Skip to content

Y
yii2
Commit fea65200 by Paul Klimov
Options

OpenId client identiy/claimed_id separation fixed.

parent 46746cd8
Showing with 32 additions and 36 deletions
extensions/yii/authclient/OpenId.php
...@@ -19,7 +19,6 @@ use Yii; ...@@ -19,7 +19,6 @@ use Yii;
* @property string $returnUrl authentication return URL. * @property string $returnUrl authentication return URL.
* @property mixed $identity ??? * @property mixed $identity ???
* @property string $trustRoot client trust root (realm), by default [[\yii\web\Request::hostInfo]] value will be used. * @property string $trustRoot client trust root (realm), by default [[\yii\web\Request::hostInfo]] value will be used.
* @property mixed $mode ??? This property is read-only.
* *
* @author Paul Klimov <klimov.paul@gmail.com> * @author Paul Klimov <klimov.paul@gmail.com>
* @since 2.0 * @since 2.0
...@@ -54,8 +53,10 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -54,8 +53,10 @@ class OpenId extends BaseClient implements ClientInterface
* @var string authentication return URL. * @var string authentication return URL.
*/ */
private $_returnUrl; private $_returnUrl;
private $_identity; private $_identity;
private $claimed_id;
private $_claimedId;
/** /**
* @var string client trust root (realm), by default [[\yii\web\Request::hostInfo]] value will be used. * @var string client trust root (realm), by default [[\yii\web\Request::hostInfo]] value will be used.
*/ */
...@@ -103,7 +104,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -103,7 +104,7 @@ class OpenId extends BaseClient implements ClientInterface
} }
} }
$this->_identity = $value; $this->_identity = $value;
$this->claimed_id = $value; $this->_claimedId = $value;
} }
public function getIdentity() public function getIdentity()
...@@ -111,7 +112,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -111,7 +112,7 @@ class OpenId extends BaseClient implements ClientInterface
/* We return claimed_id instead of identity, /* We return claimed_id instead of identity,
because the developer should see the claimed identifier, because the developer should see the claimed identifier,
i.e. what he set as identity, not the op-local identifier (which is what we verify)*/ i.e. what he set as identity, not the op-local identifier (which is what we verify)*/
return $this->claimed_id; return $this->_claimedId;
} }
/** /**
...@@ -152,11 +153,6 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -152,11 +153,6 @@ class OpenId extends BaseClient implements ClientInterface
return $this->_trustRoot; return $this->_trustRoot;
} }
public function getMode()
{
return empty($this->data['openid_mode']) ? null : $this->data['openid_mode'];
}
/** /**
* Generates default [[returnUrl]] value. * Generates default [[returnUrl]] value.
* @return string default authentication return URL. * @return string default authentication return URL.
...@@ -234,15 +230,15 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -234,15 +230,15 @@ class OpenId extends BaseClient implements ClientInterface
if ($method == 'HEAD') { if ($method == 'HEAD') {
$headers = []; $headers = [];
foreach (explode("\n", $response) as $header) { foreach (explode("\n", $response) as $header) {
$pos = strpos($header,':'); $pos = strpos($header, ':');
$name = strtolower(trim(substr($header, 0, $pos))); $name = strtolower(trim(substr($header, 0, $pos)));
$headers[$name] = trim(substr($header, $pos+1)); $headers[$name] = trim(substr($header, $pos+1));
} }
# Updating claimed_id in case of redirections. // Updating claimed_id in case of redirections.
$effective_url = curl_getinfo($curl, CURLINFO_EFFECTIVE_URL); $effectiveUrl = curl_getinfo($curl, CURLINFO_EFFECTIVE_URL);
if ($effective_url != $url) { if ($effectiveUrl != $url) {
$this->identity = $this->claimed_id = $effective_url; $this->_identity = $this->_claimedId = $effectiveUrl;
} }
return $headers; return $headers;
...@@ -306,17 +302,17 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -306,17 +302,17 @@ class OpenId extends BaseClient implements ClientInterface
]); ]);
$url = $url . ($params ? '?' . $params : ''); $url = $url . ($params ? '?' . $params : '');
$headers_tmp = get_headers($url); $headersTmp = get_headers($url);
if (!$headers_tmp) { if (empty($headersTmp)) {
return []; return [];
} }
// Parsing headers. // Parsing headers.
$headers = []; $headers = [];
foreach ($headers_tmp as $header) { foreach ($headersTmp as $header) {
$pos = strpos($header, ':'); $pos = strpos($header, ':');
$name = strtolower(trim(substr($header, 0, $pos))); $name = strtolower(trim(substr($header, 0, $pos)));
$headers[$name] = trim(substr($header, $pos+1)); $headers[$name] = trim(substr($header, $pos + 1));
/* Following possible redirections. The point is just to have /* Following possible redirections. The point is just to have
claimed_id change with them, because get_headers() will claimed_id change with them, because get_headers() will
...@@ -325,12 +321,12 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -325,12 +321,12 @@ class OpenId extends BaseClient implements ClientInterface
If any known provider uses them, file a bug report.*/ If any known provider uses them, file a bug report.*/
if ($name == 'location') { if ($name == 'location') {
if (strpos($headers[$name], 'http') === 0) { if (strpos($headers[$name], 'http') === 0) {
$this->identity = $this->claimed_id = $headers[$name]; $this->_identity = $this->_claimedId = $headers[$name];
} elseif($headers[$name][0] == '/') { } elseif($headers[$name][0] == '/') {
$parsed_url = parse_url($this->claimed_id); $parsedUrl = parse_url($this->_claimedId);
$this->identity = $this->_identity =
$this->claimed_id = $parsed_url['scheme'] . '://' $this->_claimedId = $parsedUrl['scheme'] . '://'
. $parsed_url['host'] . $parsedUrl['host']
. $headers[$name]; . $headers[$name];
} }
} }
...@@ -487,7 +483,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -487,7 +483,7 @@ class OpenId extends BaseClient implements ClientInterface
$server = $server[1]; $server = $server[1];
if (isset($delegate[2])) { if (isset($delegate[2])) {
$this->identity = trim($delegate[2]); $this->_identity = trim($delegate[2]);
} }
$result['url'] = $server; $result['url'] = $server;
...@@ -508,7 +504,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -508,7 +504,7 @@ class OpenId extends BaseClient implements ClientInterface
$server = $server[1]; $server = $server[1];
if (isset($delegate[1])) { if (isset($delegate[1])) {
$this->identity = $delegate[1]; $this->_identity = $delegate[1];
} }
$result['url'] = $server; $result['url'] = $server;
...@@ -556,7 +552,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -556,7 +552,7 @@ class OpenId extends BaseClient implements ClientInterface
// We found an OpenID2 OP Endpoint // We found an OpenID2 OP Endpoint
if ($delegate) { if ($delegate) {
// We have also found an OP-Local ID. // We have also found an OP-Local ID.
$this->identity = $delegate; $this->_identity = $delegate;
} }
$result['url'] = $server; $result['url'] = $server;
$result['version'] = $version; $result['version'] = $version;
...@@ -662,8 +658,8 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -662,8 +658,8 @@ class OpenId extends BaseClient implements ClientInterface
/* If we have an openid.delegate that is different from our claimed id, /* If we have an openid.delegate that is different from our claimed id,
we need to somehow preserve the claimed id between requests. we need to somehow preserve the claimed id between requests.
The simplest way is to just send it along with the return_to url.*/ The simplest way is to just send it along with the return_to url.*/
if ($this->identity != $this->claimed_id) { if ($this->_identity != $this->_claimedId) {
$returnUrl .= (strpos($returnUrl, '?') ? '&' : '?') . 'openid.claimed_id=' . $this->claimed_id; $returnUrl .= (strpos($returnUrl, '?') ? '&' : '?') . 'openid.claimed_id=' . $this->_claimedId;
} }
$params = array_merge( $params = array_merge(
...@@ -671,7 +667,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -671,7 +667,7 @@ class OpenId extends BaseClient implements ClientInterface
[ [
'openid.return_to' => $returnUrl, 'openid.return_to' => $returnUrl,
'openid.mode' => 'checkid_setup', 'openid.mode' => 'checkid_setup',
'openid.identity' => $this->identity, 'openid.identity' => $this->_identity,
'openid.trust_root' => $this->trustRoot, 'openid.trust_root' => $this->trustRoot,
] ]
); );
...@@ -708,21 +704,21 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -708,21 +704,21 @@ class OpenId extends BaseClient implements ClientInterface
$params['openid.identity'] = $url; $params['openid.identity'] = $url;
$params['openid.claimed_id']= $url; $params['openid.claimed_id']= $url;
} else { } else {
$params['openid.identity'] = $this->identity; $params['openid.identity'] = $this->_identity;
$params['openid.claimed_id'] = $this->claimed_id; $params['openid.claimed_id'] = $this->_claimedId;
} }
return $this->buildUrl(parse_url($serverInfo['url']), ['query' => http_build_query($params, '', '&')]); return $this->buildUrl(parse_url($serverInfo['url']), ['query' => http_build_query($params, '', '&')]);
} }
/** /**
* Returns authentication URL. Usually, you want to redirect your user to it. * Returns authentication URL. Usually, you want to redirect your user to it.
* @param boolean $identifierSelect whether to request OP to select identity for an user in OpenID 2. Does not affect OpenID 1. * @param boolean $identifierSelect whether to request OP to select identity for an user in OpenID 2, does not affect OpenID 1.
* @return string the authentication URL. * @return string the authentication URL.
* @throws Exception on failure. * @throws Exception on failure.
*/ */
public function buildAuthUrl($identifierSelect = null) public function buildAuthUrl($identifierSelect = null)
{ {
$serverInfo = $this->discover($this->identity); $serverInfo = $this->discover($this->_identity);
if ($serverInfo['version'] == 2) { if ($serverInfo['version'] == 2) {
if ($identifierSelect !== null) { if ($identifierSelect !== null) {
$serverInfo['identifierSelect'] = $identifierSelect; $serverInfo['identifierSelect'] = $identifierSelect;
...@@ -739,7 +735,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -739,7 +735,7 @@ class OpenId extends BaseClient implements ClientInterface
*/ */
public function validate() public function validate()
{ {
$this->claimed_id = isset($this->data['openid_claimed_id']) ? $this->data['openid_claimed_id'] : $this->data['openid_identity']; $this->_claimedId = isset($this->data['openid_claimed_id']) ? $this->data['openid_claimed_id'] : $this->data['openid_identity'];
$params = [ $params = [
'openid.assoc_handle' => $this->data['openid_assoc_handle'], 'openid.assoc_handle' => $this->data['openid_assoc_handle'],
'openid.signed' => $this->data['openid_signed'], 'openid.signed' => $this->data['openid_signed'],
...@@ -754,7 +750,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -754,7 +750,7 @@ class OpenId extends BaseClient implements ClientInterface
} elseif (isset($this->data['openid_claimed_id']) && $this->data['openid_claimed_id'] != $this->data['openid_identity']) { } elseif (isset($this->data['openid_claimed_id']) && $this->data['openid_claimed_id'] != $this->data['openid_identity']) {
// If it's an OpenID 1 provider, and we've got claimed_id, // If it's an OpenID 1 provider, and we've got claimed_id,
// we have to append it to the returnUrl, like authUrl_v1 does. // we have to append it to the returnUrl, like authUrl_v1 does.
$this->returnUrl .= (strpos($this->returnUrl, '?') ? '&' : '?') . 'openid.claimed_id=' . $this->claimed_id; $this->returnUrl .= (strpos($this->returnUrl, '?') ? '&' : '?') . 'openid.claimed_id=' . $this->_claimedId;
} }
if ($this->data['openid_return_to'] != $this->returnUrl) { if ($this->data['openid_return_to'] != $this->returnUrl) {
...@@ -763,7 +759,7 @@ class OpenId extends BaseClient implements ClientInterface ...@@ -763,7 +759,7 @@ class OpenId extends BaseClient implements ClientInterface
return false; return false;
} }
$serverInfo = $this->discover($this->claimed_id); $serverInfo = $this->discover($this->_claimedId);
foreach (explode(',', $this->data['openid_signed']) as $item) { foreach (explode(',', $this->data['openid_signed']) as $item) {
/* Checking whether magic_quotes_gpc is turned on, because /* Checking whether magic_quotes_gpc is turned on, because
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment