2 /***************************************************************************
3 * Copyright (C) 2003-2008 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
23 /* Definitions for the OpenId Specification
24 * http://openid.net/specs/openid-authentication-2_0.html
26 * OP Endpoint URL: https://www.polytechnique.org/openid
27 * OP Identifier: https://www.polytechnique.org/openid
28 * User-Supplied Identifier: https://www.polytechnique.org/openid/{$hruid}
29 * Identity selection is not supported by this implementation
30 * OP-Local Identifier: {$hruid}
33 /* Testing suite is here:
34 * http://openidenabled.com/resources/openid-test/
37 /* **checkid_immediate is not supported (yet)**, which means that we will
38 * always ask for confirmation before redirecting to a third-party.
39 * A sensible way to implement it would be to add a "Always trust this site"
40 * checkbox to the form, and to store trusted websites per user. This still
41 * raises the question of removing websites from that list.
42 * Another possibility is to maintain a global whitelist.
45 class OpenidModule
extends PLModule
50 'openid' => $this->make_hook('openid', AUTH_PUBLIC
),
51 'openid/trust' => $this->make_hook('trust', AUTH_COOKIE
),
52 'openid/idp_xrds' => $this->make_hook('idp_xrds', AUTH_PUBLIC
),
53 'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC
),
57 function handler_openid(&$page, $x = null
)
59 $this->load('openid.inc.php');
62 // Spec ยง4.1.2: if "openid.mode" is absent, whe SHOULD assume that
63 // the request is not an OpenId message
64 // Thus, we try to render the discovery page
65 if (!array_key_exists('openid_mode', $_REQUEST)) {
66 return $this->render_discovery_page($page, $user);
69 // Create a server and decode the request
70 $server = init_openid_server();
71 $request = $server->decodeRequest();
73 // This request requires user interaction
74 if (in_array($request->mode
,
75 array('checkid_immediate', 'checkid_setup'))) {
77 // Each user has only one identity to choose from
78 // So we can make automatically the identity selection
79 if ($request->idSelect()) {
80 $request->identity
= get_user_openid_url($user);
83 // If we still don't have an identifier (used or desired), give up
84 if (!$request->identity
) {
85 $this->render_no_identifier_page($page, $request);
89 // We always require confirmation before sending information
90 // to third-party websites
91 if ($request->immediate
) {
92 $response =& $request->answer(false
);
94 // Save request in session and jump to confirmation page
95 S
::set('request', serialize($request));
96 pl_redirect('openid/trust');
100 // Other requests can be automatically handled by the server
102 $response =& $server->handleRequest($request);
106 $webresponse =& $server->encodeResponse($response);
107 $this->render_openid_response($webresponse);
110 function handler_trust(&$page, $x = null
)
112 $this->load('openid.inc.php');
114 // Recover request in session
115 $request = S
::v('request');
116 if (is_null($request)) {
117 // There is no authentication information, something went wrong
121 // Unserialize the request
122 require_once 'Auth/OpenID/Server.php';
123 $request = unserialize($request);
126 $server = init_openid_server();
129 // Check that the identity matches the user currently logged in
130 if ($request->identity
!= get_user_openid_url($user)) {
131 $response =& $request->answer(false
);
132 $webresponse =& $server->encodeResponse($response);
133 $this->render_openid_response($webresponse);
137 // Ask the user for confirmation
138 if ($_SERVER['REQUEST_METHOD'] != 'POST') {
139 $page->changeTpl('openid/trust.tpl');
140 $page->assign('relying_party', $request->trust_root
);
144 // At this point $_SERVER['REQUEST_METHOD'] == 'POST'
145 // Answer to the Relying Party based on the user's choice
146 if (isset($_POST['trust'])) {
147 unset($_SESSION['request']);
148 $response =& $request->answer(true
, null
, $request->identity
);
150 // Answer with some sample Simple Registration data.
151 // TODO USE REAL USER DATA FROM $user
153 'fullname' => 'Example User',
154 'nickname' => 'example',
155 'dob' => '1970-01-01',
156 'email' => 'invalid@example.com',
158 'postcode' => '12345',
161 'timezone' => 'America/New_York');
163 // Add the simple registration response values to the OpenID
165 require_once 'Auth/OpenID/SReg.php';
166 $sreg_request = Auth_OpenID_SRegRequest
::fromOpenIDRequest($request);
167 $sreg_response = Auth_OpenID_SRegResponse
::extractResponse($sreg_request, $sreg_data);
168 $sreg_response->toMessage($response->fields
);
170 } else { // !isset($_POST['trust'])
171 unset($_SESSION['request']);
172 $response =& $request->answer(false
);
175 // Generate a response to send to the user agent.
176 $webresponse =& $server->encodeResponse($response);
177 $this->render_openid_response($webresponse);
180 function handler_idp_xrds(&$page)
183 $this->load('openid.inc.php');
185 // Set XRDS content-type and template
186 header('Content-type: application/xrds+xml');
187 $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN
);
190 $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN
);
191 $page->assign('type', Auth_OpenID_TYPE_2_0_IDP
);
192 $page->assign('uri', get_openid_url());
195 function handler_user_xrds(&$page, $x = null
)
198 $this->load('openid.inc.php');
200 // Set XRDS content-type and template
201 header('Content-type: application/xrds+xml');
202 $page->changeTpl('openid/user_xrds.tpl', NO_SKIN
);
205 $page->assign('type1', Auth_OpenID_TYPE_2_0
);
206 $page->assign('type2', Auth_OpenID_TYPE_1_1
);
207 $page->assign('uri', get_openid_url());
210 //--------------------------------------------------------------------//
212 function render_discovery_page(&$page, $user)
215 // Show the documentation if this is not the OpenId page of an user
216 if (is_null($user)) {
217 pl_redirect('Xorg/OpenId');
220 // Include X-XRDS-Location response-header for Yadis discovery
221 header('X-XRDS-Location: ' . get_user_xrds_url($user));
224 $page->changeTpl('openid/openid.tpl');
226 // Sets the title of the html page.
227 $page->setTitle($user->fullName());
229 // Sets the <link> tags for HTML-Based Discovery
230 $page->addLink('openid.server openid2.provider', get_openid_url());
231 $page->addLink('openid.delegate openid2.local_id', $user->hruid
);
233 // Adds the global user property array to the display.
234 $page->assign_by_ref('user', $user);
239 function render_no_identifier_page($page, $request)
242 $page->changeTpl('openid/no_identifier.tpl');
245 function render_openid_response($webresponse)
247 // Send HTTP response code
248 if ($webresponse->code
!= AUTH_OPENID_HTTP_OK
) {
249 header(sprintf("HTTP/1.1 %d ", $webresponse->code
),
250 true
, $webresponse->code
);
254 foreach ($webresponse->headers
as $k => $v) {
257 header('Connection: close');
260 print $webresponse->body
;
265 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8: