc->getServer() == null) {
|
|
172
|
+ if ($disc->getEndpointUrl() == null) {
|
171
|
173
|
Logger::log('Couldn\'t perform discovery on %s', $url);
|
172
|
174
|
error('notvalid', 'Claimed identity is not a valid identifier');
|
173
|
175
|
}
|
|
@@ -224,10 +226,11 @@
|
224
|
226
|
$valid = false;
|
225
|
227
|
|
226
|
228
|
if (KEYMANAGER && isset($_REQUEST['openid_invalidate_handle'])) {
|
|
229
|
+ Logger::log('Request to invalidate handle received');
|
227
|
230
|
$valid = KeyManager::dumbAuth();
|
228
|
231
|
|
229
|
232
|
if ($valid) {
|
230
|
|
- KeyManager::removeKey($_SESSION['openid']['server'], $_REQUEST['openid_invalidate_handle']);
|
|
233
|
+ KeyManager::removeKey($_SESSION['openid']['endpointUrl'], $_REQUEST['openid_invalidate_handle']);
|
231
|
234
|
} else {
|
232
|
235
|
error('noauth', 'Provider didn\'t authenticate message');
|
233
|
236
|
}
|
|
@@ -258,11 +261,11 @@
|
258
|
261
|
error('noimmediate', 'Couldn\'t perform immediate auth');
|
259
|
262
|
}
|
260
|
263
|
|
261
|
|
- $handle = getHandle($_SESSION['openid']['server']);
|
|
264
|
+ $handle = getHandle($_SESSION['openid']['endpointUrl']);
|
262
|
265
|
|
263
|
266
|
$url = URLBuilder::buildRequest('setup', $_REQUEST['openid_user_setup_url'],
|
264
|
|
- $_SESSION['openid']['delegate'],
|
265
|
|
- $_SESSION['openid']['identity'],
|
|
267
|
+ $_SESSION['openid']['opLocalId'],
|
|
268
|
+ $_SESSION['openid']['claimedId'],
|
266
|
269
|
URLBuilder::getCurrentURL(), $handle);
|
267
|
270
|
|
268
|
271
|
URLBuilder::doRedirect($url);
|
|
@@ -274,32 +277,34 @@
|
274
|
277
|
* @param Boolean $valid True if the request has already been authenticated
|
275
|
278
|
*/
|
276
|
279
|
function processPositiveResponse($valid) {
|
277
|
|
- Logger::log('Positive response: identity = %s, expected = %s', $_REQUEST['openid_identity'], $_SESSION['openid']['identity']);
|
|
280
|
+ Logger::log('Positive response: identity = %s, expected = %s', $_REQUEST['openid_identity'], $_SESSION['openid']['claimedId']);
|
278
|
281
|
|
279
|
|
- if ($_REQUEST['openid_identity'] != $_SESSION['openid']['identity']) {
|
280
|
|
- if ($_SESSION['openid']['identity'] == 'http://specs.openid.net/auth/2.0/identifier_select') {
|
|
282
|
+ if ($_REQUEST['openid_identity'] != $_SESSION['openid']['claimedId']) {
|
|
283
|
+ if ($_SESSION['openid']['claimedId'] == 'http://specs.openid.net/auth/2.0/identifier_select') {
|
281
|
284
|
$disc = new Discoverer($_REQUEST['openid_claimed_id'], false);
|
282
|
|
-
|
283
|
|
- if ($disc->hasServer($_SESSION['openid']['server'])) {
|
|
285
|
+
|
|
286
|
+ if ($disc->hasServer($_SESSION['openid']['endpointUrl'])) {
|
284
|
287
|
$_SESSION['openid']['identity'] = $_REQUEST['openid_identity'];
|
285
|
|
- $_SESSION['openid']['delegate'] = $_REQUEST['openid_claimed_id'];
|
286
|
|
- resetRequests(true);
|
|
288
|
+ $_SESSION['openid']['opLocalId'] = $_REQUEST['openid_claimed_id'];
|
287
|
289
|
} else {
|
288
|
|
- error('diffid', 'The OP at ' . $_SESSION['openid']['server'] . ' is attmpting to claim ' . $_REQUEST['openid_claimed_id'] . ' but ' . ($disc->getServer() == null ? 'that isn\'t a valid identifier' : 'that identifier only authorises ' . $disc->getServer()));
|
|
290
|
+ error('diffid', 'The OP at ' . $_SESSION['openid']['endpointUrl'] . ' is attmpting to claim ' . $_REQUEST['openid_claimed_id'] . ' but ' . ($disc->getEndpointUrl() == null ? 'that isn\'t a valid identifier' : 'that identifier only authorises ' . $disc->getClaimedId()));
|
289
|
291
|
}
|
290
|
292
|
} else {
|
291
|
293
|
error('diffid', 'Identity provider validated wrong identity. Expected it to '
|
292
|
|
- . 'validate ' . $_SESSION['openid']['delegate'] . ' but it '
|
|
294
|
+ . 'validate ' . $_SESSION['openid']['opLocalId'] . ' but it '
|
293
|
295
|
. 'validated ' . $_REQUEST['openid_identity']);
|
294
|
296
|
}
|
295
|
297
|
}
|
296
|
298
|
|
|
299
|
+ resetRequests(true);
|
|
300
|
+
|
297
|
301
|
if (!$valid) {
|
298
|
302
|
$dumbauth = true;
|
299
|
303
|
|
300
|
304
|
if (KEYMANAGER) {
|
301
|
305
|
try {
|
302
|
|
- $valid = KeyManager::authenticate($_SESSION['openid']['server'], $_REQUEST);
|
|
306
|
+ Logger::log('Attempting to authenticate using association...');
|
|
307
|
+ $valid = KeyManager::authenticate($_SESSION['openid']['endpointUrl'], $_REQUEST);
|
303
|
308
|
$dumbauth = false;
|
304
|
309
|
} catch (Exception $ex) {
|
305
|
310
|
// Ignore it - try dumb auth
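Review bot: The rewritten `diffid` message at new line 290 prints `$disc->getClaimedId()` after "that identifier only authorises", while the null check beside it and the `hasServer()` test at new line 286 both use `$disc->getEndpointUrl()`; the old code showed `getServer()` on both sides, so the message now names the identifier instead of the endpoint it authorises — `'that identifier only authorises ' . $disc->getEndpointUrl()`. The identifier_select branch still accepts the OP-supplied `openid_identity` on the strength of `hasServer()` alone; since the Discoverer now exposes `getOpLocalId()`, consider also requiring `$_REQUEST['openid_identity']` to match the discovered OP-local identifier (or the claimed id when there is none) before it is stored in the session, and storing `$disc->getOpLocalId()` rather than the raw `openid_claimed_id` under `opLocalId` so the later "Expected it to validate" message at new line 294 reports what discovery actually returned. The comparisons at new lines 282, 283 and 290 (and line 172 in the earlier hunk) use loose `!=`/`==`; `!==`/`===` avoids PHP's numeric-string coercion on provider-supplied values. processPositiveResponse continues past the end of the hunk.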
|
|
@@ -307,6 +312,7 @@
|
307
|
312
|
}
|
308
|
313
|
|
309
|
314
|
if ($dumbauth) {
|
|
315
|
+ Logger::log('Attempting to authenticate using dumb auth...');
|
310
|
316
|
$valid = KeyManager::dumbAuthenticate();
|
311
|
317
|
}
|
312
|
318
|
}
|
|
@@ -314,7 +320,8 @@
|
314
|
320
|
$_SESSION['openid']['validated'] = $valid;
|
315
|
321
|
|
316
|
322
|
if (!$valid) {
|
317
|
|
- error('noauth', 'Provider didn\'t authenticate response');
|
|
323
|
+ Logger::log('Validation failed!');
|
|
324
|
+ error('noauth', 'Provider didn\'t authenticate response');
|
318
|
325
|
}
|
319
|
326
|
|
320
|
327
|
parseSRegResponse();
|