Öffentliche Methoden | |
Auth_OpenID_GenericConsumer (&$store) | |
begin ($service_endpoint) | |
complete ($message, $endpoint, $return_to) | |
_completeInvalid ($message, &$endpoint, $unused) | |
_complete_cancel ($message, &$endpoint, $unused) | |
_complete_error ($message, &$endpoint, $unused) | |
_complete_setup_needed ($message, &$endpoint, $unused) | |
_complete_id_res ($message, &$endpoint, $return_to) | |
_checkSetupNeeded ($message) | |
_doIdRes ($message, $endpoint, $return_to) | |
_checkReturnTo ($message, $return_to) | |
_verifyReturnToArgs ($query) | |
_idResCheckSignature ($message, $server_url) | |
_verifyDiscoveryResults ($message, $endpoint=null) | |
_verifyDiscoveryResultsOpenID1 ($message, $endpoint) | |
_verifyDiscoverySingle ($endpoint, $to_match) | |
_verifyDiscoveryResultsOpenID2 ($message, $endpoint) | |
_discoverAndVerify ($claimed_id, $to_match_endpoints) | |
_verifyDiscoveryServices ($claimed_id, &$services, &$to_match_endpoints) | |
_idResGetNonceOpenID1 ($message, $endpoint) | |
_idResCheckNonce ($message, $endpoint) | |
_idResCheckForFields ($message) | |
_checkAuth ($message, $server_url) | |
_createCheckAuthRequest ($message) | |
_processCheckAuthResponse ($response, $server_url) | |
_httpResponseToMessage ($response, $server_url) | |
_makeKVPost ($message, $server_url) | |
_getAssociation ($endpoint) | |
_extractSupportedAssociationType (&$server_error, &$endpoint, $assoc_type) | |
_negotiateAssociation ($endpoint) | |
_requestAssociation ($endpoint, $assoc_type, $session_type) | |
_extractAssociation (&$assoc_response, &$assoc_session) | |
_createAssociateRequest ($endpoint, $assoc_type, $session_type) | |
_getOpenID1SessionType ($assoc_response) | |
Datenfelder | |
$discoverMethod = 'Auth_OpenID_discover' | |
$store | |
$_use_assocs | |
$openid1_nonce_query_arg_name = 'janrain_nonce' | |
$openid1_return_to_identifier_name = 'openid1_claimed_id' |
Definiert in Zeile 568 der Datei Consumer.php.
_checkAuth | ( | $ | message, | |
$ | server_url | |||
) |
private
Definiert in Zeile 1334 der Datei Consumer.php.
01335 { 01336 $request = $this->_createCheckAuthRequest($message); 01337 if ($request === null) { 01338 return false; 01339 } 01340 01341 $resp_message = $this->_makeKVPost($request, $server_url); 01342 if (($resp_message === null) || 01343 (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) { 01344 return false; 01345 } 01346 01347 return $this->_processCheckAuthResponse($resp_message, $server_url); 01348 }
_checkReturnTo | ( | $ | message, | |
$ | return_to | |||
) |
private
Definiert in Zeile 813 der Datei Consumer.php.
00814 { 00815 // Check an OpenID message and its openid.return_to value 00816 // against a return_to URL from an application. Return True 00817 // on success, False on failure. 00818 00819 // Check the openid.return_to args against args in the 00820 // original message. 00821 $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs( 00822 $message->toPostArgs()); 00823 if (Auth_OpenID::isFailure($result)) { 00824 return false; 00825 } 00826 00827 // Check the return_to base URL against the one in the 00828 // message. 00829 $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, 00830 'return_to'); 00831 if (Auth_OpenID::isFailure($return_to)) { 00832 // XXX log me 00833 return false; 00834 } 00835 00836 $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to)); 00837 $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to)); 00838 00839 // If port is absent from both, add it so it's equal in the 00840 // check below. 00841 if ((!array_key_exists('port', $return_to_parts)) && 00842 (!array_key_exists('port', $msg_return_to_parts))) { 00843 $return_to_parts['port'] = null; 00844 $msg_return_to_parts['port'] = null; 00845 } 00846 00847 // If path is absent from both, add it so it's equal in the 00848 // check below. 00849 if ((!array_key_exists('path', $return_to_parts)) && 00850 (!array_key_exists('path', $msg_return_to_parts))) { 00851 $return_to_parts['path'] = null; 00852 $msg_return_to_parts['path'] = null; 00853 } 00854 00855 // The URL scheme, authority, and path MUST be the same 00856 // between the two URLs. 00857 foreach (array('scheme', 'host', 'port', 'path') as $component) { 00858 // If the url component is absent in either URL, fail. 00859 // There should always be a scheme, host, port, and path. 00860 if (!array_key_exists($component, $return_to_parts)) { 00861 return false; 00862 } 00863 00864 if (!array_key_exists($component, $msg_return_to_parts)) { 00865 return false; 00866 } 00867 00868 if (Auth_OpenID::arrayGet($return_to_parts, $component) !== 00869 Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { 00870 return false; 00871 } 00872 } 00873 00874 return true; 00875 }
_checkSetupNeeded | ( | $ | message | ) |
private
Definiert in Zeile 738 der Datei Consumer.php.
00739 { 00740 // In OpenID 1, we check to see if this is a cancel from 00741 // immediate mode by the presence of the user_setup_url 00742 // parameter. 00743 if ($message->isOpenID1()) { 00744 $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, 00745 'user_setup_url'); 00746 if ($user_setup_url !== null) { 00747 return true; 00748 } 00749 } 00750 00751 return false; 00752 }
_complete_cancel | ( | $ | message, | |
&$ | endpoint, | |||
$ | unused | |||
) |
private
Definiert in Zeile 687 der Datei Consumer.php.
00688 { 00689 return new Auth_OpenID_CancelResponse($endpoint); 00690 }
_complete_error | ( | $ | message, | |
&$ | endpoint, | |||
$ | unused | |||
) |
private
Definiert in Zeile 695 der Datei Consumer.php.
00696 { 00697 $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error'); 00698 $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact'); 00699 $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference'); 00700 00701 return new Auth_OpenID_FailureResponse($endpoint, $error, 00702 $contact, $reference); 00703 }
_complete_id_res | ( | $ | message, | |
&$ | endpoint, | |||
$ | return_to | |||
) |
private
Definiert in Zeile 722 der Datei Consumer.php.
00723 { 00724 $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, 00725 'user_setup_url'); 00726 00727 if ($this->_checkSetupNeeded($message)) { 00728 return new Auth_OpenID_SetupNeededResponse( 00729 $endpoint, $user_setup_url); 00730 } else { 00731 return $this->_doIdRes($message, $endpoint, $return_to); 00732 } 00733 }
_complete_setup_needed | ( | $ | message, | |
&$ | endpoint, | |||
$ | unused | |||
) |
private
Definiert in Zeile 708 der Datei Consumer.php.
00709 { 00710 if (!$message->isOpenID2()) { 00711 return $this->_completeInvalid($message, $endpoint); 00712 } 00713 00714 $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS, 00715 'user_setup_url'); 00716 return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url); 00717 }
_completeInvalid | ( | $ | message, | |
&$ | endpoint, | |||
$ | unused | |||
) |
private
Definiert in Zeile 675 der Datei Consumer.php.
00676 { 00677 $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', 00678 '<No mode set>'); 00679 00680 return new Auth_OpenID_FailureResponse($endpoint, 00681 sprintf("Invalid openid.mode '%s'", $mode)); 00682 }
_createAssociateRequest | ( | $ | endpoint, | |
$ | assoc_type, | |||
$ | session_type | |||
) |
private
Definiert in Zeile 1661 der Datei Consumer.php.
01662 { 01663 if (array_key_exists($session_type, $this->session_types)) { 01664 $session_type_class = $this->session_types[$session_type]; 01665 01666 if (is_callable($session_type_class)) { 01667 $assoc_session = $session_type_class(); 01668 } else { 01669 $assoc_session = new $session_type_class(); 01670 } 01671 } else { 01672 return null; 01673 } 01674 01675 $args = array( 01676 'mode' => 'associate', 01677 'assoc_type' => $assoc_type); 01678 01679 if (!$endpoint->compatibilityMode()) { 01680 $args['ns'] = Auth_OpenID_OPENID2_NS; 01681 } 01682 01683 // Leave out the session type if we're in compatibility mode 01684 // *and* it's no-encryption. 01685 if ((!$endpoint->compatibilityMode()) || 01686 ($assoc_session->session_type != 'no-encryption')) { 01687 $args['session_type'] = $assoc_session->session_type; 01688 } 01689 01690 $args = array_merge($args, $assoc_session->getRequest()); 01691 $message = Auth_OpenID_Message::fromOpenIDArgs($args); 01692 return array($assoc_session, $message); 01693 }
_createCheckAuthRequest | ( | $ | message | ) |
private
Definiert in Zeile 1353 der Datei Consumer.php.
01354 { 01355 $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); 01356 if ($signed) { 01357 foreach (explode(',', $signed) as $k) { 01358 $value = $message->getAliasedArg($k); 01359 if ($value === null) { 01360 return null; 01361 } 01362 } 01363 } 01364 $ca_message = $message->copy(); 01365 $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', 01366 'check_authentication'); 01367 return $ca_message; 01368 }
_discoverAndVerify | ( | $ | claimed_id, | |
$ | to_match_endpoints | |||
) |
private
Definiert in Zeile 1179 der Datei Consumer.php.
01180 { 01181 // oidutil.log('Performing discovery on %s' % (claimed_id,)) 01182 list($unused, $services) = call_user_func($this->discoverMethod, 01183 $claimed_id, 01184 $this->fetcher); 01185 01186 if (!$services) { 01187 return new Auth_OpenID_FailureResponse(null, 01188 sprintf("No OpenID information found at %s", 01189 $claimed_id)); 01190 } 01191 01192 return $this->_verifyDiscoveryServices($claimed_id, $services, 01193 $to_match_endpoints); 01194 }
_doIdRes | ( | $ | message, | |
$ | endpoint, | |||
$ | return_to | |||
) |
private
Definiert in Zeile 757 der Datei Consumer.php.
00758 { 00759 // Checks for presence of appropriate fields (and checks 00760 // signed list fields) 00761 $result = $this->_idResCheckForFields($message); 00762 00763 if (Auth_OpenID::isFailure($result)) { 00764 return $result; 00765 } 00766 00767 if (!$this->_checkReturnTo($message, $return_to)) { 00768 return new Auth_OpenID_FailureResponse(null, 00769 sprintf("return_to does not match return URL. Expected %s, got %s", 00770 $return_to, 00771 $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'))); 00772 } 00773 00774 // Verify discovery information: 00775 $result = $this->_verifyDiscoveryResults($message, $endpoint); 00776 00777 if (Auth_OpenID::isFailure($result)) { 00778 return $result; 00779 } 00780 00781 $endpoint = $result; 00782 00783 $result = $this->_idResCheckSignature($message, 00784 $endpoint->server_url); 00785 00786 if (Auth_OpenID::isFailure($result)) { 00787 return $result; 00788 } 00789 00790 $result = $this->_idResCheckNonce($message, $endpoint); 00791 00792 if (Auth_OpenID::isFailure($result)) { 00793 return $result; 00794 } 00795 00796 $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', 00797 Auth_OpenID_NO_DEFAULT); 00798 if (Auth_OpenID::isFailure($signed_list_str)) { 00799 return $signed_list_str; 00800 } 00801 $signed_list = explode(',', $signed_list_str); 00802 00803 $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid."); 00804 00805 return new Auth_OpenID_SuccessResponse($endpoint, $message, 00806 $signed_fields); 00807 00808 }
_extractAssociation | ( | &$ | assoc_response, | |
&$ | assoc_session | |||
) |
private
Definiert in Zeile 1569 der Datei Consumer.php.
01570 { 01571 // Extract the common fields from the response, raising an 01572 // exception if they are not found 01573 $assoc_type = $assoc_response->getArg( 01574 Auth_OpenID_OPENID_NS, 'assoc_type', 01575 Auth_OpenID_NO_DEFAULT); 01576 01577 if (Auth_OpenID::isFailure($assoc_type)) { 01578 return $assoc_type; 01579 } 01580 01581 $assoc_handle = $assoc_response->getArg( 01582 Auth_OpenID_OPENID_NS, 'assoc_handle', 01583 Auth_OpenID_NO_DEFAULT); 01584 01585 if (Auth_OpenID::isFailure($assoc_handle)) { 01586 return $assoc_handle; 01587 } 01588 01589 // expires_in is a base-10 string. The Python parsing will 01590 // accept literals that have whitespace around them and will 01591 // accept negative values. Neither of these are really in-spec, 01592 // but we think it's OK to accept them. 01593 $expires_in_str = $assoc_response->getArg( 01594 Auth_OpenID_OPENID_NS, 'expires_in', 01595 Auth_OpenID_NO_DEFAULT); 01596 01597 if (Auth_OpenID::isFailure($expires_in_str)) { 01598 return $expires_in_str; 01599 } 01600 01601 $expires_in = Auth_OpenID::intval($expires_in_str); 01602 if ($expires_in === false) { 01603 01604 $err = sprintf("Could not parse expires_in from association ". 01605 "response %s", print_r($assoc_response, true)); 01606 return new Auth_OpenID_FailureResponse(null, $err); 01607 } 01608 01609 // OpenID 1 has funny association session behaviour. 01610 if ($assoc_response->isOpenID1()) { 01611 $session_type = $this->_getOpenID1SessionType($assoc_response); 01612 } else { 01613 $session_type = $assoc_response->getArg( 01614 Auth_OpenID_OPENID2_NS, 'session_type', 01615 Auth_OpenID_NO_DEFAULT); 01616 01617 if (Auth_OpenID::isFailure($session_type)) { 01618 return $session_type; 01619 } 01620 } 01621 01622 // Session type mismatch 01623 if ($assoc_session->session_type != $session_type) { 01624 if ($assoc_response->isOpenID1() && 01625 ($session_type == 'no-encryption')) { 01626 // In OpenID 1, any association request can result in 01627 // a 'no-encryption' association response. Setting 01628 // assoc_session to a new no-encryption session should 01629 // make the rest of this function work properly for 01630 // that case. 01631 $assoc_session = new Auth_OpenID_PlainTextConsumerSession(); 01632 } else { 01633 // Any other mismatch, regardless of protocol version 01634 // results in the failure of the association session 01635 // altogether. 01636 return null; 01637 } 01638 } 01639 01640 // Make sure assoc_type is valid for session_type 01641 if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) { 01642 return null; 01643 } 01644 01645 // Delegate to the association session to extract the secret 01646 // from the response, however is appropriate for that session 01647 // type. 01648 $secret = $assoc_session->extractSecret($assoc_response); 01649 01650 if ($secret === null) { 01651 return null; 01652 } 01653 01654 return Auth_OpenID_Association::fromExpiresIn( 01655 $expires_in, $assoc_handle, $secret, $assoc_type); 01656 }
_extractSupportedAssociationType | ( | &$ | server_error, | |
&$ | endpoint, | |||
$ | assoc_type | |||
) |
Handle ServerErrors resulting from association requests.
Definiert in Zeile 1464 der Datei Consumer.php.
01466 { 01467 // Any error message whose code is not 'unsupported-type' 01468 // should be considered a total failure. 01469 if (($server_error->error_code != 'unsupported-type') || 01470 ($server_error->message->isOpenID1())) { 01471 return null; 01472 } 01473 01474 // The server didn't like the association/session type that we 01475 // sent, and it sent us back a message that might tell us how 01476 // to handle it. 01477 01478 // Extract the session_type and assoc_type from the error 01479 // message 01480 $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, 01481 'assoc_type'); 01482 01483 $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, 01484 'session_type'); 01485 01486 if (($assoc_type === null) || ($session_type === null)) { 01487 return null; 01488 } else if (!$this->negotiator->isAllowed($assoc_type, 01489 $session_type)) { 01490 return null; 01491 } else { 01492 return array($assoc_type, $session_type); 01493 } 01494 }
_getAssociation | ( | $ | endpoint | ) |
private
Definiert in Zeile 1433 der Datei Consumer.php.
01434 { 01435 if (!$this->_use_assocs) { 01436 return null; 01437 } 01438 01439 $assoc = $this->store->getAssociation($endpoint->server_url); 01440 01441 if (($assoc === null) || 01442 ($assoc->getExpiresIn() <= 0)) { 01443 01444 $assoc = $this->_negotiateAssociation($endpoint); 01445 01446 if ($assoc !== null) { 01447 $this->store->storeAssociation($endpoint->server_url, 01448 $assoc); 01449 } 01450 } 01451 01452 return $assoc; 01453 }
_getOpenID1SessionType | ( | $ | assoc_response | ) |
Given an association response message, extract the OpenID 1.X session type.
This function mostly takes care of the 'no-encryption' default behavior in OpenID 1.
If the association type is plain-text, this function will return 'no-encryption'
private
Definiert in Zeile 1708 der Datei Consumer.php.
01709 { 01710 // If it's an OpenID 1 message, allow session_type to default 01711 // to None (which signifies "no-encryption") 01712 $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS, 01713 'session_type'); 01714 01715 // Handle the differences between no-encryption association 01716 // respones in OpenID 1 and 2: 01717 01718 // no-encryption is not really a valid session type for OpenID 01719 // 1, but we'll accept it anyway, while issuing a warning. 01720 if ($session_type == 'no-encryption') { 01721 // oidutil.log('WARNING: OpenID server sent "no-encryption"' 01722 // 'for OpenID 1.X') 01723 } else if (($session_type == '') || ($session_type === null)) { 01724 // Missing or empty session type is the way to flag a 01725 // 'no-encryption' response. Change the session type to 01726 // 'no-encryption' so that it can be handled in the same 01727 // way as OpenID 2 'no-encryption' respones. 01728 $session_type = 'no-encryption'; 01729 } 01730 01731 return $session_type; 01732 }
_httpResponseToMessage | ( | $ | response, | |
$ | server_url | |||
) |
Adapt a POST response to a Message.
$response | Result of a POST to an OpenID endpoint. |
Definiert in Zeile 1400 der Datei Consumer.php.
01401 { 01402 // Should this function be named Message.fromHTTPResponse instead? 01403 $response_message = Auth_OpenID_Message::fromKVForm($response->body); 01404 01405 if ($response->status == 400) { 01406 return Auth_OpenID_ServerErrorContainer::fromMessage( 01407 $response_message); 01408 } else if ($response->status != 200 and $response->status != 206) { 01409 return null; 01410 } 01411 01412 return $response_message; 01413 }
_idResCheckForFields | ( | $ | message | ) |
private
Definiert in Zeile 1281 der Datei Consumer.php.
01282 { 01283 $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed'); 01284 $basic_sig_fields = array('return_to', 'identity'); 01285 01286 $require_fields = array( 01287 Auth_OpenID_OPENID2_NS => array_merge($basic_fields, 01288 array('op_endpoint')), 01289 01290 Auth_OpenID_OPENID1_NS => array_merge($basic_fields, 01291 array('identity')) 01292 ); 01293 01294 $require_sigs = array( 01295 Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields, 01296 array('response_nonce', 01297 'claimed_id', 01298 'assoc_handle', 01299 'op_endpoint')), 01300 Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields, 01301 array('nonce')) 01302 ); 01303 01304 foreach ($require_fields[$message->getOpenIDNamespace()] as $field) { 01305 if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) { 01306 return new Auth_OpenID_FailureResponse(null, 01307 "Missing required field '".$field."'"); 01308 } 01309 } 01310 01311 $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 01312 'signed', 01313 Auth_OpenID_NO_DEFAULT); 01314 if (Auth_OpenID::isFailure($signed_list_str)) { 01315 return $signed_list_str; 01316 } 01317 $signed_list = explode(',', $signed_list_str); 01318 01319 foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) { 01320 // Field is present and not in signed list 01321 if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) && 01322 (!in_array($field, $signed_list))) { 01323 return new Auth_OpenID_FailureResponse(null, 01324 "'".$field."' not signed"); 01325 } 01326 } 01327 01328 return null; 01329 }
_idResCheckNonce | ( | $ | message, | |
$ | endpoint | |||
) |
private
Definiert in Zeile 1243 der Datei Consumer.php.
01244 { 01245 if ($message->isOpenID1()) { 01246 // This indicates that the nonce was generated by the consumer 01247 $nonce = $this->_idResGetNonceOpenID1($message, $endpoint); 01248 $server_url = ''; 01249 } else { 01250 $nonce = $message->getArg(Auth_OpenID_OPENID2_NS, 01251 'response_nonce'); 01252 01253 $server_url = $endpoint->server_url; 01254 } 01255 01256 if ($nonce === null) { 01257 return new Auth_OpenID_FailureResponse($endpoint, 01258 "Nonce missing from response"); 01259 } 01260 01261 $parts = Auth_OpenID_splitNonce($nonce); 01262 01263 if ($parts === null) { 01264 return new Auth_OpenID_FailureResponse($endpoint, 01265 "Malformed nonce in response"); 01266 } 01267 01268 list($timestamp, $salt) = $parts; 01269 01270 if (!$this->store->useNonce($server_url, $timestamp, $salt)) { 01271 return new Auth_OpenID_FailureResponse($endpoint, 01272 "Nonce already used or out of range"); 01273 } 01274 01275 return null; 01276 }
_idResCheckSignature | ( | $ | message, | |
$ | server_url | |||
) |
private
Definiert in Zeile 937 der Datei Consumer.php.
00938 { 00939 $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, 00940 'assoc_handle'); 00941 if (Auth_OpenID::isFailure($assoc_handle)) { 00942 return $assoc_handle; 00943 } 00944 00945 $assoc = $this->store->getAssociation($server_url, $assoc_handle); 00946 00947 if ($assoc) { 00948 if ($assoc->getExpiresIn() <= 0) { 00949 // XXX: It might be a good idea sometimes to re-start 00950 // the authentication with a new association. Doing it 00951 // automatically opens the possibility for 00952 // denial-of-service by a server that just returns 00953 // expired associations (or really short-lived 00954 // associations) 00955 return new Auth_OpenID_FailureResponse(null, 00956 'Association with ' . $server_url . ' expired'); 00957 } 00958 00959 if (!$assoc->checkMessageSignature($message)) { 00960 return new Auth_OpenID_FailureResponse(null, 00961 "Bad signature"); 00962 } 00963 } else { 00964 // It's not an association we know about. Stateless mode 00965 // is our only possible path for recovery. XXX - async 00966 // framework will not want to block on this call to 00967 // _checkAuth. 00968 if (!$this->_checkAuth($message, $server_url)) { 00969 return new Auth_OpenID_FailureResponse(null, 00970 "Server denied check_authentication"); 00971 } 00972 } 00973 00974 return null; 00975 }
_idResGetNonceOpenID1 | ( | $ | message, | |
$ | endpoint | |||
) |
Extract the nonce from an OpenID 1 response. Return the nonce from the BARE_NS since we independently check the return_to arguments are the same as those in the response message.
See the openid1_nonce_query_arg_name class variable
Definiert in Zeile 1234 der Datei Consumer.php.
01235 { 01236 return $message->getArg(Auth_OpenID_BARE_NS, 01237 $this->openid1_nonce_query_arg_name); 01238 }
_makeKVPost | ( | $ | message, | |
$ | server_url | |||
) |
private
Definiert in Zeile 1418 der Datei Consumer.php.
01419 { 01420 $body = $message->toURLEncoded(); 01421 $resp = $this->fetcher->post($server_url, $body); 01422 01423 if ($resp === null) { 01424 return null; 01425 } 01426 01427 return $this->_httpResponseToMessage($resp, $server_url); 01428 }
_negotiateAssociation | ( | $ | endpoint | ) |
private
Definiert in Zeile 1499 der Datei Consumer.php.
01500 { 01501 // Get our preferred session/association type from the negotiatior. 01502 list($assoc_type, $session_type) = $this->negotiator->getAllowedType(); 01503 01504 $assoc = $this->_requestAssociation( 01505 $endpoint, $assoc_type, $session_type); 01506 01507 if (Auth_OpenID::isFailure($assoc)) { 01508 return null; 01509 } 01510 01511 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { 01512 $why = $assoc; 01513 01514 $supportedTypes = $this->_extractSupportedAssociationType( 01515 $why, $endpoint, $assoc_type); 01516 01517 if ($supportedTypes !== null) { 01518 list($assoc_type, $session_type) = $supportedTypes; 01519 01520 // Attempt to create an association from the assoc_type 01521 // and session_type that the server told us it 01522 // supported. 01523 $assoc = $this->_requestAssociation( 01524 $endpoint, $assoc_type, $session_type); 01525 01526 if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { 01527 // Do not keep trying, since it rejected the 01528 // association type that it told us to use. 01529 // oidutil.log('Server %s refused its suggested association 01530 // 'type: session_type=%s, assoc_type=%s' 01531 // % (endpoint.server_url, session_type, 01532 // assoc_type)) 01533 return null; 01534 } else { 01535 return $assoc; 01536 } 01537 } else { 01538 return null; 01539 } 01540 } else { 01541 return $assoc; 01542 } 01543 }
_processCheckAuthResponse | ( | $ | response, | |
$ | server_url | |||
) |
private
Definiert in Zeile 1373 der Datei Consumer.php.
01374 { 01375 $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid', 01376 'false'); 01377 01378 $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS, 01379 'invalidate_handle'); 01380 01381 if ($invalidate_handle !== null) { 01382 $this->store->removeAssociation($server_url, 01383 $invalidate_handle); 01384 } 01385 01386 if ($is_valid == 'true') { 01387 return true; 01388 } 01389 01390 return false; 01391 }
_requestAssociation | ( | $ | endpoint, | |
$ | assoc_type, | |||
$ | session_type | |||
) |
private
Definiert in Zeile 1548 der Datei Consumer.php.
01549 { 01550 list($assoc_session, $args) = $this->_createAssociateRequest( 01551 $endpoint, $assoc_type, $session_type); 01552 01553 $response_message = $this->_makeKVPost($args, $endpoint->server_url); 01554 01555 if ($response_message === null) { 01556 // oidutil.log('openid.associate request failed: %s' % (why[0],)) 01557 return null; 01558 } else if (is_a($response_message, 01559 'Auth_OpenID_ServerErrorContainer')) { 01560 return $response_message; 01561 } 01562 01563 return $this->_extractAssociation($response_message, $assoc_session); 01564 }
_verifyDiscoveryResults | ( | $ | message, | |
$ | endpoint = null | |||
) |
private
Definiert in Zeile 980 der Datei Consumer.php.
00981 { 00982 if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) { 00983 return $this->_verifyDiscoveryResultsOpenID2($message, 00984 $endpoint); 00985 } else { 00986 return $this->_verifyDiscoveryResultsOpenID1($message, 00987 $endpoint); 00988 } 00989 }
_verifyDiscoveryResultsOpenID1 | ( | $ | message, | |
$ | endpoint | |||
) |
private
Definiert in Zeile 994 der Datei Consumer.php.
00995 { 00996 $claimed_id = $message->getArg(Auth_OpenID_BARE_NS, 00997 $this->openid1_return_to_identifier_name); 00998 00999 if (($endpoint === null) && ($claimed_id === null)) { 01000 return new Auth_OpenID_FailureResponse($endpoint, 01001 'When using OpenID 1, the claimed ID must be supplied, ' . 01002 'either by passing it through as a return_to parameter ' . 01003 'or by using a session, and supplied to the GenericConsumer ' . 01004 'as the argument to complete()'); 01005 } else if (($endpoint !== null) && ($claimed_id === null)) { 01006 $claimed_id = $endpoint->claimed_id; 01007 } 01008 01009 $to_match = new Auth_OpenID_ServiceEndpoint(); 01010 $to_match->type_uris = array(Auth_OpenID_TYPE_1_1); 01011 $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS, 01012 'identity'); 01013 01014 // Restore delegate information from the initiation phase 01015 $to_match->claimed_id = $claimed_id; 01016 01017 if ($to_match->local_id === null) { 01018 return new Auth_OpenID_FailureResponse($endpoint, 01019 "Missing required field openid.identity"); 01020 } 01021 01022 $to_match_1_0 = $to_match->copy(); 01023 $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0); 01024 01025 if ($endpoint !== null) { 01026 $result = $this->_verifyDiscoverySingle($endpoint, $to_match); 01027 01028 if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { 01029 $result = $this->_verifyDiscoverySingle($endpoint, 01030 $to_match_1_0); 01031 } 01032 01033 if (Auth_OpenID::isFailure($result)) { 01034 // oidutil.log("Error attempting to use stored 01035 // discovery information: " + str(e)) 01036 // oidutil.log("Attempting discovery to 01037 // verify endpoint") 01038 } else { 01039 return $endpoint; 01040 } 01041 } 01042 01043 // Endpoint is either bad (failed verification) or None 01044 return $this->_discoverAndVerify($to_match->claimed_id, 01045 array($to_match, $to_match_1_0)); 01046 }
_verifyDiscoveryResultsOpenID2 | ( | $ | message, | |
$ | endpoint | |||
) |
private
Definiert in Zeile 1103 der Datei Consumer.php.
01104 { 01105 $to_match = new Auth_OpenID_ServiceEndpoint(); 01106 $to_match->type_uris = array(Auth_OpenID_TYPE_2_0); 01107 $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, 01108 'claimed_id'); 01109 01110 $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS, 01111 'identity'); 01112 01113 $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS, 01114 'op_endpoint'); 01115 01116 if ($to_match->server_url === null) { 01117 return new Auth_OpenID_FailureResponse($endpoint, 01118 "OP Endpoint URL missing"); 01119 } 01120 01121 // claimed_id and identifier must both be present or both be 01122 // absent 01123 if (($to_match->claimed_id === null) && 01124 ($to_match->local_id !== null)) { 01125 return new Auth_OpenID_FailureResponse($endpoint, 01126 'openid.identity is present without openid.claimed_id'); 01127 } 01128 01129 if (($to_match->claimed_id !== null) && 01130 ($to_match->local_id === null)) { 01131 return new Auth_OpenID_FailureResponse($endpoint, 01132 'openid.claimed_id is present without openid.identity'); 01133 } 01134 01135 if ($to_match->claimed_id === null) { 01136 // This is a response without identifiers, so there's 01137 // really no checking that we can do, so return an 01138 // endpoint that's for the specified `openid.op_endpoint' 01139 return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL( 01140 $to_match->server_url); 01141 } 01142 01143 if (!$endpoint) { 01144 // The claimed ID doesn't match, so we have to do 01145 // discovery again. This covers not using sessions, OP 01146 // identifier endpoints and responses that didn't match 01147 // the original request. 01148 // oidutil.log('No pre-discovered information supplied.') 01149 return $this->_discoverAndVerify($to_match->claimed_id, 01150 array($to_match)); 01151 } else { 01152 01153 // The claimed ID matches, so we use the endpoint that we 01154 // discovered in initiation. This should be the most 01155 // common case. 01156 $result = $this->_verifyDiscoverySingle($endpoint, $to_match); 01157 01158 if (Auth_OpenID::isFailure($result)) { 01159 $endpoint = $this->_discoverAndVerify($to_match->claimed_id, 01160 array($to_match)); 01161 if (Auth_OpenID::isFailure($endpoint)) { 01162 return $endpoint; 01163 } 01164 } 01165 } 01166 01167 // The endpoint we return should have the claimed ID from the 01168 // message we just verified, fragment and all. 01169 if ($endpoint->claimed_id != $to_match->claimed_id) { 01170 $endpoint->claimed_id = $to_match->claimed_id; 01171 } 01172 01173 return $endpoint; 01174 }
_verifyDiscoveryServices | ( | $ | claimed_id, | |
&$ | services, | |||
&$ | to_match_endpoints | |||
) |
private
Definiert in Zeile 1199 der Datei Consumer.php.
01201 { 01202 // Search the services resulting from discovery to find one 01203 // that matches the information from the assertion 01204 01205 foreach ($services as $endpoint) { 01206 foreach ($to_match_endpoints as $to_match_endpoint) { 01207 $result = $this->_verifyDiscoverySingle($endpoint, 01208 $to_match_endpoint); 01209 01210 if (!Auth_OpenID::isFailure($result)) { 01211 // It matches, so discover verification has 01212 // succeeded. Return this endpoint. 01213 return $endpoint; 01214 } 01215 } 01216 } 01217 01218 return new Auth_OpenID_FailureResponse(null, 01219 sprintf('No matching endpoint found after discovering %s', 01220 $claimed_id)); 01221 }
_verifyDiscoverySingle | ( | $ | endpoint, | |
$ | to_match | |||
) |
private
Definiert in Zeile 1051 der Datei Consumer.php.
01052 { 01053 // Every type URI that's in the to_match endpoint has to be 01054 // present in the discovered endpoint. 01055 foreach ($to_match->type_uris as $type_uri) { 01056 if (!$endpoint->usesExtension($type_uri)) { 01057 return new Auth_OpenID_TypeURIMismatch($endpoint, 01058 "Required type ".$type_uri." not present"); 01059 } 01060 } 01061 01062 // Fragments do not influence discovery, so we can't compare a 01063 // claimed identifier with a fragment to discovered 01064 // information. 01065 list($defragged_claimed_id, $_) = 01066 Auth_OpenID::urldefrag($to_match->claimed_id); 01067 01068 if ($defragged_claimed_id != $endpoint->claimed_id) { 01069 return new Auth_OpenID_FailureResponse($endpoint, 01070 sprintf('Claimed ID does not match (different subjects!), ' . 01071 'Expected %s, got %s', $defragged_claimed_id, 01072 $endpoint->claimed_id)); 01073 } 01074 01075 if ($to_match->getLocalID() != $endpoint->getLocalID()) { 01076 return new Auth_OpenID_FailureResponse($endpoint, 01077 sprintf('local_id mismatch. Expected %s, got %s', 01078 $to_match->getLocalID(), $endpoint->getLocalID())); 01079 } 01080 01081 // If the server URL is None, this must be an OpenID 1 01082 // response, because op_endpoint is a required parameter in 01083 // OpenID 2. In that case, we don't actually care what the 01084 // discovered server_url is, because signature checking or 01085 // check_auth should take care of that check for us. 01086 if ($to_match->server_url === null) { 01087 if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) { 01088 return new Auth_OpenID_FailureResponse($endpoint, 01089 "Preferred namespace mismatch (bug)"); 01090 } 01091 } else if ($to_match->server_url != $endpoint->server_url) { 01092 return new Auth_OpenID_FailureResponse($endpoint, 01093 sprintf('OP Endpoint mismatch. Expected %s, got %s', 01094 $to_match->server_url, $endpoint->server_url)); 01095 } 01096 01097 return null; 01098 }
_verifyReturnToArgs | ( | $ | query | ) |
private
Definiert in Zeile 880 der Datei Consumer.php.
00881 { 00882 // Verify that the arguments in the return_to URL are present in this 00883 // response. 00884 00885 $message = Auth_OpenID_Message::fromPostArgs($query); 00886 $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); 00887 00888 if (Auth_OpenID::isFailure($return_to)) { 00889 return $return_to; 00890 } 00891 // XXX: this should be checked by _idResCheckForFields 00892 if (!$return_to) { 00893 return new Auth_OpenID_FailureResponse(null, 00894 "Response has no return_to"); 00895 } 00896 00897 $parsed_url = parse_url($return_to); 00898 00899 $q = array(); 00900 if (array_key_exists('query', $parsed_url)) { 00901 $rt_query = $parsed_url['query']; 00902 $q = Auth_OpenID::parse_str($rt_query); 00903 } 00904 00905 foreach ($q as $rt_key => $rt_value) { 00906 if (!array_key_exists($rt_key, $query)) { 00907 return new Auth_OpenID_FailureResponse(null, 00908 sprintf("return_to parameter %s absent from query", $rt_key)); 00909 } else { 00910 $value = $query[$rt_key]; 00911 if ($rt_value != $value) { 00912 return new Auth_OpenID_FailureResponse(null, 00913 sprintf("parameter %s value %s does not match " . 00914 "return_to value %s", $rt_key, 00915 $value, $rt_value)); 00916 } 00917 } 00918 } 00919 00920 // Make sure all non-OpenID arguments in the response are also 00921 // in the signed return_to. 00922 $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); 00923 foreach ($bare_args as $key => $value) { 00924 if (Auth_OpenID::arrayGet($q, $key) != $value) { 00925 return new Auth_OpenID_FailureResponse(null, 00926 sprintf("Parameter %s = %s not in return_to URL", 00927 $key, $value)); 00928 } 00929 } 00930 00931 return true; 00932 }
Auth_OpenID_GenericConsumer | ( | &$ | store | ) |
This method initializes a new Auth_OpenID_Consumer instance to access the library.
Auth_OpenID_OpenIDStore | $store This must be an object that implements the interface in Auth_OpenID_OpenIDStore. Several concrete implementations are provided, to cover most common use cases. For stores backed by MySQL, PostgreSQL, or SQLite, see the Auth_OpenID_SQLStore class and its sublcasses. For a filesystem-backed store, see the Auth_OpenID_FileStore module. As a last resort, if it isn't possible for the server to store state at all, an instance of Auth_OpenID_DumbStore can be used. | |
bool | $immediate This is an optional boolean value. It controls whether the library uses immediate mode, as explained in the module description. The default value is False, which disables immediate mode. |
Definiert in Zeile 614 der Datei Consumer.php.
00615 { 00616 $this->store =& $store; 00617 $this->negotiator =& Auth_OpenID_getDefaultNegotiator(); 00618 $this->_use_assocs = ($this->store ? true : false); 00619 00620 $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); 00621 00622 $this->session_types = Auth_OpenID_getAvailableSessionTypes(); 00623 }
begin | ( | $ | service_endpoint | ) |
Called to begin OpenID authentication using the specified Auth_OpenID_ServiceEndpoint.
private
Definiert in Zeile 631 der Datei Consumer.php.
00632 { 00633 $assoc = $this->_getAssociation($service_endpoint); 00634 $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); 00635 $r->return_to_args[$this->openid1_nonce_query_arg_name] = 00636 Auth_OpenID_mkNonce(); 00637 00638 if ($r->message->isOpenID1()) { 00639 $r->return_to_args[$this->openid1_return_to_identifier_name] = 00640 $r->endpoint->claimed_id; 00641 } 00642 00643 return $r; 00644 }
complete | ( | $ | message, | |
$ | endpoint, | |||
$ | return_to | |||
) |
Given an Auth_OpenID_Message, Auth_OpenID_ServiceEndpoint and optional return_to URL, complete OpenID authentication.
private
Definiert in Zeile 653 der Datei Consumer.php.
00654 { 00655 $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', 00656 '<no mode set>'); 00657 00658 $mode_methods = array( 00659 'cancel' => '_complete_cancel', 00660 'error' => '_complete_error', 00661 'setup_needed' => '_complete_setup_needed', 00662 'id_res' => '_complete_id_res', 00663 ); 00664 00665 $method = Auth_OpenID::arrayGet($mode_methods, $mode, 00666 '_completeInvalid'); 00667 00668 return call_user_func_array(array(&$this, $method), 00669 array($message, $endpoint, $return_to)); 00670 }
$_use_assocs |
private
Definiert in Zeile 582 der Datei Consumer.php.
$discoverMethod = 'Auth_OpenID_discover' |
private
Definiert in Zeile 572 der Datei Consumer.php.
$openid1_nonce_query_arg_name = 'janrain_nonce' |
private
Definiert in Zeile 587 der Datei Consumer.php.
$openid1_return_to_identifier_name = 'openid1_claimed_id' |
Another query parameter that gets added to the return_to for OpenID 1; if the user's session state is lost, use this claimed identifier to do discovery when verifying the response.
Definiert in Zeile 594 der Datei Consumer.php.
$store |
This consumer's store object.
Definiert in Zeile 577 der Datei Consumer.php.
Copyright © 2003 - 2009 MyOOS [Shopsystem]. All rights reserved. MyOOS [Shopsystem] is Free Software released under the GNU/GPL License. Webmaster: info@r23.de (Impressum) |
|