function openid_complete in Drupal 6
Same name and namespace in other branches
- 7 modules/openid/openid.module \openid_complete()
Completes OpenID authentication by validating returned data from the OpenID Provider.
Parameters
$response: Array of returned values from the OpenID Provider.
Return value
$response: Response values for further processing, with $response['status'] set to one of 'success', 'failed' or 'cancel'.
2 calls to openid_complete()
- openid_authentication_page in modules/openid/openid.pages.inc - Menu callback; Process an OpenID authentication.
- openid_user_identities in modules/openid/openid.pages.inc - Menu callback; Manage OpenID identities for the specified user.
File
- modules/openid/openid.module, line 221 - Implement OpenID Relying Party support for Drupal
Code
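/**
 * Completes OpenID authentication by validating returned data from the OpenID Provider.
 *
 * The response is treated as untrusted input. 'status' starts as 'failed' and
 * becomes 'success' only after every check below has passed: the signature
 * check delegated to openid_verify_assertion(), the claimed identifier and
 * endpoint checks (OpenID 2.0 services), and the openid.return_to checks.
 * Every early return therefore reports 'failed'.
 *
 * The service and claimed_id stored in $_SESSION['openid'] are removed as soon
 * as they are read, so one stored authentication request is used for at most
 * one completion attempt.
 *
 * @param $response
 *   Array of returned values from the OpenID Provider. When empty, the values
 *   are obtained from _openid_response().
 *
 * @return
 *   Response values for further processing with $response['status'] set to
 *   one of 'success', 'failed' or 'cancel'.
 */
function openid_complete($response = array()) {
  global $base_url;
  module_load_include('inc', 'openid');

  if (count($response) == 0) {
    $response = _openid_response();
  }

  // Default to failed response.
  $response['status'] = 'failed';

  // Without the request state stored in the session there is nothing to
  // validate the response against.
  if (!isset($_SESSION['openid']['service']['uri']) || !isset($_SESSION['openid']['claimed_id'])) {
    return $response;
  }
  $service = $_SESSION['openid']['service'];
  $claimed_id = $_SESSION['openid']['claimed_id'];
  unset($_SESSION['openid']['service']);
  unset($_SESSION['openid']['claimed_id']);

  if (!isset($response['openid.mode'])) {
    return $response;
  }
  if ($response['openid.mode'] === 'cancel') {
    $response['status'] = 'cancel';
    return $response;
  }
  if (!openid_verify_assertion($service, $response)) {
    return $response;
  }

  // Identifier and URL values below are compared as strings with ===/!==.
  // With ==/!= PHP compares two numeric-looking strings as numbers (for
  // example '1e3' == '1000'), so two different values could be accepted as
  // equal.
  if ($service['version'] == 2) {
    // A positive assertion that lacks either identifier, or carries a
    // non-string value for it, cannot be matched against the session state.
    if (!isset($response['openid.claimed_id']) || !is_string($response['openid.claimed_id'])
      || !isset($response['openid.identity']) || !is_string($response['openid.identity'])) {
      return $response;
    }
    // Returned Claimed Identifier could contain unique fragment
    // identifier to allow identifier recycling so we need to preserve
    // it in the response.
    $response_claimed_id = (string) _openid_normalize($response['openid.claimed_id']);
    $response_identity = $response['openid.identity'];

    // If the returned claimed_id is different from the session claimed_id,
    // then we need to do discovery and make sure the op_endpoint matches.
    if ($response_claimed_id !== (string) $claimed_id || $response_claimed_id !== $response_identity) {
      $disco = openid_discovery($response['openid.claimed_id']);
      // Discovery that yields no service URI cannot confirm the endpoint.
      if (empty($disco[0]['uri']) || (string) $disco[0]['uri'] !== (string) $service['uri']) {
        return $response;
      }
      if (!empty($disco[0]['localid'])) {
        $identity = $disco[0]['localid'];
      }
      elseif (!empty($disco[0]['delegate'])) {
        $identity = $disco[0]['delegate'];
      }
      else {
        $identity = FALSE;
      }
      // The OP-Local Identifier (if different than the Claimed
      // Identifier) must be present in the XRDS document.
      if ($response_claimed_id !== $response_identity && (!$identity || (string) $identity !== $response_identity)) {
        return $response;
      }
    }
  }
  else {
    $response['openid.claimed_id'] = $claimed_id;
  }

  // Verify that openid.return_to matches the current URL (see OpenID
  // Authentication 2.0, section 11.1).
  // While OpenID Authentication 1.1, section 4.3 does not mandate
  // return_to verification, the received return_to should still
  // match these constraints.
  if (!isset($response['openid.return_to']) || !is_string($response['openid.return_to'])) {
    return $response;
  }
  $return_to_parts = parse_url($response['openid.return_to']);
  $base_url_parts = parse_url($base_url);
  $current_parts = parse_url($base_url_parts['scheme'] . '://' . $base_url_parts['host'] . request_uri());
  foreach (array('scheme', 'host', 'path') as $part) {
    // A component that is absent (or a URL that parse_url() rejected) is
    // compared as the empty string.
    $received = isset($return_to_parts[$part]) ? (string) $return_to_parts[$part] : '';
    $expected = isset($current_parts[$part]) ? (string) $current_parts[$part] : '';
    if ($received !== $expected) {
      return $response;
    }
  }

  // Verify that all query parameters in the openid.return_to URL have
  // the same value in the current URL. In addition, the current URL
  // contains a number of other parameters added by the OpenID Provider.
  $return_to_query_parameters = array();
  parse_str(isset($return_to_parts['query']) ? $return_to_parts['query'] : '', $return_to_query_parameters);
  foreach ($return_to_query_parameters as $name => $value) {
    if (!array_key_exists($name, $_GET)) {
      return $response;
    }
    if (is_array($value) || is_array($_GET[$name])) {
      // Nested parameters keep the order-insensitive == comparison; their
      // leaf values are therefore still compared loosely.
      $matches = ($_GET[$name] == $value);
    }
    else {
      $matches = ((string) $_GET[$name] === (string) $value);
    }
    if (!$matches) {
      return $response;
    }
  }

  $response['status'] = 'success';
  return $response;
}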