You are here

function openid_complete in Drupal 6

Same name and namespace in other branches
  1. 7 modules/openid/openid.module \openid_complete()

Completes OpenID authentication by validating returned data from the OpenID Provider.

Parameters

$response Array of returned values from the OpenID Provider.:

Return value

$response Response values for further processing with $response['status'] set to one of 'success', 'failed' or 'cancel'.

2 calls to openid_complete()
openid_authentication_page in modules/openid/openid.pages.inc
Menu callback; Process an OpenID authentication.
openid_user_identities in modules/openid/openid.pages.inc
Menu callback; Manage OpenID identities for the specified user.

File

modules/openid/openid.module, line 221
Implement OpenID Relying Party support for Drupal

Code

function openid_complete($response = array()) {
  global $base_url;
  module_load_include('inc', 'openid');
  if (count($response) == 0) {
    $response = _openid_response();
  }

  // Default to failed response
  $response['status'] = 'failed';
  if (isset($_SESSION['openid']['service']['uri']) && isset($_SESSION['openid']['claimed_id'])) {
    $service = $_SESSION['openid']['service'];
    $claimed_id = $_SESSION['openid']['claimed_id'];
    unset($_SESSION['openid']['service']);
    unset($_SESSION['openid']['claimed_id']);
    if (isset($response['openid.mode'])) {
      if ($response['openid.mode'] == 'cancel') {
        $response['status'] = 'cancel';
      }
      else {
        if (openid_verify_assertion($service, $response)) {

          // If the returned claimed_id is different from the session claimed_id,
          // then we need to do discovery and make sure the op_endpoint matches.
          if ($service['version'] == 2) {

            // Returned Claimed Identifier could contain unique fragment
            // identifier to allow identifier recycling so we need to preserve
            // it in the response.
            $response_claimed_id = _openid_normalize($response['openid.claimed_id']);
            if ($response_claimed_id != $claimed_id || $response_claimed_id != $response['openid.identity']) {
              $disco = openid_discovery($response['openid.claimed_id']);
              if ($disco[0]['uri'] != $service['uri']) {
                return $response;
              }
              if (!empty($disco[0]['localid'])) {
                $identity = $disco[0]['localid'];
              }
              else {
                if (!empty($disco[0]['delegate'])) {
                  $identity = $disco[0]['delegate'];
                }
                else {
                  $identity = FALSE;
                }
              }

              // The OP-Local Identifier (if different than the Claimed
              // Identifier) must be present in the XRDS document.
              if ($response_claimed_id != $response['openid.identity'] && (!$identity || $identity != $response['openid.identity'])) {
                return $response;
              }
            }
          }
          else {
            $response['openid.claimed_id'] = $claimed_id;
          }

          // Verify that openid.return_to matches the current URL (see OpenID
          // Authentication 2.0, section 11.1).
          // While OpenID Authentication 1.1, section 4.3 does not mandate
          // return_to verification, the received return_to should still
          // match these constraints.
          $return_to_parts = parse_url($response['openid.return_to']);
          $base_url_parts = parse_url($base_url);
          $current_parts = parse_url($base_url_parts['scheme'] . '://' . $base_url_parts['host'] . request_uri());
          if ($return_to_parts['scheme'] != $current_parts['scheme'] || $return_to_parts['host'] != $current_parts['host'] || $return_to_parts['path'] != $current_parts['path']) {
            return $response;
          }

          // Verify that all query parameters in the openid.return_to URL have
          // the same value in the current URL. In addition, the current URL
          // contains a number of other parameters added by the OpenID Provider.
          parse_str(isset($return_to_parts['query']) ? $return_to_parts['query'] : '', $return_to_query_parameters);
          foreach ($return_to_query_parameters as $name => $value) {
            if (!array_key_exists($name, $_GET) || $_GET[$name] != $value) {
              return $response;
            }
          }
          $response['status'] = 'success';
        }
      }
    }
  }
  return $response;
}