2 /***************************************************************************
3 * Copyright (C) 2003-2008 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
23 /* Definitions for the OpenId Specification
24 * http://openid.net/specs/openid-authentication-2_0.html
26 * OP Endpoint URL: https://www.polytechnique.org/openid
27 * OP Identifier: https://www.polytechnique.org/openid
28 * User Identifier: https://www.polytechnique.org/openid/{hruid}
29 * OP-Local Identifier: {hruid}
32 /* This implementation supports two modes:
33 * - entering the OP Identifier, which can simply be 'polytechnique.org'
34 * - entering the User Identifier, or some URL that resolves there
35 * In both cases, Yadis discovery is made possible through the X-XRDS-Location
38 * In the former case, Yadis discovery is performed on /, or where it redirects;
39 * see platal.php. It resolves to the XRDS for this OP, and User Identifier
40 * selection is performed after forcing the user to log in. This only works for
41 * version 2.0 of the OpenId protocol.
43 * In the latter cas, Yadis discovery is performed on /openid/{hruid}. It
44 * resolves ta a user-specific XRDS. This page also features HTML-based
45 * discovery. This works with any version of the protocol.
48 /* Testing suite is here:
49 * http://openidenabled.com/resources/openid-test/
50 * It only supports User Indentifiers.
52 * To test OP Identifiers, download the JanRain PHP library and use the
53 * consumer provided as an example (although it appears that a failure is
54 * mistakenly reported: 'Server denied check_authentication').
55 * Reading the source of the server can also help understanding the code below.
58 /* **checkid_immediate is not supported (yet)**, which means that we will
59 * always ask for confirmation before redirecting to a third-party.
60 * A sensible way to implement it would be to add a "Always trust this site"
61 * checkbox to the form, and to store trusted websites per user. This still
62 * raises the question of removing websites from that list.
63 * Another possibility is to maintain a global whitelist.
66 class OpenidModule
extends PLModule
71 'openid' => $this->make_hook('openid', AUTH_PUBLIC
),
72 'openid/trust' => $this->make_hook('trust', AUTH_COOKIE
),
73 'openid/idp_xrds' => $this->make_hook('idp_xrds', AUTH_PUBLIC
),
74 'openid/user_xrds' => $this->make_hook('user_xrds', AUTH_PUBLIC
),
75 'openid/melix' => $this->make_hook('melix', AUTH_PUBLIC
),
79 function handler_openid(&$page, $x = null
)
81 $this->load('openid.inc.php');
83 // Spec ยง4.1.2: if "openid.mode" is absent, whe SHOULD assume that
84 // the request is not an OpenId message
85 // Thus, we try to render the discovery page
86 if (!array_key_exists('openid_mode', $_REQUEST)) {
87 return $this->render_discovery_page($page, get_user($x));
90 // Now, deal with the OpenId message
91 // Create a server and decode the request
92 $server = init_openid_server();
93 $request = $server->decodeRequest();
95 // With these modes, the request needs some logic
96 // and can not be automatically answered by the server
97 if (in_array($request->mode
,
98 array('checkid_immediate', 'checkid_setup'))) {
100 // User identifier selection
101 // if the user identifier is not known by the RP yet
102 if ($request->idSelect()) {
103 if ($request->mode
== 'checkid_immediate') {
104 // Deny authentication if we can't interact with the user
105 $response =& $request->answer(false
);
107 // Otherwise save request in session and redirect
108 // to a page that requires authentication
109 // Then the user will be known
110 S
::set('openid_request', serialize($request));
111 pl_redirect('openid/trust');
115 // If don't use identifier selection and don't have an identifier,
117 } else if (!$request->identity
) {
118 $this->render_no_identifier_page($page, $request);
121 // From now on we have an identifier
123 // We deny immediate requests, unless the user is logged in
124 // and has whitelisted the site
125 } else if ($request->immediate
) {
126 $answer = S
::logged() && is_trusted_site(S
::user(),
127 $request->trust_root
);
128 $response =& $request->answer($answer);
130 // For setup requests, we redirect to a page where the user
131 // will authenticate and confirm the use of his/her OpenId
133 // Save request in session before jumping to confirmation page
134 S
::set('openid_request', serialize($request));
135 pl_redirect('openid/trust');
139 // Other requests can be automatically handled by the server
141 $response =& $server->handleRequest($request);
145 $webresponse =& $server->encodeResponse($response);
146 $this->render_openid_response($webresponse);
149 function handler_trust(&$page, $x = null
)
151 $this->load('openid.inc.php');
153 // Recover request in session
154 $request = S
::v('openid_request');
155 if (is_null($request)) {
156 // There is no authentication information, something went wrong
161 // Unserialize the request
162 require_once 'Auth/OpenID/Server.php';
163 $request = unserialize($request);
165 $server = init_openid_server();
170 // Set the identity to the user currently logged in
171 // if an OP Identifier was initially used
172 if ($request->identity
== Auth_OpenID_IDENTIFIER_SELECT
) {
173 $identity = $user->hruid
;
174 $claimed_id = get_user_openid_url($user);
175 // Check that the identity matches the user currently logged in
176 // if an User Identifier was initially used
177 } else if ($request->identity
!= $user->hruid
) {
178 $response =& $request->answer(false
);
179 $webresponse =& $server->encodeResponse($response);
180 $this->render_openid_response($webresponse);
184 // Prepare Simple Registration response fields
185 require_once 'Auth/OpenID/SReg.php';
186 $sreg_request = Auth_OpenID_SRegRequest
::fromOpenIDRequest($request);
187 $sreg_response = Auth_OpenID_SRegResponse
::extractResponse($sreg_request, get_sreg_data($user));
189 // Check the whitelist
190 $whitelisted = is_trusted_site($user, $request->trust_root
);
192 // Ask the user for confirmation
193 if (!$whitelisted && $_SERVER['REQUEST_METHOD'] != 'POST') {
194 $page->changeTpl('openid/trust.tpl');
195 $page->assign('relying_party', $request->trust_root
);
196 $page->assign_by_ref('sreg_data', $sreg_response->data
);
200 // At this point $_SERVER['REQUEST_METHOD'] == 'POST'
201 // Answer to the Relying Party
202 if ($whitelisted ||
isset($_POST['trust'])) {
203 S
::kill('openid_request');
204 $response =& $request->answer(true
, null
, $identity, $claimed_id);
206 // Add the simple registration response values to the OpenID
208 $sreg_response->toMessage($response->fields
);
210 } else { // !$whitelisted && !isset($_POST['trust'])
211 S
::kill('openid_request');
212 $response =& $request->answer(false
);
215 // Generate a response to send to the user agent.
216 $webresponse =& $server->encodeResponse($response);
217 $this->render_openid_response($webresponse);
220 function handler_idp_xrds(&$page)
222 $this->load('openid.inc.php');
224 // Set XRDS content-type and template
225 header('Content-type: application/xrds+xml');
226 $page->changeTpl('openid/idp_xrds.tpl', NO_SKIN
);
229 $page->assign('type2', Auth_OpenID_TYPE_2_0_IDP
);
230 $page->assign('sreg', Auth_OpenID_SREG_URI
);
231 $page->assign('provider', get_openid_url());
234 function handler_user_xrds(&$page, $x = null
)
236 $this->load('openid.inc.php');
238 // Make sure the user exists
239 $user = get_user($x);
240 if (is_null($user)) {
244 // Set XRDS content-type and template
245 header('Content-type: application/xrds+xml');
246 $page->changeTpl('openid/user_xrds.tpl', NO_SKIN
);
249 $page->assign('type2', Auth_OpenID_TYPE_2_0
);
250 $page->assign('type1', Auth_OpenID_TYPE_1_1
);
251 $page->assign('sreg', Auth_OpenID_SREG_URI
);
252 $page->assign('provider', get_openid_url());
253 $page->assign('local_id', $user->hruid
);
256 function handler_melix(&$page, $x = null
)
258 $this->load('openid.inc.php');
259 $user = get_user_by_alias($x);
261 // This will redirect to the canonic URL, which was not used
262 // if this hook was triggered
263 return $this->render_discovery_page(&$page, $user);
266 //--------------------------------------------------------------------//
268 function render_discovery_page(&$page, $user)
271 // Show the documentation if this is not the OpenId page of an user
272 if (is_null($user)) {
273 pl_redirect('Xorg/OpenId');
276 // Redirect to the canonic URL if we are using an alias
277 // There might be a risk of redirection loop here
278 // if $_SERVER was not exactly what we expect
279 $current_url = 'http' . (empty($_SERVER['HTTPS']) ?
'' : 's') . '://'
280 . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
281 $canonic_url = get_user_openid_url($user);
282 if ($current_url != $canonic_url) {
283 http_redirect($canonic_url);
286 // Include X-XRDS-Location response-header for Yadis discovery
287 header('X-XRDS-Location: ' . get_user_xrds_url($user));
290 $page->changeTpl('openid/openid.tpl');
292 // Sets the title of the html page.
293 $page->setTitle($user->fullName());
295 // Sets the <link> tags for HTML-Based Discovery
296 $page->addLink('openid.server openid2.provider', get_openid_url());
297 $page->addLink('openid.delegate openid2.local_id', $user->hruid
);
299 // Adds the global user property array to the display.
300 $page->assign_by_ref('user', $user);
305 function render_no_identifier_page($page, $request)
308 $page->changeTpl('openid/no_identifier.tpl');
311 function render_openid_response($webresponse)
313 // Send HTTP response code
314 if ($webresponse->code
!= AUTH_OPENID_HTTP_OK
) {
315 header(sprintf("HTTP/1.1 %d ", $webresponse->code
),
316 true
, $webresponse->code
);
320 foreach ($webresponse->headers
as $k => $v) {
323 header('Connection: close');
326 print $webresponse->body
;
331 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8: