+ $requested_user = User::getSilent($login);
+ $server = new OpenId();
+
+ // Spec §4.1.2: if "openid.mode" is absent, we SHOULD assume that
+ // the request is not an OpenId message.
+ if (!$server->IsOpenIdRequest()) {
+ if ($requested_user) {
+ $server->RenderDiscoveryPage($page, $requested_user);
+ return;
+ } else {
+ pl_redirect('Xorg/OpenId');
+ }
+ exit;
+ }
+
+ // Initializes the OpenId environment from the request.
+ $server->Initialize();
+
+ // In modes 'checkid_immediate' and 'checkid_setup', we need to check
+ // by ourselves that we want to allow the user to be authenticated.
+ // Otherwise it can simply be forwarded to the Server object.
+ if ($server->IsAuthorizationRequest()) {
+ $authorized = S::logged() &&
+ $server->IsUserAuthorized(S::user()) &&
+ $server->IsEndpointTrusted(S::user());
+
+ if ($authorized) {
+ // TODO(vzanotti): SReg requests are currently not honored if
+ // the website is already trusted. We may want to redirect SReg
+ // requests to /openid/trust, to allow the user to choose.
+ $server->AnswerRequest(true);
+ } else if ($server->IsImmediateRequest()) {
+ $server->AnswerRequest(false);
+ } else {
+ // The user is currently not authorized to get her authorization
+ // request approved. Two possibilities:
+ // * the endpoint is not yet trusted => redirect to openid/trust
+ // * the user is not logged in => log in the user.
+ //
+ // The second case requires a special handling when the request
+ // was POSTed, as our current log in mechanism does not preserve
+ // POST arguments.
+ $openid_args = $server->GetQueryStringForRequest();
+ if (S::logged()) {
+ pl_redirect('openid/trust', $openid_args);
+ } else if (Post::has('openid_mode')) {
+ pl_redirect('openid', $openid_args);
+ } else {
+ return PL_DO_AUTH;
+ }
+ }
+ } else {
+ $server->HandleRequest();
+ }
+
+ // All requests should have been answered at this point. The best here
+ // is to get the user back to a safe page.
+ pl_redirect('');