Browse Source

OpenId client identiy/claimed_id separation fixed.

tags/2.0.0-beta
Paul Klimov 11 years ago
parent
commit
fea6520070
  1. 64
      extensions/yii/authclient/OpenId.php

64
extensions/yii/authclient/OpenId.php

@ -19,7 +19,6 @@ use Yii;
* @property string $returnUrl authentication return URL. * @property string $returnUrl authentication return URL.
* @property mixed $identity ??? * @property mixed $identity ???
* @property string $trustRoot client trust root (realm), by default [[\yii\web\Request::hostInfo]] value will be used. * @property string $trustRoot client trust root (realm), by default [[\yii\web\Request::hostInfo]] value will be used.
* @property mixed $mode ??? This property is read-only.
* *
* @author Paul Klimov <klimov.paul@gmail.com> * @author Paul Klimov <klimov.paul@gmail.com>
* @since 2.0 * @since 2.0
@ -54,8 +53,10 @@ class OpenId extends BaseClient implements ClientInterface
* @var string authentication return URL. * @var string authentication return URL.
*/ */
private $_returnUrl; private $_returnUrl;
private $_identity; private $_identity;
private $claimed_id;
private $_claimedId;
/** /**
* @var string client trust root (realm), by default [[\yii\web\Request::hostInfo]] value will be used. * @var string client trust root (realm), by default [[\yii\web\Request::hostInfo]] value will be used.
*/ */
@ -103,7 +104,7 @@ class OpenId extends BaseClient implements ClientInterface
} }
} }
$this->_identity = $value; $this->_identity = $value;
$this->claimed_id = $value; $this->_claimedId = $value;
} }
public function getIdentity() public function getIdentity()
@ -111,7 +112,7 @@ class OpenId extends BaseClient implements ClientInterface
/* We return claimed_id instead of identity, /* We return claimed_id instead of identity,
because the developer should see the claimed identifier, because the developer should see the claimed identifier,
i.e. what he set as identity, not the op-local identifier (which is what we verify)*/ i.e. what he set as identity, not the op-local identifier (which is what we verify)*/
return $this->claimed_id; return $this->_claimedId;
} }
/** /**
@ -152,11 +153,6 @@ class OpenId extends BaseClient implements ClientInterface
return $this->_trustRoot; return $this->_trustRoot;
} }
public function getMode()
{
return empty($this->data['openid_mode']) ? null : $this->data['openid_mode'];
}
/** /**
* Generates default [[returnUrl]] value. * Generates default [[returnUrl]] value.
* @return string default authentication return URL. * @return string default authentication return URL.
@ -239,10 +235,10 @@ class OpenId extends BaseClient implements ClientInterface
$headers[$name] = trim(substr($header, $pos+1)); $headers[$name] = trim(substr($header, $pos+1));
} }
# Updating claimed_id in case of redirections. // Updating claimed_id in case of redirections.
$effective_url = curl_getinfo($curl, CURLINFO_EFFECTIVE_URL); $effectiveUrl = curl_getinfo($curl, CURLINFO_EFFECTIVE_URL);
if ($effective_url != $url) { if ($effectiveUrl != $url) {
$this->identity = $this->claimed_id = $effective_url; $this->_identity = $this->_claimedId = $effectiveUrl;
} }
return $headers; return $headers;
@ -306,14 +302,14 @@ class OpenId extends BaseClient implements ClientInterface
]); ]);
$url = $url . ($params ? '?' . $params : ''); $url = $url . ($params ? '?' . $params : '');
$headers_tmp = get_headers($url); $headersTmp = get_headers($url);
if (!$headers_tmp) { if (empty($headersTmp)) {
return []; return [];
} }
// Parsing headers. // Parsing headers.
$headers = []; $headers = [];
foreach ($headers_tmp as $header) { foreach ($headersTmp as $header) {
$pos = strpos($header, ':'); $pos = strpos($header, ':');
$name = strtolower(trim(substr($header, 0, $pos))); $name = strtolower(trim(substr($header, 0, $pos)));
$headers[$name] = trim(substr($header, $pos + 1)); $headers[$name] = trim(substr($header, $pos + 1));
@ -325,12 +321,12 @@ class OpenId extends BaseClient implements ClientInterface
If any known provider uses them, file a bug report.*/ If any known provider uses them, file a bug report.*/
if ($name == 'location') { if ($name == 'location') {
if (strpos($headers[$name], 'http') === 0) { if (strpos($headers[$name], 'http') === 0) {
$this->identity = $this->claimed_id = $headers[$name]; $this->_identity = $this->_claimedId = $headers[$name];
} elseif($headers[$name][0] == '/') { } elseif($headers[$name][0] == '/') {
$parsed_url = parse_url($this->claimed_id); $parsedUrl = parse_url($this->_claimedId);
$this->identity = $this->_identity =
$this->claimed_id = $parsed_url['scheme'] . '://' $this->_claimedId = $parsedUrl['scheme'] . '://'
. $parsed_url['host'] . $parsedUrl['host']
. $headers[$name]; . $headers[$name];
} }
} }
@ -487,7 +483,7 @@ class OpenId extends BaseClient implements ClientInterface
$server = $server[1]; $server = $server[1];
if (isset($delegate[2])) { if (isset($delegate[2])) {
$this->identity = trim($delegate[2]); $this->_identity = trim($delegate[2]);
} }
$result['url'] = $server; $result['url'] = $server;
@ -508,7 +504,7 @@ class OpenId extends BaseClient implements ClientInterface
$server = $server[1]; $server = $server[1];
if (isset($delegate[1])) { if (isset($delegate[1])) {
$this->identity = $delegate[1]; $this->_identity = $delegate[1];
} }
$result['url'] = $server; $result['url'] = $server;
@ -556,7 +552,7 @@ class OpenId extends BaseClient implements ClientInterface
// We found an OpenID2 OP Endpoint // We found an OpenID2 OP Endpoint
if ($delegate) { if ($delegate) {
// We have also found an OP-Local ID. // We have also found an OP-Local ID.
$this->identity = $delegate; $this->_identity = $delegate;
} }
$result['url'] = $server; $result['url'] = $server;
$result['version'] = $version; $result['version'] = $version;
@ -662,8 +658,8 @@ class OpenId extends BaseClient implements ClientInterface
/* If we have an openid.delegate that is different from our claimed id, /* If we have an openid.delegate that is different from our claimed id,
we need to somehow preserve the claimed id between requests. we need to somehow preserve the claimed id between requests.
The simplest way is to just send it along with the return_to url.*/ The simplest way is to just send it along with the return_to url.*/
if ($this->identity != $this->claimed_id) { if ($this->_identity != $this->_claimedId) {
$returnUrl .= (strpos($returnUrl, '?') ? '&' : '?') . 'openid.claimed_id=' . $this->claimed_id; $returnUrl .= (strpos($returnUrl, '?') ? '&' : '?') . 'openid.claimed_id=' . $this->_claimedId;
} }
$params = array_merge( $params = array_merge(
@ -671,7 +667,7 @@ class OpenId extends BaseClient implements ClientInterface
[ [
'openid.return_to' => $returnUrl, 'openid.return_to' => $returnUrl,
'openid.mode' => 'checkid_setup', 'openid.mode' => 'checkid_setup',
'openid.identity' => $this->identity, 'openid.identity' => $this->_identity,
'openid.trust_root' => $this->trustRoot, 'openid.trust_root' => $this->trustRoot,
] ]
); );
@ -708,21 +704,21 @@ class OpenId extends BaseClient implements ClientInterface
$params['openid.identity'] = $url; $params['openid.identity'] = $url;
$params['openid.claimed_id']= $url; $params['openid.claimed_id']= $url;
} else { } else {
$params['openid.identity'] = $this->identity; $params['openid.identity'] = $this->_identity;
$params['openid.claimed_id'] = $this->claimed_id; $params['openid.claimed_id'] = $this->_claimedId;
} }
return $this->buildUrl(parse_url($serverInfo['url']), ['query' => http_build_query($params, '', '&')]); return $this->buildUrl(parse_url($serverInfo['url']), ['query' => http_build_query($params, '', '&')]);
} }
/** /**
* Returns authentication URL. Usually, you want to redirect your user to it. * Returns authentication URL. Usually, you want to redirect your user to it.
* @param boolean $identifierSelect whether to request OP to select identity for an user in OpenID 2. Does not affect OpenID 1. * @param boolean $identifierSelect whether to request OP to select identity for an user in OpenID 2, does not affect OpenID 1.
* @return string the authentication URL. * @return string the authentication URL.
* @throws Exception on failure. * @throws Exception on failure.
*/ */
public function buildAuthUrl($identifierSelect = null) public function buildAuthUrl($identifierSelect = null)
{ {
$serverInfo = $this->discover($this->identity); $serverInfo = $this->discover($this->_identity);
if ($serverInfo['version'] == 2) { if ($serverInfo['version'] == 2) {
if ($identifierSelect !== null) { if ($identifierSelect !== null) {
$serverInfo['identifierSelect'] = $identifierSelect; $serverInfo['identifierSelect'] = $identifierSelect;
@ -739,7 +735,7 @@ class OpenId extends BaseClient implements ClientInterface
*/ */
public function validate() public function validate()
{ {
$this->claimed_id = isset($this->data['openid_claimed_id']) ? $this->data['openid_claimed_id'] : $this->data['openid_identity']; $this->_claimedId = isset($this->data['openid_claimed_id']) ? $this->data['openid_claimed_id'] : $this->data['openid_identity'];
$params = [ $params = [
'openid.assoc_handle' => $this->data['openid_assoc_handle'], 'openid.assoc_handle' => $this->data['openid_assoc_handle'],
'openid.signed' => $this->data['openid_signed'], 'openid.signed' => $this->data['openid_signed'],
@ -754,7 +750,7 @@ class OpenId extends BaseClient implements ClientInterface
} elseif (isset($this->data['openid_claimed_id']) && $this->data['openid_claimed_id'] != $this->data['openid_identity']) { } elseif (isset($this->data['openid_claimed_id']) && $this->data['openid_claimed_id'] != $this->data['openid_identity']) {
// If it's an OpenID 1 provider, and we've got claimed_id, // If it's an OpenID 1 provider, and we've got claimed_id,
// we have to append it to the returnUrl, like authUrl_v1 does. // we have to append it to the returnUrl, like authUrl_v1 does.
$this->returnUrl .= (strpos($this->returnUrl, '?') ? '&' : '?') . 'openid.claimed_id=' . $this->claimed_id; $this->returnUrl .= (strpos($this->returnUrl, '?') ? '&' : '?') . 'openid.claimed_id=' . $this->_claimedId;
} }
if ($this->data['openid_return_to'] != $this->returnUrl) { if ($this->data['openid_return_to'] != $this->returnUrl) {
@ -763,7 +759,7 @@ class OpenId extends BaseClient implements ClientInterface
return false; return false;
} }
$serverInfo = $this->discover($this->claimed_id); $serverInfo = $this->discover($this->_claimedId);
foreach (explode(',', $this->data['openid_signed']) as $item) { foreach (explode(',', $this->data['openid_signed']) as $item) {
/* Checking whether magic_quotes_gpc is turned on, because /* Checking whether magic_quotes_gpc is turned on, because

Loading…
Cancel
Save