1185 lines
39 KiB
PHP
1185 lines
39 KiB
PHP
<?php
|
|
|
|
/**
|
|
* This module documents the main interface with the OpenID consumer
|
|
* library. The only part of the library which has to be used and
|
|
* isn't documented in full here is the store required to create an
|
|
* Auth_OpenID_Consumer instance. More on the abstract store type and
|
|
* concrete implementations of it that are provided in the
|
|
* documentation for the Auth_OpenID_Consumer constructor.
|
|
*
|
|
* OVERVIEW
|
|
*
|
|
* The OpenID identity verification process most commonly uses the
|
|
* following steps, as visible to the user of this library:
|
|
*
|
|
* 1. The user enters their OpenID into a field on the consumer's
|
|
* site, and hits a login button.
|
|
* 2. The consumer site discovers the user's OpenID server using the
|
|
* YADIS protocol.
|
|
* 3. The consumer site sends the browser a redirect to the identity
|
|
* server. This is the authentication request as described in
|
|
* the OpenID specification.
|
|
* 4. The identity server's site sends the browser a redirect back
|
|
* to the consumer site. This redirect contains the server's
|
|
* response to the authentication request.
|
|
*
|
|
* The most important part of the flow to note is the consumer's site
|
|
* must handle two separate HTTP requests in order to perform the full
|
|
* identity check.
|
|
*
|
|
* LIBRARY DESIGN
|
|
*
|
|
* This consumer library is designed with that flow in mind. The goal
|
|
* is to make it as easy as possible to perform the above steps
|
|
* securely.
|
|
*
|
|
* At a high level, there are two important parts in the consumer
|
|
* library. The first important part is this module, which contains
|
|
* the interface to actually use this library. The second is the
|
|
* Auth_OpenID_Interface class, which describes the interface to use
|
|
* if you need to create a custom method for storing the state this
|
|
* library needs to maintain between requests.
|
|
*
|
|
* In general, the second part is less important for users of the
|
|
* library to know about, as several implementations are provided
|
|
* which cover a wide variety of situations in which consumers may use
|
|
* the library.
|
|
*
|
|
* This module contains a class, Auth_OpenID_Consumer, with methods
|
|
* corresponding to the actions necessary in each of steps 2, 3, and 4
|
|
* described in the overview. Use of this library should be as easy
|
|
* as creating an Auth_OpenID_Consumer instance and calling the
|
|
* methods appropriate for the action the site wants to take.
|
|
*
|
|
* STORES AND DUMB MODE
|
|
*
|
|
* OpenID is a protocol that works best when the consumer site is able
|
|
* to store some state. This is the normal mode of operation for the
|
|
* protocol, and is sometimes referred to as smart mode. There is
|
|
* also a fallback mode, known as dumb mode, which is available when
|
|
* the consumer site is not able to store state. This mode should be
|
|
* avoided when possible, as it leaves the implementation more
|
|
* vulnerable to replay attacks.
|
|
*
|
|
* The mode the library works in for normal operation is determined by
|
|
* the store that it is given. The store is an abstraction that
|
|
* handles the data that the consumer needs to manage between http
|
|
* requests in order to operate efficiently and securely.
|
|
*
|
|
* Several store implementation are provided, and the interface is
|
|
* fully documented so that custom stores can be used as well. See
|
|
* the documentation for the Auth_OpenID_Consumer class for more
|
|
* information on the interface for stores. The implementations that
|
|
* are provided allow the consumer site to store the necessary data in
|
|
* several different ways, including several SQL databases and normal
|
|
* files on disk.
|
|
*
|
|
* There is an additional concrete store provided that puts the system
|
|
* in dumb mode. This is not recommended, as it removes the library's
|
|
* ability to stop replay attacks reliably. It still uses time-based
|
|
* checking to make replay attacks only possible within a small
|
|
* window, but they remain possible within that window. This store
|
|
* should only be used if the consumer site has no way to retain data
|
|
* between requests at all.
|
|
*
|
|
* IMMEDIATE MODE
|
|
*
|
|
* In the flow described above, the user may need to confirm to the
|
|
* lidentity server that it's ok to authorize his or her identity.
|
|
* The server may draw pages asking for information from the user
|
|
* before it redirects the browser back to the consumer's site. This
|
|
* is generally transparent to the consumer site, so it is typically
|
|
* ignored as an implementation detail.
|
|
*
|
|
* There can be times, however, where the consumer site wants to get a
|
|
* response immediately. When this is the case, the consumer can put
|
|
* the library in immediate mode. In immediate mode, there is an
|
|
* extra response possible from the server, which is essentially the
|
|
* server reporting that it doesn't have enough information to answer
|
|
* the question yet. In addition to saying that, the identity server
|
|
* provides a URL to which the user can be sent to provide the needed
|
|
* information and let the server finish handling the original
|
|
* request.
|
|
*
|
|
* USING THIS LIBRARY
|
|
*
|
|
* Integrating this library into an application is usually a
|
|
* relatively straightforward process. The process should basically
|
|
* follow this plan:
|
|
*
|
|
* Add an OpenID login field somewhere on your site. When an OpenID
|
|
* is entered in that field and the form is submitted, it should make
|
|
* a request to the your site which includes that OpenID URL.
|
|
*
|
|
* First, the application should instantiate the Auth_OpenID_Consumer
|
|
* class using the store of choice (Auth_OpenID_FileStore or one of
|
|
* the SQL-based stores). If the application has any sort of session
|
|
* framework that provides per-client state management, a dict-like
|
|
* object to access the session should be passed as the optional
|
|
* second parameter. (The default behavior is to use PHP's standard
|
|
* session machinery.)
|
|
*
|
|
* Next, the application should call the Auth_OpenID_Consumer object's
|
|
* 'begin' method. This method takes the OpenID URL. The 'begin'
|
|
* method returns an Auth_OpenID_AuthRequest object.
|
|
*
|
|
* Next, the application should call the 'redirectURL' method of the
|
|
* Auth_OpenID_AuthRequest object. The 'return_to' URL parameter is
|
|
* the URL that the OpenID server will send the user back to after
|
|
* attempting to verify his or her identity. The 'trust_root' is the
|
|
* URL (or URL pattern) that identifies your web site to the user when
|
|
* he or she is authorizing it. Send a redirect to the resulting URL
|
|
* to the user's browser.
|
|
*
|
|
* That's the first half of the authentication process. The second
|
|
* half of the process is done after the user's ID server sends the
|
|
* user's browser a redirect back to your site to complete their
|
|
* login.
|
|
*
|
|
* When that happens, the user will contact your site at the URL given
|
|
* as the 'return_to' URL to the Auth_OpenID_AuthRequest::redirectURL
|
|
* call made above. The request will have several query parameters
|
|
* added to the URL by the identity server as the information
|
|
* necessary to finish the request.
|
|
*
|
|
* Lastly, instantiate an Auth_OpenID_Consumer instance as above and
|
|
* call its 'complete' method, passing in all the received query
|
|
* arguments.
|
|
*
|
|
* There are multiple possible return types possible from that
|
|
* method. These indicate the whether or not the login was successful,
|
|
* and include any additional information appropriate for their type.
|
|
*
|
|
* PHP versions 4 and 5
|
|
*
|
|
* LICENSE: See the COPYING file included in this distribution.
|
|
*
|
|
* @package OpenID
|
|
* @author JanRain, Inc. <openid@janrain.com>
|
|
* @copyright 2005 Janrain, Inc.
|
|
* @license http://www.gnu.org/copyleft/lesser.html LGPL
|
|
*/
|
|
|
|
/**
|
|
* Require utility classes and functions for the consumer.
|
|
*/
|
|
require_once "Auth/OpenID.php";
|
|
require_once "Auth/OpenID/HMACSHA1.php";
|
|
require_once "Auth/OpenID/Association.php";
|
|
require_once "Auth/OpenID/CryptUtil.php";
|
|
require_once "Auth/OpenID/DiffieHellman.php";
|
|
require_once "Auth/OpenID/KVForm.php";
|
|
require_once "Auth/OpenID/Discover.php";
|
|
require_once "Services/Yadis/Manager.php";
|
|
require_once "Services/Yadis/XRI.php";
|
|
|
|
/**
|
|
* This is the status code returned when the complete method returns
|
|
* successfully.
|
|
*/
|
|
define('Auth_OpenID_SUCCESS', 'success');
|
|
|
|
/**
|
|
* Status to indicate cancellation of OpenID authentication.
|
|
*/
|
|
define('Auth_OpenID_CANCEL', 'cancel');
|
|
|
|
/**
|
|
* This is the status code completeAuth returns when the value it
|
|
* received indicated an invalid login.
|
|
*/
|
|
define('Auth_OpenID_FAILURE', 'failure');
|
|
|
|
/**
|
|
* This is the status code completeAuth returns when the
|
|
* {@link Auth_OpenID_Consumer} instance is in immediate mode, and the
|
|
* identity server sends back a URL to send the user to to complete his
|
|
* or her login.
|
|
*/
|
|
define('Auth_OpenID_SETUP_NEEDED', 'setup needed');
|
|
|
|
/**
|
|
* This is the status code beginAuth returns when the page fetched
|
|
* from the entered OpenID URL doesn't contain the necessary link tags
|
|
* to function as an identity page.
|
|
*/
|
|
define('Auth_OpenID_PARSE_ERROR', 'parse error');
|
|
|
|
/**
|
|
* This is the characters that the nonces are made from.
|
|
*/
|
|
define('Auth_OpenID_DEFAULT_NONCE_CHRS',"abcdefghijklmnopqrstuvwxyz" .
|
|
"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
|
|
|
|
/**
|
|
* An OpenID consumer implementation that performs discovery and does
|
|
* session management. See the Consumer.php file documentation for
|
|
* more information.
|
|
*
|
|
* @package OpenID
|
|
*/
|
|
class Auth_OpenID_Consumer {
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
var $session_key_prefix = "_openid_consumer_";
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
var $_token_suffix = "last_token";
|
|
|
|
/**
|
|
* Initialize a Consumer instance.
|
|
*
|
|
* You should create a new instance of the Consumer object with
|
|
* every HTTP request that handles OpenID transactions.
|
|
*
|
|
* @param Auth_OpenID_OpenIDStore $store This must be an object
|
|
* that implements the interface in {@link
|
|
* Auth_OpenID_OpenIDStore}. Several concrete implementations are
|
|
* provided, to cover most common use cases. For stores backed by
|
|
* MySQL, PostgreSQL, or SQLite, see the {@link
|
|
* Auth_OpenID_SQLStore} class and its sublcasses. For a
|
|
* filesystem-backed store, see the {@link Auth_OpenID_FileStore}
|
|
* module. As a last resort, if it isn't possible for the server
|
|
* to store state at all, an instance of {@link
|
|
* Auth_OpenID_DumbStore} can be used.
|
|
*
|
|
* @param mixed session An object which implements the interface
|
|
* of the Services_Yadis_Session class. Particularly, this object
|
|
* is expected to have these methods: get($key), set($key,
|
|
* $value), and del($key). This defaults to a session object
|
|
* which wraps PHP's native session machinery. You should only
|
|
* need to pass something here if you have your own sessioning
|
|
* implementation.
|
|
*/
|
|
function Auth_OpenID_Consumer(&$store, $session = null)
|
|
{
|
|
if ($session === null) {
|
|
$session = new Services_Yadis_PHPSession();
|
|
}
|
|
|
|
$this->session =& $session;
|
|
$this->consumer = new Auth_OpenID_GenericConsumer($store);
|
|
$this->_token_key = $this->session_key_prefix . $this->_token_suffix;
|
|
}
|
|
|
|
/**
|
|
* Start the OpenID authentication process. See steps 1-2 in the
|
|
* overview at the top of this file.
|
|
*
|
|
* @param User_url: Identity URL given by the user. This method
|
|
* performs a textual transformation of the URL to try and make
|
|
* sure it is normalized. For example, a user_url of example.com
|
|
* will be normalized to http://example.com/ normalizing and
|
|
* resolving any redirects the server might issue.
|
|
*
|
|
* @return Auth_OpenID_AuthRequest $auth_request An object
|
|
* containing the discovered information will be returned, with a
|
|
* method for building a redirect URL to the server, as described
|
|
* in step 3 of the overview. This object may also be used to add
|
|
* extension arguments to the request, using its 'addExtensionArg'
|
|
* method.
|
|
*/
|
|
function begin($user_url)
|
|
{
|
|
$discoverMethod = '_Auth_OpenID_discoverServiceList';
|
|
$openid_url = $user_url;
|
|
|
|
if (Services_Yadis_identifierScheme($user_url) == 'XRI') {
|
|
$discoverMethod = '_Auth_OpenID_discoverXRIServiceList';
|
|
} else {
|
|
$openid_url = Auth_OpenID::normalizeUrl($user_url);
|
|
}
|
|
|
|
$disco = new Services_Yadis_Discovery($this->session,
|
|
$openid_url,
|
|
$this->session_key_prefix);
|
|
// Set the 'stale' attribute of the manager. If discovery
|
|
// fails in a fatal way, the stale flag will cause the manager
|
|
// to be cleaned up next time discovery is attempted.
|
|
|
|
$m = $disco->getManager();
|
|
$loader = new Services_Yadis_ManagerLoader();
|
|
|
|
if ($m) {
|
|
if ($m->stale) {
|
|
$disco->destroyManager();
|
|
} else {
|
|
$m->stale = true;
|
|
$disco->session->set($disco->session_key,
|
|
serialize($loader->toSession($m)));
|
|
}
|
|
}
|
|
|
|
$endpoint = $disco->getNextService($discoverMethod,
|
|
$this->consumer->fetcher);
|
|
|
|
// Reset the 'stale' attribute of the manager.
|
|
$m =& $disco->getManager();
|
|
if ($m) {
|
|
$m->stale = false;
|
|
$disco->session->set($disco->session_key,
|
|
serialize($loader->toSession($m)));
|
|
}
|
|
|
|
if ($endpoint === null) {
|
|
return null;
|
|
} else {
|
|
return $this->beginWithoutDiscovery($endpoint);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Start OpenID verification without doing OpenID server
|
|
* discovery. This method is used internally by Consumer.begin
|
|
* after discovery is performed, and exists to provide an
|
|
* interface for library users needing to perform their own
|
|
* discovery.
|
|
*
|
|
* @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service
|
|
* endpoint descriptor.
|
|
*
|
|
* @return Auth_OpenID_AuthRequest $auth_request An OpenID
|
|
* authentication request object.
|
|
*/
|
|
function &beginWithoutDiscovery($endpoint)
|
|
{
|
|
$loader = new Auth_OpenID_ServiceEndpointLoader();
|
|
$auth_req = $this->consumer->begin($endpoint);
|
|
$this->session->set($this->_token_key,
|
|
$loader->toSession($auth_req->endpoint));
|
|
return $auth_req;
|
|
}
|
|
|
|
/**
|
|
* Called to interpret the server's response to an OpenID
|
|
* request. It is called in step 4 of the flow described in the
|
|
* consumer overview.
|
|
*
|
|
* @param array $query An array of the query parameters (key =>
|
|
* value pairs) for this HTTP request.
|
|
*
|
|
* @return Auth_OpenID_ConsumerResponse $response A instance of an
|
|
* Auth_OpenID_ConsumerResponse subclass. The type of response is
|
|
* indicated by the status attribute, which will be one of
|
|
* SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
|
|
*/
|
|
function complete($query)
|
|
{
|
|
$query = Auth_OpenID::fixArgs($query);
|
|
|
|
$loader = new Auth_OpenID_ServiceEndpointLoader();
|
|
$endpoint_data = $this->session->get($this->_token_key);
|
|
$endpoint =
|
|
$loader->fromSession($endpoint_data);
|
|
|
|
if ($endpoint === null) {
|
|
$response = new Auth_OpenID_FailureResponse(null,
|
|
'No session state found');
|
|
} else {
|
|
$response = $this->consumer->complete($query, $endpoint);
|
|
$this->session->del($this->_token_key);
|
|
}
|
|
|
|
if (in_array($response->status, array(Auth_OpenID_SUCCESS,
|
|
Auth_OpenID_CANCEL))) {
|
|
if ($response->identity_url !== null) {
|
|
$disco = new Services_Yadis_Discovery($this->session,
|
|
$response->identity_url,
|
|
$this->session_key_prefix);
|
|
$disco->cleanup();
|
|
}
|
|
}
|
|
|
|
return $response;
|
|
}
|
|
}
|
|
|
|
class Auth_OpenID_DiffieHellmanConsumerSession {
|
|
var $session_type = 'DH-SHA1';
|
|
|
|
function Auth_OpenID_DiffieHellmanConsumerSession($dh = null)
|
|
{
|
|
if ($dh === null) {
|
|
$dh = new Auth_OpenID_DiffieHellman();
|
|
}
|
|
|
|
$this->dh = $dh;
|
|
}
|
|
|
|
function getRequest()
|
|
{
|
|
$math =& Auth_OpenID_getMathLib();
|
|
|
|
$cpub = $math->longToBase64($this->dh->public);
|
|
|
|
$args = array('openid.dh_consumer_public' => $cpub);
|
|
|
|
if (!$this->dh->usingDefaultValues()) {
|
|
$args = array_merge($args, array(
|
|
'openid.dh_modulus' =>
|
|
$math->longToBase64($this->dh->mod),
|
|
'openid.dh_gen' =>
|
|
$math->longToBase64($this->dh->gen)));
|
|
}
|
|
|
|
return $args;
|
|
}
|
|
|
|
function extractSecret($response)
|
|
{
|
|
if (!array_key_exists('dh_server_public', $response)) {
|
|
return null;
|
|
}
|
|
|
|
if (!array_key_exists('enc_mac_key', $response)) {
|
|
return null;
|
|
}
|
|
|
|
$math =& Auth_OpenID_getMathLib();
|
|
$spub = $math->base64ToLong($response['dh_server_public']);
|
|
$enc_mac_key = base64_decode($response['enc_mac_key']);
|
|
|
|
return $this->dh->xorSecret($spub, $enc_mac_key);
|
|
}
|
|
}
|
|
|
|
class Auth_OpenID_PlainTextConsumerSession {
|
|
var $session_type = null;
|
|
|
|
function getRequest()
|
|
{
|
|
return array();
|
|
}
|
|
|
|
function extractSecret($response)
|
|
{
|
|
if (!array_key_exists('mac_key', $response)) {
|
|
return null;
|
|
}
|
|
|
|
return base64_decode($response['mac_key']);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* This class is the interface to the OpenID consumer logic.
|
|
* Instances of it maintain no per-request state, so they can be
|
|
* reused (or even used by multiple threads concurrently) as needed.
|
|
*
|
|
* @package OpenID
|
|
* @access private
|
|
*/
|
|
class Auth_OpenID_GenericConsumer {
|
|
/**
|
|
* This consumer's store object.
|
|
*/
|
|
var $store;
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
var $_use_assocs;
|
|
|
|
/**
|
|
* This is the number of characters in the generated nonce for
|
|
* each transaction.
|
|
*/
|
|
var $nonce_len = 8;
|
|
|
|
/**
|
|
* What characters are allowed in nonces
|
|
*/
|
|
var $nonce_chrs = Auth_OpenID_DEFAULT_NONCE_CHRS;
|
|
|
|
/**
|
|
* This method initializes a new {@link Auth_OpenID_Consumer}
|
|
* instance to access the library.
|
|
*
|
|
* @param Auth_OpenID_OpenIDStore $store This must be an object
|
|
* that implements the interface in {@link Auth_OpenID_OpenIDStore}.
|
|
* Several concrete implementations are provided, to cover most common use
|
|
* cases. For stores backed by MySQL, PostgreSQL, or SQLite, see
|
|
* the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a
|
|
* filesystem-backed store, see the {@link Auth_OpenID_FileStore} module.
|
|
* As a last resort, if it isn't possible for the server to store
|
|
* state at all, an instance of {@link Auth_OpenID_DumbStore} can be used.
|
|
*
|
|
* @param bool $immediate This is an optional boolean value. It
|
|
* controls whether the library uses immediate mode, as explained
|
|
* in the module description. The default value is False, which
|
|
* disables immediate mode.
|
|
*/
|
|
function Auth_OpenID_GenericConsumer(&$store)
|
|
{
|
|
$this->store =& $store;
|
|
$this->_use_assocs =
|
|
!(defined('Auth_OpenID_NO_MATH_SUPPORT') ||
|
|
($this->store && $this->store->isDumb()));
|
|
|
|
$this->fetcher = Services_Yadis_Yadis::getHTTPFetcher();
|
|
}
|
|
|
|
function begin($service_endpoint)
|
|
{
|
|
$nonce = $this->_createNonce();
|
|
$assoc = $this->_getAssociation($service_endpoint->server_url);
|
|
$r = new Auth_OpenID_AuthRequest($assoc, $service_endpoint);
|
|
$r->return_to_args['nonce'] = $nonce;
|
|
return $r;
|
|
}
|
|
|
|
function complete($query, $endpoint)
|
|
{
|
|
$mode = Auth_OpenID::arrayGet($query, 'openid.mode',
|
|
'<no mode specified>');
|
|
|
|
if ($mode == Auth_OpenID_CANCEL) {
|
|
return new Auth_OpenID_CancelResponse($endpoint);
|
|
} else if ($mode == 'error') {
|
|
$error = Auth_OpenID::arrayGet($query, 'openid.error');
|
|
return new Auth_OpenID_FailureResponse($endpoint, $error);
|
|
} else if ($mode == 'id_res') {
|
|
if ($endpoint->identity_url === null) {
|
|
return new Auth_OpenID_FailureResponse($identity_url,
|
|
"No session state found");
|
|
}
|
|
|
|
$response = $this->_doIdRes($query, $endpoint);
|
|
|
|
if ($response === null) {
|
|
return new Auth_OpenID_FailureResponse($endpoint,
|
|
"HTTP request failed");
|
|
}
|
|
if ($response->status == Auth_OpenID_SUCCESS) {
|
|
return $this->_checkNonce($response,
|
|
Auth_OpenID::arrayGet($query,
|
|
'nonce'));
|
|
} else {
|
|
return $response;
|
|
}
|
|
} else {
|
|
return new Auth_OpenID_FailureResponse($endpoint,
|
|
sprintf("Invalid openid.mode '%s'",
|
|
$mode));
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _doIdRes($query, $endpoint)
|
|
{
|
|
$user_setup_url = Auth_OpenID::arrayGet($query,
|
|
'openid.user_setup_url');
|
|
|
|
if ($user_setup_url !== null) {
|
|
return new Auth_OpenID_SetupNeededResponse($endpoint,
|
|
$user_setup_url);
|
|
}
|
|
|
|
$return_to = Auth_OpenID::arrayGet($query, 'openid.return_to', null);
|
|
$server_id2 = Auth_OpenID::arrayGet($query, 'openid.identity', null);
|
|
$assoc_handle = Auth_OpenID::arrayGet($query,
|
|
'openid.assoc_handle', null);
|
|
|
|
if (($return_to === null) ||
|
|
($server_id2 === null) ||
|
|
($assoc_handle === null)) {
|
|
return new Auth_OpenID_FailureResponse($endpoint,
|
|
"Missing required field");
|
|
}
|
|
|
|
if ($endpoint->getServerID() != $server_id2) {
|
|
return new Auth_OpenID_FailureResponse($endpoint,
|
|
"Server ID (delegate) mismatch");
|
|
}
|
|
|
|
$signed = Auth_OpenID::arrayGet($query, 'openid.signed');
|
|
|
|
$assoc = $this->store->getAssociation($endpoint->server_url,
|
|
$assoc_handle);
|
|
|
|
if ($assoc === null) {
|
|
// It's not an association we know about. Dumb mode is
|
|
// our only possible path for recovery.
|
|
if ($this->_checkAuth($query, $endpoint->server_url)) {
|
|
return new Auth_OpenID_SuccessResponse($endpoint, $query,
|
|
$signed);
|
|
} else {
|
|
return new Auth_OpenID_FailureResponse($endpoint,
|
|
"Server denied check_authentication");
|
|
}
|
|
}
|
|
|
|
if ($assoc->getExpiresIn() <= 0) {
|
|
$msg = sprintf("Association with %s expired",
|
|
$endpoint->server_url);
|
|
return new Auth_OpenID_FailureResponse($endpoint, $msg);
|
|
}
|
|
|
|
// Check the signature
|
|
$sig = Auth_OpenID::arrayGet($query, 'openid.sig', null);
|
|
if (($sig === null) ||
|
|
($signed === null)) {
|
|
return new Auth_OpenID_FailureResponse($endpoint,
|
|
"Missing argument signature");
|
|
}
|
|
|
|
$signed_list = explode(",", $signed);
|
|
|
|
//Fail if the identity field is present but not signed
|
|
if (($endpoint->identity_url !== null) &&
|
|
(!in_array('identity', $signed_list))) {
|
|
$msg = '"openid.identity" not signed';
|
|
return new Auth_OpenID_FailureResponse($endpoint, $msg);
|
|
}
|
|
|
|
$v_sig = $assoc->signDict($signed_list, $query);
|
|
|
|
if ($v_sig != $sig) {
|
|
return new Auth_OpenID_FailureResponse($endpoint,
|
|
"Bad signature");
|
|
}
|
|
|
|
return Auth_OpenID_SuccessResponse::fromQuery($endpoint,
|
|
$query, $signed);
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _checkAuth($query, $server_url)
|
|
{
|
|
$request = $this->_createCheckAuthRequest($query);
|
|
if ($request === null) {
|
|
return false;
|
|
}
|
|
|
|
$response = $this->_makeKVPost($request, $server_url);
|
|
if ($response == null) {
|
|
return false;
|
|
}
|
|
|
|
return $this->_processCheckAuthResponse($response, $server_url);
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _createCheckAuthRequest($query)
|
|
{
|
|
$signed = Auth_OpenID::arrayGet($query, 'openid.signed', null);
|
|
if ($signed === null) {
|
|
return null;
|
|
}
|
|
|
|
$whitelist = array('assoc_handle', 'sig',
|
|
'signed', 'invalidate_handle');
|
|
|
|
$signed = array_merge(explode(",", $signed), $whitelist);
|
|
|
|
$check_args = array();
|
|
|
|
foreach ($query as $key => $value) {
|
|
if (in_array(substr($key, 7), $signed)) {
|
|
$check_args[$key] = $value;
|
|
}
|
|
}
|
|
|
|
$check_args['openid.mode'] = 'check_authentication';
|
|
return $check_args;
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _processCheckAuthResponse($response, $server_url)
|
|
{
|
|
$is_valid = Auth_OpenID::arrayGet($response, 'is_valid', 'false');
|
|
|
|
$invalidate_handle = Auth_OpenID::arrayGet($response,
|
|
'invalidate_handle');
|
|
|
|
if ($invalidate_handle !== null) {
|
|
$this->store->removeAssociation($server_url,
|
|
$invalidate_handle);
|
|
}
|
|
|
|
if ($is_valid == 'true') {
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _makeKVPost($args, $server_url)
|
|
{
|
|
$mode = $args['openid.mode'];
|
|
|
|
$pairs = array();
|
|
foreach ($args as $k => $v) {
|
|
$v = urlencode($v);
|
|
$pairs[] = "$k=$v";
|
|
}
|
|
|
|
$body = implode("&", $pairs);
|
|
|
|
$resp = $this->fetcher->post($server_url, $body);
|
|
|
|
if ($resp === null) {
|
|
return null;
|
|
}
|
|
|
|
$response = Auth_OpenID_KVForm::toArray($resp->body);
|
|
|
|
if ($resp->status == 400) {
|
|
return null;
|
|
} else if ($resp->status != 200) {
|
|
return null;
|
|
}
|
|
|
|
return $response;
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _checkNonce($response, $nonce)
|
|
{
|
|
$parsed_url = parse_url($response->getReturnTo());
|
|
$query_str = @$parsed_url['query'];
|
|
$query = array();
|
|
parse_str($query_str, $query);
|
|
|
|
$found = false;
|
|
|
|
foreach ($query as $k => $v) {
|
|
if ($k == 'nonce') {
|
|
if ($v != $nonce) {
|
|
return new Auth_OpenID_FailureResponse($response,
|
|
"Nonce mismatch");
|
|
} else {
|
|
$found = true;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!$found) {
|
|
return new Auth_OpenID_FailureResponse($response,
|
|
sprintf("Nonce missing from return_to: %s",
|
|
$response->getReturnTo()));
|
|
}
|
|
|
|
if (!$this->store->useNonce($nonce)) {
|
|
return new Auth_OpenID_FailureResponse($response,
|
|
"Nonce missing from store");
|
|
}
|
|
|
|
return $response;
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _createNonce()
|
|
{
|
|
$nonce = Auth_OpenID_CryptUtil::randomString($this->nonce_len,
|
|
$this->nonce_chrs);
|
|
$this->store->storeNonce($nonce);
|
|
return $nonce;
|
|
}
|
|
|
|
/**
|
|
* @access protected
|
|
*/
|
|
function _createDiffieHellman()
|
|
{
|
|
return new Auth_OpenID_DiffieHellman();
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _getAssociation($server_url)
|
|
{
|
|
if (!$this->_use_assocs) {
|
|
return null;
|
|
}
|
|
|
|
$assoc = $this->store->getAssociation($server_url);
|
|
|
|
if (($assoc === null) ||
|
|
($assoc->getExpiresIn() <= 0)) {
|
|
|
|
$parts = $this->_createAssociateRequest($server_url);
|
|
|
|
if ($parts === null) {
|
|
return null;
|
|
}
|
|
|
|
list($assoc_session, $args) = $parts;
|
|
|
|
$response = $this->_makeKVPost($args, $server_url);
|
|
|
|
if ($response === null) {
|
|
$assoc = null;
|
|
} else {
|
|
$assoc = $this->_parseAssociation($response, $assoc_session,
|
|
$server_url);
|
|
}
|
|
}
|
|
|
|
return $assoc;
|
|
}
|
|
|
|
function _createAssociateRequest($server_url)
|
|
{
|
|
$parts = parse_url($server_url);
|
|
|
|
if ($parts === false) {
|
|
return null;
|
|
}
|
|
|
|
if (array_key_exists('scheme', $parts)) {
|
|
$proto = $parts['scheme'];
|
|
} else {
|
|
$proto = 'http';
|
|
}
|
|
|
|
if ($proto == 'https') {
|
|
$assoc_session = new Auth_OpenID_PlainTextConsumerSession();
|
|
} else {
|
|
$assoc_session = new Auth_OpenID_DiffieHellmanConsumerSession();
|
|
}
|
|
|
|
$args = array(
|
|
'openid.mode' => 'associate',
|
|
'openid.assoc_type' => 'HMAC-SHA1');
|
|
|
|
if ($assoc_session->session_type !== null) {
|
|
$args['openid.session_type'] = $assoc_session->session_type;
|
|
}
|
|
|
|
$args = array_merge($args, $assoc_session->getRequest());
|
|
return array($assoc_session, $args);
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function _parseAssociation($results, $assoc_session, $server_url)
|
|
{
|
|
$required_keys = array('assoc_type', 'assoc_handle',
|
|
'expires_in');
|
|
|
|
foreach ($required_keys as $key) {
|
|
if (!array_key_exists($key, $results)) {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
$assoc_type = $results['assoc_type'];
|
|
$assoc_handle = $results['assoc_handle'];
|
|
$expires_in_str = $results['expires_in'];
|
|
|
|
if ($assoc_type != 'HMAC-SHA1') {
|
|
return null;
|
|
}
|
|
|
|
$expires_in = intval($expires_in_str);
|
|
|
|
if ($expires_in <= 0) {
|
|
return null;
|
|
}
|
|
|
|
$session_type = Auth_OpenID::arrayGet($results, 'session_type');
|
|
if ($session_type != $assoc_session->session_type) {
|
|
if ($session_type === null) {
|
|
$assoc_session = new Auth_OpenID_PlainTextConsumerSession();
|
|
} else {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
$secret = $assoc_session->extractSecret($results);
|
|
|
|
if (!$secret) {
|
|
return null;
|
|
}
|
|
|
|
$assoc = Auth_OpenID_Association::fromExpiresIn(
|
|
$expires_in, $assoc_handle, $secret, $assoc_type);
|
|
$this->store->storeAssociation($server_url, $assoc);
|
|
|
|
return $assoc;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* This class represents an authentication request from a consumer to
|
|
* an OpenID server.
|
|
*
|
|
* @package OpenID
|
|
*/
|
|
class Auth_OpenID_AuthRequest {
|
|
|
|
/**
|
|
* Initialize an authentication request with the specified token,
|
|
* association, and endpoint.
|
|
*
|
|
* Users of this library should not create instances of this
|
|
* class. Instances of this class are created by the library when
|
|
* needed.
|
|
*/
|
|
function Auth_OpenID_AuthRequest($assoc, $endpoint)
|
|
{
|
|
$this->assoc = $assoc;
|
|
$this->endpoint = $endpoint;
|
|
$this->extra_args = array();
|
|
$this->return_to_args = array();
|
|
}
|
|
|
|
/**
|
|
* Add an extension argument to this OpenID authentication
|
|
* request.
|
|
*
|
|
* Use caution when adding arguments, because they will be
|
|
* URL-escaped and appended to the redirect URL, which can easily
|
|
* get quite long.
|
|
*
|
|
* @param string $namespace The namespace for the extension. For
|
|
* example, the simple registration extension uses the namespace
|
|
* 'sreg'.
|
|
*
|
|
* @param string $key The key within the extension namespace. For
|
|
* example, the nickname field in the simple registration
|
|
* extension's key is 'nickname'.
|
|
*
|
|
* @param string $value The value to provide to the server for
|
|
* this argument.
|
|
*/
|
|
function addExtensionArg($namespace, $key, $value)
|
|
{
|
|
$arg_name = implode('.', array('openid', $namespace, $key));
|
|
$this->extra_args[$arg_name] = $value;
|
|
}
|
|
|
|
/**
|
|
* Compute the appropriate redirection URL for this request based
|
|
* on a specified trust root and return-to.
|
|
*
|
|
* @param string $trust_root The trust root URI for your
|
|
* application.
|
|
*
|
|
* @param string$ $return_to The return-to URL to be used when the
|
|
* OpenID server redirects the user back to your site.
|
|
*
|
|
* @return string $redirect_url The resulting redirect URL that
|
|
* you should send to the user agent.
|
|
*/
|
|
function redirectURL($trust_root, $return_to, $immediate=false)
|
|
{
|
|
if ($immediate) {
|
|
$mode = 'checkid_immediate';
|
|
} else {
|
|
$mode = 'checkid_setup';
|
|
}
|
|
|
|
$return_to = Auth_OpenID::appendArgs($return_to, $this->return_to_args);
|
|
|
|
$redir_args = array(
|
|
'openid.mode' => $mode,
|
|
'openid.identity' => $this->endpoint->getServerID(),
|
|
'openid.return_to' => $return_to,
|
|
'openid.trust_root' => $trust_root);
|
|
|
|
if ($this->assoc) {
|
|
$redir_args['openid.assoc_handle'] = $this->assoc->handle;
|
|
}
|
|
|
|
$redir_args = array_merge($redir_args, $this->extra_args);
|
|
|
|
return Auth_OpenID::appendArgs($this->endpoint->server_url,
|
|
$redir_args);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* The base class for responses from the Auth_OpenID_Consumer.
|
|
*
|
|
* @package OpenID
|
|
*/
|
|
class Auth_OpenID_ConsumerResponse {
|
|
var $status = null;
|
|
}
|
|
|
|
/**
|
|
* A response with a status of Auth_OpenID_SUCCESS. Indicates that
|
|
* this request is a successful acknowledgement from the OpenID server
|
|
* that the supplied URL is, indeed controlled by the requesting
|
|
* agent. This has three relevant attributes:
|
|
*
|
|
* identity_url - The identity URL that has been authenticated
|
|
*
|
|
* signed_args - The arguments in the server's response that were
|
|
* signed and verified.
|
|
*
|
|
* status - Auth_OpenID_SUCCESS.
|
|
*
|
|
* @package OpenID
|
|
*/
|
|
class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse {
|
|
var $status = Auth_OpenID_SUCCESS;
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function Auth_OpenID_SuccessResponse($endpoint, $signed_args)
|
|
{
|
|
$this->endpoint = $endpoint;
|
|
$this->identity_url = $endpoint->identity_url;
|
|
$this->signed_args = $signed_args;
|
|
}
|
|
|
|
/**
|
|
* @access private
|
|
*/
|
|
function fromQuery($endpoint, $query, $signed)
|
|
{
|
|
$signed_args = array();
|
|
foreach (explode(",", $signed) as $field_name) {
|
|
$field_name = 'openid.' . $field_name;
|
|
$signed_args[$field_name] = Auth_OpenID::arrayGet($query,
|
|
$field_name, '');
|
|
}
|
|
return new Auth_OpenID_SuccessResponse($endpoint, $signed_args);
|
|
}
|
|
|
|
/**
|
|
* Extract signed extension data from the server's response.
|
|
*
|
|
* @param string $prefix The extension namespace from which to
|
|
* extract the extension data.
|
|
*/
|
|
function extensionResponse($prefix)
|
|
{
|
|
$response = array();
|
|
$prefix = sprintf('openid.%s.', $prefix);
|
|
$prefix_len = strlen($prefix);
|
|
foreach ($this->signed_args as $k => $v) {
|
|
if (strpos($k, $prefix) === 0) {
|
|
$response_key = substr($k, $prefix_len);
|
|
$response[$response_key] = $v;
|
|
}
|
|
}
|
|
|
|
return $response;
|
|
}
|
|
|
|
/**
|
|
* Get the openid.return_to argument from this response.
|
|
*
|
|
* This is useful for verifying that this request was initiated by
|
|
* this consumer.
|
|
*
|
|
* @return string $return_to The return_to URL supplied to the
|
|
* server on the initial request, or null if the response did not
|
|
* contain an 'openid.return_to' argument.
|
|
*/
|
|
function getReturnTo()
|
|
{
|
|
return Auth_OpenID::arrayGet($this->signed_args, 'openid.return_to');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A response with a status of Auth_OpenID_FAILURE. Indicates that the
|
|
* OpenID protocol has failed. This could be locally or remotely
|
|
* triggered. This has three relevant attributes:
|
|
*
|
|
* identity_url - The identity URL for which authentication was
|
|
* attempted, if it can be determined. Otherwise, null.
|
|
*
|
|
* message - A message indicating why the request failed, if one is
|
|
* supplied. Otherwise, null.
|
|
*
|
|
* status - Auth_OpenID_FAILURE.
|
|
*
|
|
* @package OpenID
|
|
*/
|
|
class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse {
|
|
var $status = Auth_OpenID_FAILURE;
|
|
|
|
function Auth_OpenID_FailureResponse($endpoint, $message = null)
|
|
{
|
|
$this->endpoint = $endpoint;
|
|
if ($endpoint !== null) {
|
|
$this->identity_url = $endpoint->identity_url;
|
|
} else {
|
|
$this->identity_url = null;
|
|
}
|
|
$this->message = $message;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A response with a status of Auth_OpenID_CANCEL. Indicates that the
|
|
* user cancelled the OpenID authentication request. This has two
|
|
* relevant attributes:
|
|
*
|
|
* identity_url - The identity URL for which authentication was
|
|
* attempted, if it can be determined. Otherwise, null.
|
|
*
|
|
* status - Auth_OpenID_SUCCESS.
|
|
*
|
|
* @package OpenID
|
|
*/
|
|
class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse {
|
|
var $status = Auth_OpenID_CANCEL;
|
|
|
|
function Auth_OpenID_CancelResponse($endpoint)
|
|
{
|
|
$this->endpoint = $endpoint;
|
|
$this->identity_url = $endpoint->identity_url;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates
|
|
* that the request was in immediate mode, and the server is unable to
|
|
* authenticate the user without further interaction.
|
|
*
|
|
* identity_url - The identity URL for which authentication was
|
|
* attempted.
|
|
*
|
|
* setup_url - A URL that can be used to send the user to the server
|
|
* to set up for authentication. The user should be redirected in to
|
|
* the setup_url, either in the current window or in a new browser
|
|
* window.
|
|
*
|
|
* status - Auth_OpenID_SETUP_NEEDED.
|
|
*
|
|
* @package OpenID
|
|
*/
|
|
class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse {
|
|
var $status = Auth_OpenID_SETUP_NEEDED;
|
|
|
|
function Auth_OpenID_SetupNeededResponse($endpoint,
|
|
$setup_url = null)
|
|
{
|
|
$this->endpoint = $endpoint;
|
|
$this->identity_url = $endpoint->identity_url;
|
|
$this->setup_url = $setup_url;
|
|
}
|
|
}
|
|
|
|
?>
|