|
|
|
|
@ -1,4 +1,5 @@ |
|
|
|
|
<?php |
|
|
|
|
|
|
|
|
|
/* For licensing terms, see /license.txt */ |
|
|
|
|
/** |
|
|
|
|
* OpenID login method |
|
|
|
|
@ -12,14 +13,23 @@ |
|
|
|
|
/** |
|
|
|
|
* Initialisation |
|
|
|
|
*/ |
|
|
|
|
require_once dirname(__FILE__).'../../inc/conf/auth.conf.php'; |
|
|
|
|
require_once api_get_path(CONFIGURATION_PATH) . 'auth.conf.php'; |
|
|
|
|
|
|
|
|
|
require_once 'openid.lib.php'; |
|
|
|
|
require_once 'xrds.lib.php'; |
|
|
|
|
|
|
|
|
|
function openid_form() |
|
|
|
|
{ |
|
|
|
|
return '<div class="menusection"><span class="menusectioncaption">'.get_lang('OpenIdAuthentication').'</span><form name="openid_login" method="post"><label for="openid_url">'.get_lang('OpenIDURL').' <a href="main/auth/openid/whatis.php" title="'.get_lang('OpenIDWhatIs').'">'.Display::return_icon('info3.gif',get_lang('Info')).'</a></label><input type="text" id="openid_url" name="openid_url" style="background: url(main/img/openid_small_logo.png) no-repeat; background-color: #fff; background-position: 0 50%; padding-left:18px;" value="http://"></input><input type="submit" name="openid_login" value="'.get_lang('Enter').'" /><br /><br /></form></div>'; |
|
|
|
|
function openid_form() { |
|
|
|
|
//get_lang('OpenIdAuthentication') |
|
|
|
|
$form = new FormValidator('openid_login', 'post', null, null, array('class' => 'form-vertical form_login')); |
|
|
|
|
$form->addElement('text', 'openid_url', array(get_lang('OpenIDURL'), Display::url(get_lang('OpenIDWhatIs'), 'main/auth/openid/whatis.php')), array('class' => 'openid_input')); |
|
|
|
|
$form->addElement('button', 'submit', get_lang('Login')); |
|
|
|
|
return $form->return_form(); |
|
|
|
|
/* |
|
|
|
|
return '<label for="openid_url">'.get_lang('OpenIDURL').' <a href="main/auth/openid/whatis.php" title="'.get_lang('OpenIDWhatIs').'">'.Display::return_icon('info3.gif',get_lang('Info')).'</a></label> |
|
|
|
|
<input type="text" id="openid_url" name="openid_url" style="background: url(main/img/openid_small_logo.png) no-repeat; background-color: #fff; background-position: 0 50%; padding-left:18px;" value="http://"></input> |
|
|
|
|
* <input type="submit" name="openid_login" value="'.get_lang('Enter').'" /><br /><br /></form></div>'; |
|
|
|
|
* |
|
|
|
|
*/ |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
@ -32,17 +42,14 @@ function openid_form() |
|
|
|
|
* @param $claimed_id The OpenID to authenticate |
|
|
|
|
* @param $return_to The endpoint to return to from the OpenID Provider |
|
|
|
|
*/ |
|
|
|
|
function openid_begin($claimed_id, $return_to = '', $form_values = array()) |
|
|
|
|
{ |
|
|
|
|
function openid_begin($claimed_id, $return_to = '', $form_values = array()) { |
|
|
|
|
|
|
|
|
|
$claimed_id = _openid_normalize($claimed_id); |
|
|
|
|
|
|
|
|
|
$services = openid_discovery($claimed_id); |
|
|
|
|
if (count($services) == 0) { |
|
|
|
|
echo 'Sorry, that is not a valid OpenID. Please ensure you have spelled your ID correctly.'; |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
$op_endpoint = $services[0]['uri']; |
|
|
|
|
// Store the discovered endpoint in the session (so we don't have to rediscover). |
|
|
|
|
$_SESSION['openid_op_endpoint'] = $op_endpoint; |
|
|
|
|
@ -57,7 +64,6 @@ function openid_begin($claimed_id, $return_to = '', $form_values = array()) |
|
|
|
|
if (function_exists('bcadd')) { |
|
|
|
|
$assoc_handle = openid_association($op_endpoint); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// Now that there is an association created, move on |
|
|
|
|
// to request authentication from the IdP |
|
|
|
|
$identity = (!empty($services[0]['delegate'])) ? $services[0]['delegate'] : $claimed_id; |
|
|
|
|
@ -65,11 +71,9 @@ function openid_begin($claimed_id, $return_to = '', $form_values = array()) |
|
|
|
|
$identity = 'http://openid.net/identifier_select/2.0'; |
|
|
|
|
} |
|
|
|
|
$authn_request = openid_authentication_request($claimed_id, $identity, $return_to, $assoc_handle, $services[0]['version']); |
|
|
|
|
|
|
|
|
|
if ($services[0]['version'] == 2) { |
|
|
|
|
openid_redirect($op_endpoint, $authn_request); |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
openid_redirect_http($op_endpoint, $authn_request); |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
@ -83,8 +87,7 @@ function openid_begin($claimed_id, $return_to = '', $form_values = array()) |
|
|
|
|
* @return $response Response values for further processing with |
|
|
|
|
* $response['status'] set to one of 'success', 'failed' or 'cancel'. |
|
|
|
|
*/ |
|
|
|
|
function openid_complete($response) |
|
|
|
|
{ |
|
|
|
|
function openid_complete($response) { |
|
|
|
|
// Default to failed response |
|
|
|
|
$response['status'] = 'failed'; |
|
|
|
|
if (isset($_SESSION['openid_op_endpoint']) && isset($_SESSION['openid_claimed_id'])) { |
|
|
|
|
@ -96,8 +99,7 @@ function openid_complete($response) |
|
|
|
|
if (isset($response['openid.mode'])) { |
|
|
|
|
if ($response['openid.mode'] == 'cancel') { |
|
|
|
|
$response['status'] = 'cancel'; |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
if (openid_verify_assertion($op_endpoint, $response)) { |
|
|
|
|
$response['openid.identity'] = $claimed_id; |
|
|
|
|
$response['status'] = 'success'; |
|
|
|
|
@ -135,13 +137,11 @@ function openid_discovery($claimed_id) { |
|
|
|
|
if (isset($result->headers['Content-Type']) && preg_match("/application\/xrds\+xml/", $result->headers['Content-Type'])) { |
|
|
|
|
// Parse XML document to find URL |
|
|
|
|
$services = xrds_parse($result->data); |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
$xrds_url = NULL; |
|
|
|
|
if (isset($result->headers['X-XRDS-Location'])) { |
|
|
|
|
$xrds_url = $result->headers['X-XRDS-Location']; |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
// Look for meta http-equiv link in HTML head |
|
|
|
|
$xrds_url = _openid_meta_httpequiv('X-XRDS-Location', $result->data); |
|
|
|
|
} |
|
|
|
|
@ -185,14 +185,15 @@ function openid_discovery($claimed_id) { |
|
|
|
|
* @return $assoc_handle The association handle. |
|
|
|
|
*/ |
|
|
|
|
function openid_association($op_endpoint) { |
|
|
|
|
|
|
|
|
|
// Remove Old Associations: |
|
|
|
|
//TODO |
|
|
|
|
//@todo Remove Old Associations: |
|
|
|
|
$openid_association = Database::get_main_table(TABLE_MAIN_OPENID_ASSOCIATION); |
|
|
|
|
Database::query("DELETE FROM $openid_association WHERE created + expires_in < %d", time()); |
|
|
|
|
$sql = "DELETE FROM $openid_association WHERE created + expires_in < '" . api_get_utc_datetime() . "'"; |
|
|
|
|
Database::query($sql); |
|
|
|
|
|
|
|
|
|
// Check to see if we have an association for this IdP already |
|
|
|
|
$assoc_handle = Database::query("SELECT assoc_handle FROM $openid_association WHERE idp_endpoint_uri = '%s'", $op_endpoint); |
|
|
|
|
$op_endpoint = Database::escape_string($op_endpoint); |
|
|
|
|
$sql = "SELECT assoc_handle FROM $openid_association WHERE idp_endpoint_uri = '$op_endpoint'"; |
|
|
|
|
$assoc_handle = Database::query($sql); |
|
|
|
|
if (Database::num_rows($assoc_handle) <= 1) { |
|
|
|
|
$mod = OPENID_DH_DEFAULT_MOD; |
|
|
|
|
$gen = OPENID_DH_DEFAULT_GEN; |
|
|
|
|
@ -223,12 +224,10 @@ function openid_association($op_endpoint) { |
|
|
|
|
} |
|
|
|
|
//TODO |
|
|
|
|
$openid_association = Database::get_main_table(TABLE_MAIN_OPENID_ASSOCIATION); |
|
|
|
|
Database::query(sprintf("INSERT INTO $openid_association (idp_endpoint_uri, session_type, assoc_handle, assoc_type, expires_in, mac_key, created) VALUES('%s', '%s', '%s', '%s', %d, '%s', %d)", |
|
|
|
|
$op_endpoint, $assoc_response['session_type'], $assoc_response['assoc_handle'], $assoc_response['assoc_type'], $assoc_response['expires_in'], $assoc_response['mac_key'], time())); |
|
|
|
|
Database::query(sprintf("INSERT INTO $openid_association (idp_endpoint_uri, session_type, assoc_handle, assoc_type, expires_in, mac_key, created) VALUES('%s', '%s', '%s', '%s', %d, '%s', %d)", $op_endpoint, $assoc_response['session_type'], $assoc_response['assoc_handle'], $assoc_response['assoc_type'], $assoc_response['expires_in'], $assoc_response['mac_key'], api_get_utc_datetime())); |
|
|
|
|
|
|
|
|
|
$assoc_handle = $assoc_response['assoc_handle']; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return $assoc_handle; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -270,8 +269,7 @@ function openid_authentication_request($claimed_id, $identity, $return_to = '', |
|
|
|
|
|
|
|
|
|
if ($version == 2) { |
|
|
|
|
$request['openid.realm'] = $realm; |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
$request['openid.trust_root'] = $realm; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -308,12 +306,10 @@ function openid_verify_assertion($op_endpoint, $response) { |
|
|
|
|
$self_sig = _openid_signature($association, $response, $keys_to_sign); |
|
|
|
|
if ($self_sig == $response['openid.sig']) { |
|
|
|
|
$valid = TRUE; |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
$valid = FALSE; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
$request = $response; |
|
|
|
|
$request['openid.mode'] = 'check_authentication'; |
|
|
|
|
$message = _openid_create_message($request); |
|
|
|
|
@ -323,8 +319,7 @@ function openid_verify_assertion($op_endpoint, $response) { |
|
|
|
|
$response = _openid_parse_message($result->data); |
|
|
|
|
if (strtolower(trim($response['is_valid'])) == 'true') { |
|
|
|
|
$valid = TRUE; |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
$valid = FALSE; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
@ -424,8 +419,7 @@ function openid_http_request($url, $headers = array(), $method = 'GET', $data = |
|
|
|
|
// RFC 2109: the Set-Cookie response header comprises the token Set- |
|
|
|
|
// Cookie:, followed by a comma-separated list of one or more cookies. |
|
|
|
|
$result->headers[$header] .= ',' . trim($value); |
|
|
|
|
} |
|
|
|
|
else { |
|
|
|
|
} else { |
|
|
|
|
$result->headers[$header] = trim($value); |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
Julio Montoya
13 years ago