commit 6c903f95ea2512d20cd0fe30141ea4a6fccaa589
parent f5494fa2fb852f48911115fafa78e92aca2e2270
Author: dankert <devnull@localhost>
Date: Fri, 5 Nov 2010 01:46:24 +0100
Unterstützung für OpenId 2.0
Diffstat:
1 file changed, 121 insertions(+), 17 deletions(-)
diff --git a/serviceClasses/OpenId.class.php b/serviceClasses/OpenId.class.php
@@ -2,7 +2,7 @@
/**
- * Open-Id Authentisierung gemäß OpenId-Spezifikation 1.0.
+ * Open-Id Authentisierung gem�� OpenId-Spezifikation 1.0.
*
*/
class OpenId
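Review bot: The class docblock still says the implementation follows OpenID specification 1.0, while this commit adds 2.0 request parameters and XRDS type detection; I would update it to something like ` * Open-Id Authentisierung gemäß OpenId-Spezifikation 1.1 und 2.0 (AX/SREG-Erweiterungen, sofern der Provider sie anbietet).`. Separately, every umlaut on the new side of this hunk and of the comment hunks at serverOk(), the serverOk() call site, the meta-tag regex comment, the checkAuthentication() docblock and the is_valid comments now shows as a replacement character, which looks like the file was re-saved in a different encoding rather than an intended edit; keeping the file in its original encoding would avoid the churn and keep the comments readable.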
@@ -44,6 +44,12 @@ class OpenId
var $user;
+ var $supportAX;
+ var $supportSREG;
+ var $supportOpenId1_1;
+ var $supportOpenId2_0;
+
+
/**
* Neue Open-Id Anfrage.
*
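Review bot: The four new capability flags are undeclared in intent and uninitialised, so a reader has to find the XRDS parser to learn who sets them and that an unset flag is meant to read as "not supported". A short comment per property would fix that, e.g. `var $supportAX = false; // XRDS advertises Attribute Exchange 1.0 (set during discovery)` and likewise for `$supportSREG`, `$supportOpenId1_1` and `$supportOpenId2_0`; initialising them to `false` also makes the later `if ( $this->supportOpenId2_0 )` checks explicit rather than relying on a null default.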
@@ -57,9 +63,9 @@ class OpenId
/**
- * Stellt fest, ob der Server vertrauenswürdig ist.
+ * Stellt fest, ob der Server vertrauensw�rdig ist.
*
- * @return true, wenn vertrauenswürdig.
+ * @return true, wenn vertrauensw�rdig.
*/
function serverOk()
{
@@ -114,7 +120,7 @@ class OpenId
}
if ( !$this->serverOk() )
- return false; // Server nicht vertrauenswürdig.
+ return false; // Server nicht vertrauensw�rdig.
if ( empty($this->identity) )
// Falls die Identity bis hierher nicht deligiert wurde...
@@ -132,7 +138,56 @@ class OpenId
function redirect()
{
global $conf;
-
+ /*
+doodle:
+https://www.google.com/accounts/o8/ud?
+openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&
+openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
+&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
+&openid.mode=checkid_setup
+&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0
+&openid.ext1.mode=fetch_request
+&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail
+&openid.ext1.type.fullname=http%3A%2F%2Faxschema.org%2FnamePerson
+&openid.ext1.type.firstname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst
+&openid.ext1.type.lastname=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast
+&openid.ext1.type.language=http%3A%2F%2Faxschema.org%2Fpref%2Flanguage
+&openid.ext1.type.timezone=http%3A%2F%2Faxschema.org%2Fpref%2Ftimezone
+&openid.ext1.type.dob=http%3A%2F%2Faxschema.org%2FbirthDate
+&openid.ext1.type.gender=http%3A%2F%2Faxschema.org%2Fperson%2Fgender
+&openid.ext1.required=email%2Cfullname%2Cfirstname%2Clastname
+&openid.ext1.if_available=language%2Ctimezone%2Cdob%2Cgender
+&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1
+&openid.sreg.required=email%2Cfullname
+&openid.sreg.optional=language%2Ctimezone%2Cdob%2Cgender
+&openid.sreg.policy_url=http%3A%2F%2Fdoodle.com%2Fabout%2Ftos.html
+&openid.return_to=https%3A%2F%2Fdoodle.com%2Fmydoodle%2FopenIdAuth
+&openid.assoc_handle=AOQobUe2ez4x3-uPrza74M3s6dFXM-guMR8Q8nt6OBZ2Bbr-ehJ1y0n1
+&openid.realm=https%3A%2F%2Fdoodle.com
+or:
+https://www.google.com/accounts/o8/ud?openid.mode=checkid_setup&openid.identity=http%3A%2F%2Fhttp%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&openid.sreg.required=email&openid.sreg.optional=fullname%2Clanguage&openid.trust_root=http%3A%2F%2Flocalhost%2F~dankert%2Fcms-test%2F09%2F&openid.return_to=http%3A%2F%2Flocalhost%2F~dankert%2Fcms-test%2F09%2Fopenid.php&openid.assoc_handle=ba1a257963793d3da613012507f8b3dc
+
+
+https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.sreg.required=email&openid.sreg.optional=fullname%2Clanguage&openid.trust_root=http%3A%2F%2Flocalhost%2F~dankert%2Fcms-test%2F09%2F&openid.return_to=http%3A%2F%2Flocalhost%2F~dankert%2Fcms-test%2F09%2Fopenid.php&openid.assoc_handle=49d81537840793d1c9c6dd81ba87481d
+
+
+antwort von google an or:
+http://localhost/~dankert/cms-test/09/openid.php?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res
+&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&
+openid.response_nonce=2010-11-04T23%3A25%3A28ZfqphjoO3sRtDqw
+&openid.return_to=http%3A%2F%2Flocalhost%2F~dankert%2Fcms-test%2F09%2Fopenid.php
+&openid.invalidate_handle=68190efac8e20589c43ca83abc48a859
+&openid.assoc_handle=AOQobUcqrjsOLlzkJgE5QFWdFpikCKcFHbVtGMOG4L3ktOp4jS9NKpi
+7&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle
+&openid.sig=bErVC%2FlYpm%2Bi1HVAIe4vvhSld2g%3D
+&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawn9xVhyM9_Yf-XkfYtSZnSBP5hgXIuVAUA
+&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawn9xVhyM9_Yf-XkfYtSZnSBP5hgXIuVAUA
+
+antwort von google an doodle:
+https://doodle.com/mydoodle/openIdAuth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2010-11-05T00%3A07%3A11Z56FFqcL6B5teKQ&openid.return_to=https%3A%2F%2Fdoodle.com%2Fmydoodle%2FopenIdAuth&openid.assoc_handle=AOQobUe2ez4x3-uPrza74M3s6dFXM-guMR8Q8nt6OBZ2Bbr-ehJ1y0n1&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.firstname%2Cext1.value.firstname%2Cext1.type.email%2Cext1.value.email%2Cext1.type.lastname%2Cext1.value.lastname&openid.sig=eDdaxAhDl8IOgPLjgJB25pG9hKA%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawkhGOOFbCs1EsijGYKG_afWsM8AfHedV5s&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawkhGOOFbCs1EsijGYKG_afWsM8AfHedV5s&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.firstname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstname=Jan&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.value.email=jandunkerbeck%40googlemail.com&openid.ext1.type.lastname=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastname=Dunkerbeck
+
+*/
+ //$this->identity = 'http://specs.openid.net/auth/2.0/identifier_select';
$openid_handle = md5(microtime().session_id());
Session::set('openid_user' ,$this->user );
Session::set('openid_server' ,$this->server );
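Review bot: The comment block pasted into redirect() is a capture of real protocol exchanges and carries a third party's e-mail address, Google account identifiers, association handles and signatures; none of that belongs in source control, and the example requests to a non-project site add nothing the spec does not already describe. I would delete the whole block and keep a one-line pointer instead, e.g. `// Request-Aufbau siehe OpenID Authentication 2.0, Kapitel 9.1 (AX: openid.net/srv/ax/1.0, SREG: sreg 1.0/1.1).` The commented-out `identifier_select` assignment below it is either needed (see the 2.0 request parameters further down in redirect()) or should go as well rather than stay as dead code.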
@@ -140,12 +195,39 @@ class OpenId
Session::set('openid_handle' ,$openid_handle );
$redirHttp = new Http($this->server);
+
+ if ( $this->supportOpenId2_0 )
+ $redirHttp->requestParameter['openid.ns' ] = 'http://specs.openid.net/auth/2.0';
+
$redirHttp->requestParameter['openid.mode' ] = 'checkid_setup';
$redirHttp->requestParameter['openid.identity' ] = $this->identity;
+
+ if ( $this->supportOpenId2_0 )
+ $redirHttp->requestParameter['openid.claimed_id'] = $this->identity;
+
- // Profilangaben anfordern. E-Mail wird benötigt, Name und Sprache sind optional.
- $redirHttp->requestParameter['openid.sreg.required'] = 'email';
- $redirHttp->requestParameter['openid.sreg.optional'] = 'fullname,language';
+ // Profilangaben anfordern. E-Mail wird ben�tigt, Name und Sprache sind optional.
+
+ if ( $this->supportAX )
+ {
+ Logger::info("Server is using OpenID Attribute Exchange 1.0");
+ $redirHttp->requestParameter['openid.ns.ax' ] = 'http://openid.net/srv/ax/1.0';
+ $redirHttp->requestParameter['openid.ax.mode' ] = 'fetch_request';
+ $redirHttp->requestParameter['openid.ax.type.email' ] = 'http://axschema.org/contact/email';
+ $redirHttp->requestParameter['openid.ax.type.username' ] = 'http://axschema.org/namePerson/friendly';
+ $redirHttp->requestParameter['openid.ax.type.fullname' ] = 'http://axschema.org/namePerson';
+ $redirHttp->requestParameter['openid.ax.type.language' ] = 'http://axschema.org/pref/language';
+ $redirHttp->requestParameter['openid.ax.required' ] = 'username,email';
+ $redirHttp->requestParameter['openid.ax.if_available' ] = 'language,fullname';
+ }
+
+ if ( $this->supportSREG )
+ {
+ Logger::info("Server is using OpenID Simple Registration Extension 1.0");
+ $redirHttp->requestParameter['openid.ns.sreg' ] = 'http://openid.net/sreg/1.0';
+ $redirHttp->requestParameter['openid.sreg.required'] = 'email,nickname';
+ $redirHttp->requestParameter['openid.sreg.optional'] = 'fullname,language';
+ }
$trustRoot = @$conf['security']['openid']['trust_root'];
$server = Http::getServer();
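Review bot: In 2.0 mode the request sends `$this->identity` as both `openid.identity` and `openid.claimed_id`, but `supportOpenId2_0` is only switched on when discovery saw the `http://specs.openid.net/auth/2.0/server` Type, which marks an OP Identifier (an endpoint like Google's `o8/id`) rather than a user's claimed identifier; for that case OpenID 2.0 requires both fields to carry `http://specs.openid.net/auth/2.0/identifier_select`, which is what the commented-out assignment earlier in redirect() was trying to do. If I read the XRDS semantics right, the fix is to set `$this->identity = 'http://specs.openid.net/auth/2.0/identifier_select';` inside the `if ( $this->supportOpenId2_0 )` branch before the identity/claimed_id parameters are filled, and then to treat the identity returned by the OP as OP-chosen in checkAuthentication() instead of comparing it with the value sent. As a minor point of style, the two single-statement `if` bodies here are unbraced while the AX/SREG blocks right below are braced; braces on all four would keep the method uniform. redirect() continues outside the hunk.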
@@ -154,6 +236,7 @@ class OpenId
$redirHttp->requestParameter['openid.trust_root' ] = slashify($trustRoot);
$redirHttp->requestParameter['openid.return_to' ] = slashify($server).'openid.'.PHP_EXT;
+ //$redirHttp->requestParameter['openid.realm' ] = slashify($server).'openid.'.PHP_EXT;
$redirHttp->requestParameter['openid.assoc_handle' ] = $openid_handle;
$redirHttp->sendRedirect(); // Browser umleiten.
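Review bot: OpenID 2.0 calls this parameter `openid.realm`; `openid.trust_root` is the 1.x name, so in 2.0 mode the realm is only ever sent under the legacy name while the realm line stays commented out. The commented line also derives its value from `$server` rather than the configured `$trustRoot` used for trust_root one line above, so the two would not necessarily agree; the return_to URL must fall under the realm for the OP to accept it. I would replace the comment with `if ( $this->supportOpenId2_0 ) $redirHttp->requestParameter['openid.realm'] = slashify($trustRoot);` so that both names carry the same value. redirect() continues outside the hunk.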
@@ -179,13 +262,29 @@ class OpenId
return false;
}
-// Html::debug(htmlentities($http->body));
+ //Html::debug(htmlentities($http->body));
+ //die();
$p = xml_parser_create();
$ok = xml_parse_into_struct($p, $http->body, $vals, $index);
xml_parser_free($p);
foreach( $vals as $tag )
{
+ if ( strtolower($tag['tag']) == 'type' )
+ {
+ if ( $tag['value'] == 'http://openid.net/srv/ax/1.0' )
+ $this->supportAX = true;
+
+ if ( $tag['value'] == 'http://openid.net/sreg/1.0' )
+ $this->supportSREG = true;
+
+ if ( $tag['value'] == 'http://openid.net/signon/1.1' )
+ $this->supportOpenId1_1 = true;
+
+ if ( $tag['value'] == 'http://specs.openid.net/auth/2.0/server' )
+ $this->supportOpenId2_0 = true;
+ }
+
if ( strtolower($tag['tag']) == 'uri' )
{
$this->server = $tag['value'];
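Review bot: The Type branch reads `$tag['value']` unconditionally, but `xml_parse_into_struct` does not populate `value` for entries without character data (for example the `close` entry of an element), so an empty or self-closing `Type` element would raise an undefined-index notice; `$type = isset($tag['value']) ? trim($tag['value']) : '';` and comparing against `$type` avoids that and also tolerates whitespace around the URI. Only `http://specs.openid.net/auth/2.0/server` enables 2.0 mode, so an XRDS for a personal identifier that advertises `http://specs.openid.net/auth/2.0/signon` would still get the 1.x request; that Type should presumably set `supportOpenId2_0` too. Because the parsed struct is flat, the Type and URI entries lose their Service grouping, so the flags may be set by one Service element while `$this->server` is taken from another; at least a comment stating that assumption would help, and `$ok` from the parse call is never checked. The loop continues outside the hunk.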
@@ -197,7 +296,6 @@ class OpenId
}
}
}
-
/**
@@ -218,7 +316,7 @@ class OpenId
$seite = $http->body;
- // Die Meta-Tags mit regulärem Ausdruck auslesen.
+ // Die Meta-Tags mit regul�rem Ausdruck auslesen.
$treffer = array();
preg_match('/rel="openid.server"\s+href="(\S+)"/',$seite,$treffer);
if ( count($treffer) >= 1 )
@@ -244,14 +342,14 @@ class OpenId
/**
- * Open-Id Login, Überprüfen der Anmeldung.<br>
+ * Open-Id Login, �berpr�fen der Anmeldung.<br>
* Spezifikation: http://openid.net/specs/openid-authentication-1_1.html<br>
* Kapitel "4.4. check_authentication"<br>
* <br>
- * Im 2. Schritt (Mode "id_res") erfolgte ein Redirect vom Open-Id Provider an OpenRat zurück.<br>
+ * Im 2. Schritt (Mode "id_res") erfolgte ein Redirect vom Open-Id Provider an OpenRat zur�ck.<br>
* Wir befinden uns nun im darauf folgenden Request des Browsers.<br>
* <br>
- * Es muss noch beim OpenId-Provider die Bestätigung eingeholt werden, danach ist der
+ * Es muss noch beim OpenId-Provider die Best�tigung eingeholt werden, danach ist der
* Benutzer angemeldet.<br>
*/
function checkAuthentication()
@@ -270,6 +368,12 @@ class OpenId
return false;
}
+ if ( $REQ['openid_mode'] != 'id_res' )
+ {
+ $this->error ='Open-Id: Unknown mode:'.$REQ['openid_mode'];
+ return false;
+ }
+
if ( $REQ['openid_identity'] != $this->identity )
{
$this->error ='Open-Id: Identity mismatch. Wrong identity:'.$REQ['openid_identity'];
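Review bot: The new mode check compares with loose `!=` and copies the raw `openid_mode` request value into `$this->error`; if that message is rendered without escaping it reflects query input back to the page, so I would use `if ( $REQ['openid_mode'] !== 'id_res' )` and either drop the echoed value or escape it where the error is displayed. A user who cancels at the provider comes back with `openid.mode=cancel`, which this branch now reports as an unknown mode; a dedicated message for that case would be clearer. Note also that once 2.0 requests use `identifier_select`, the returned `openid.identity` is chosen by the OP and the equality check against `$this->identity` below would reject every such login; the 2.0 path needs the returned claimed identifier verified by re-running discovery on it rather than by comparison with the value sent. checkAuthentication()'s body continues outside the hunk.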
@@ -304,7 +408,7 @@ class OpenId
}
// Analyse der HTTP-Antwort, Parsen des BODYs.
- // Die Anmeldung ist bestätigt, wenn im BODY die Zeile "is_valid:true" vorhanden ist.
+ // Die Anmeldung ist best�tigt, wenn im BODY die Zeile "is_valid:true" vorhanden ist.
// Siehe Spezifikation Kapitel 4.4.2
$valid = null;
foreach( explode("\n",$checkRequest->body) as $line )
@@ -322,12 +426,12 @@ class OpenId
}
elseif ( $valid )
{
- // Anmeldung wurde mit "is_valid:true" bestätigt.
+ // Anmeldung wurde mit "is_valid:true" best�tigt.
return true;
}
else
{
- // Bestätigung wurde durch den OpenId-Provider abgelehnt.
+ // Best�tigung wurde durch den OpenId-Provider abgelehnt.
$this->error = 'Server refused login.';
return false;
}