openid.module 31.3 KB
Newer Older
1 2 3 4 5 6 7 8 9
<?php
// $Id$

/**
 * @file
 * Implement OpenID Relying Party support for Drupal
 */

/**
10
 * Implements hook_menu().
11 12 13 14 15 16 17
 */
function openid_menu() {
  $items['openid/authenticate'] = array(
    'title' => 'OpenID Login',
    'page callback' => 'openid_authentication_page',
    'access callback' => 'user_is_anonymous',
    'type' => MENU_CALLBACK,
18
    'file' => 'openid.pages.inc',
19 20 21 22 23 24 25 26
  );
  $items['user/%user/openid'] = array(
    'title' => 'OpenID identities',
    'page callback' => 'openid_user_identities',
    'page arguments' => array(1),
    'access callback' => 'user_edit_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
27
    'file' => 'openid.pages.inc',
28 29 30
  );
  $items['user/%user/openid/delete'] = array(
    'title' => 'Delete OpenID',
31 32
    'page callback' => 'drupal_get_form',
    'page arguments' => array('openid_user_delete_form', 1),
33 34
    'access callback' => 'user_edit_access',
    'access arguments' => array(1),
35
    'type' => MENU_CALLBACK,
36
    'file' => 'openid.pages.inc',
37 38 39 40 41
  );
  return $items;
}

/**
42
 * Implements hook_help().
43
 */
44 45
function openid_help($path, $arg) {
  switch ($path) {
46
    case 'user/%/openid':
47
      $output = '<p>' . t('This site supports <a href="@openid-net">OpenID</a>, a secure way to log in to many websites using a single username and password. OpenID can reduce the necessity of managing many usernames and passwords for many websites.', array('@openid-net' => 'http://openid.net')) . '</p>';
48
      $output .= '<p>' . t('To use OpenID you must first establish an identity on a public or private OpenID server. If you do not have an OpenID and would like one, look into one of the <a href="@openid-providers">free public providers</a>. You can find out more about OpenID at <a href="@openid-net">this website</a>.', array('@openid-providers' => 'http://openid.net/get/', '@openid-net' => 'http://openid.net')) . '</p>';
49
      $output .= '<p>' . t('If you already have an OpenID, enter the URL to your OpenID server below (e.g. myusername.openidprovider.com). Next time you log in, you will be able to use this URL instead of a regular username and password. You can have multiple OpenID servers if you like; just keep adding them here.') . '</p>';
50
      return $output;
51
    case 'admin/help#openid':
52 53 54 55 56 57 58 59
      $output = '';
      $output .= '<h3>' . t('About') . '</h3>';
      $output .= '<p>' . t('The OpenID module allows users to log in using the OpenID single sign on service. <a href="@openid-net">OpenID</a> is a secure method for logging into many websites with a single username and password. It does not require special software, and it does not share passwords with any site to which it is associated, including the site being logged into. The main benefit to users is that they can have a single password that they can use on many websites. This means they can easily update their single password from a centralized location, rather than having to change dozens of passwords individually. For more information, see the online handbook entry for <a href="@handbook">OpenID module</a>.', array('@openid-net' => 'http://openid.net', '@handbook' => 'http://drupal.org/handbook/modules/openid')) . '</p>';
      $output .= '<h3>' . t('Uses') . '</h3>';
      $output .= '<dl>';
      $output .= '<dt>' . t('Logging in with OpenID') . '</dt>';
      $output .= '<dd>' . t("To log in using OpenID, a user must already have an OpenID account. Users can then create site accounts using their OpenID, assign one or more OpenIDs to an existing account, and log in using an OpenID. This lowers the barrier to registration, which helps increase the user base, and offers convenience and security to the users. Because OpenID cannot guarantee a user is legitimate, email verification is still necessary. When logging in, users are presented with the option of entering their OpenID URL, which will look like <em>myusername.openidprovider.com</em>. The site then communicates with the OpenID server, asking it to verify the identity of the user. If the user is logged into their OpenID server, the server communicates back to your site, verifying the user. If they are not logged in, the OpenID server will ask the user for their password. At no point does the site being logged into record the user's OpenID password.") . '</dd>';
      $output .= '</dl>';
60
      return $output;
61 62 63 64
  }
}

/**
65
 * Implements hook_user_insert().
66
 */
67
function openid_user_insert(&$edit, $account, $category) {
68
  if (isset($_SESSION['openid']['values'])) {
69
    // The user has registered after trying to log in via OpenID.
70
    if (variable_get('user_email_verification', TRUE)) {
71
      drupal_set_message(t('Once you have verified your e-mail address, you may log in via OpenID.'));
72
    }
73
    user_set_authmaps($account, array('authname_openid' => $_SESSION['openid']['values']['response']['openid.claimed_id']));
74 75 76 77
    unset($_SESSION['openid']);
  }
}

78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101
/**
 * Implements hook_user_login().
 *
 * Save openid_identifier to visitor cookie.
 */
function openid_user_login(&$edit, $account) {
  if (isset($_SESSION['openid'])) {
    // The user has logged in via OpenID.
    user_cookie_save($_SESSION['openid']['user_login_values'], array('openid_identifier'));
    unset($_SESSION['openid']);
  }
}

/**
 * Implements hook_user_logout().
 *
 * Delete any openid_identifier in visitor cookie.
 */
function openid_user_logout($account) {
  if (isset($_COOKIE['Drupal_visitor_openid_identifier'])) {
    user_cookie_delete('openid_identifier');
  }
}

102
/**
103
 * Implements hook_form_FORM_ID_alter().
104
 */
105 106 107 108 109
function openid_form_user_login_block_alter(&$form, &$form_state) {
  _openid_user_login_form_alter($form, $form_state);
}

/**
110
 * Implements hook_form_FORM_ID_alter().
111 112 113 114
 */
function openid_form_user_login_alter(&$form, &$form_state) {
  _openid_user_login_form_alter($form, $form_state);
}
115

116
function _openid_user_login_form_alter(&$form, &$form_state) {
117 118 119
  $form['#attached']['css'][] = drupal_get_path('module', 'openid') . '/openid.css';
  $form['#attached']['js'][] = drupal_get_path('module', 'openid') . '/openid.js';
  $form['#attached']['library'][] = array('system', 'cookie');
120
  if (!empty($form_state['input']['openid_identifier'])) {
121 122 123 124
    $form['name']['#required'] = FALSE;
    $form['pass']['#required'] = FALSE;
    unset($form['#submit']);
    $form['#validate'] = array('openid_login_validate');
125
  }
126 127 128 129

  $items = array();
  $items[] = array(
    'data' => l(t('Log in using OpenID'), '#'),
130
    'class' => array('openid-link'),
131 132 133
  );
  $items[] = array(
    'data' => l(t('Cancel OpenID login'), '#'),
134
    'class' => array('user-link'),
135 136 137
  );

  $form['openid_links'] = array(
138
    '#markup' => theme('item_list', array('items' => $items)),
139 140 141 142 143 144 145 146
    '#weight' => 1,
  );

  $form['links']['#weight'] = 2;

  $form['openid_identifier'] = array(
    '#type' => 'textfield',
    '#title' => t('Log in using OpenID'),
147
    '#size' => $form['name']['#size'],
148 149 150 151
    '#maxlength' => 255,
    '#weight' => -1,
    '#description' => l(t('What is OpenID?'), 'http://openid.net/', array('external' => TRUE)),
  );
152
  $form['openid.return_to'] = array('#type' => 'hidden', '#value' => url('openid/authenticate', array('absolute' => TRUE, 'query' => user_login_destination())));
153 154 155
}

/**
156
 * Implements hook_form_alter().
157 158
 *
 * Adds OpenID login to the login forms.
159
 */
160
function openid_form_user_register_form_alter(&$form, &$form_state) {
161
  if (isset($_SESSION['openid']['values'])) {
162 163
    // We were unable to auto-register a new user. Prefill the registration
    // form with the values we have.
164 165 166
    $form['account']['name']['#default_value'] = $_SESSION['openid']['values']['name'];
    $form['account']['mail']['#default_value'] = $_SESSION['openid']['values']['mail'];

167 168 169 170 171 172
    // If user_email_verification is off, hide the password field and just fill
    // with random password to avoid confusion.
    if (!variable_get('user_email_verification', TRUE)) {
      $form['pass']['#type'] = 'hidden';
      $form['pass']['#value'] = user_password();
    }
173 174 175 176 177 178
    $form['openid_display'] = array(
      '#type' => 'item',
      '#title' => t('Your OpenID'),
      '#description' => t('This OpenID will be attached to your account after registration.'),
      '#markup' => check_plain($_SESSION['openid']['values']['response']['openid.claimed_id']),
    );
179 180 181 182 183 184 185 186 187 188 189 190
  }
}

/**
 * Login form _validate hook
 */
function openid_login_validate($form, &$form_state) {
  $return_to = $form_state['values']['openid.return_to'];
  if (empty($return_to)) {
    $return_to = url('', array('absolute' => TRUE));
  }

191
  openid_begin($form_state['values']['openid_identifier'], $return_to, $form_state['values']);
192 193 194 195 196 197 198 199 200 201 202 203
}

/**
 * The initial step of OpenID authentication responsible for the following:
 *  - Perform discovery on the claimed OpenID.
 *  - If possible, create an association with the Provider's endpoint.
 *  - Create the authentication request.
 *  - Perform the appropriate redirect.
 *
 * @param $claimed_id The OpenID to authenticate
 * @param $return_to The endpoint to return to from the OpenID Provider
 */
204
function openid_begin($claimed_id, $return_to = '', $form_values = array()) {
205
  module_load_include('inc', 'openid');
206

207
  $claimed_id = openid_normalize($claimed_id);
208 209

  $services = openid_discovery($claimed_id);
210 211 212
  $service = _openid_select_service($services);

  if (!$service) {
213
    form_set_error('openid_identifier', t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'));
214 215 216
    return;
  }

217
  // Store discovered information in the users' session so we don't have to rediscover.
218
  $_SESSION['openid']['service'] = $service;
219 220
  // Store the claimed id
  $_SESSION['openid']['claimed_id'] = $claimed_id;
221 222
  // Store the login form values so we can pass them to
  // user_exteral_login later.
223
  $_SESSION['openid']['user_login_values'] = $form_values;
224 225 226 227

  // If bcmath is present, then create an association
  $assoc_handle = '';
  if (function_exists('bcadd')) {
228
    $assoc_handle = openid_association($service['uri']);
229 230
  }

231 232 233
  if (in_array('http://specs.openid.net/auth/2.0/server', $service['types'])) {
    // User entered an OP Identifier.
    $claimed_id = $identity = 'http://specs.openid.net/auth/2.0/identifier_select';
234 235
  }
  else {
236 237 238 239
    // Use Claimed ID and/or OP-Local Identifier from service description, if
    // available.
    if (!empty($service['claimed_id'])) {
      $claimed_id = $service['claimed_id'];
240
    }
241
    $identity = !empty($service['identity']) ? $service['identity'] : $claimed_id;
242
  }
243
  $request = openid_authentication_request($claimed_id, $identity, $return_to, $assoc_handle, $service);
244

245 246
  if ($service['version'] == 2) {
    openid_redirect($service['uri'], $request);
247 248
  }
  else {
249
    openid_redirect_http($service['uri'], $request);
250 251 252 253 254 255 256
  }
}

/**
 * Completes OpenID authentication by validating returned data from the OpenID
 * Provider.
 *
257
 * @param $response Array of returned values from the OpenID Provider.
258 259 260 261
 *
 * @return $response Response values for further processing with
 *   $response['status'] set to one of 'success', 'failed' or 'cancel'.
 */
262
function openid_complete($response = array()) {
263
  module_load_include('inc', 'openid');
264

265 266 267
  if (count($response) == 0) {
    $response = _openid_response();
  }
268

269 270
  // Default to failed response
  $response['status'] = 'failed';
271 272 273 274 275
  if (isset($_SESSION['openid']['service']['uri']) && isset($_SESSION['openid']['claimed_id'])) {
    $service = $_SESSION['openid']['service'];
    $claimed_id = $_SESSION['openid']['claimed_id'];
    unset($_SESSION['openid']['service']);
    unset($_SESSION['openid']['claimed_id']);
276 277 278 279 280
    if (isset($response['openid.mode'])) {
      if ($response['openid.mode'] == 'cancel') {
        $response['status'] = 'cancel';
      }
      else {
281
        if (openid_verify_assertion($service['uri'], $response)) {
282 283 284 285 286 287 288 289 290
          // OpenID Authentication, section 7.3.2.3 and Appendix A.5:
          // The CanonicalID specified in the XRDS document must be used as the
          // account key. We rely on the XRI proxy resolver to verify that the
          // provider is authorized to respond on behalf of the specified
          // identifer (required per Extensible Resource Identifier (XRI)
          // (XRI) Resolution Version 2.0, section 14.3):
          if (!empty($service['claimed_id'])) {
            $response['openid.claimed_id'] = $service['claimed_id'];
          }
291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307
          elseif ($service['version'] == 2) {
            $response['openid.claimed_id'] = openid_normalize($response['openid.claimed_id']);
            // OpenID Authentication, section 11.2:
            // If the returned Claimed Identifier is different from the one sent
            // to the OpenID Provider, we need to do discovery on the returned
            // identififer to make sure that the provider is authorized to
            // respond on behalf of this.
            if ($response['openid.claimed_id'] != $claimed_id) {
              $services = openid_discovery($response['openid.claimed_id']);
              $uris = array();
              foreach ($services as $discovered_service) {
                if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
                  $uris[] = $discovered_service['uri'];
                }
              }
              if (!in_array($service['uri'], $uris)) {
                return $response;
308
              }
309 310 311 312 313
            }
          }
          else {
            $response['openid.claimed_id'] = $claimed_id;
          }
314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330
          $response['status'] = 'success';
        }
      }
    }
  }
  return $response;
}

/**
 * Perform discovery on a claimed ID to determine the OpenID provider endpoint.
 *
 * @param $claimed_id The OpenID URL to perform discovery on.
 *
 * @return Array of services discovered (including OpenID version, endpoint
 * URI, etc).
 */
function openid_discovery($claimed_id) {
331 332
  module_load_include('inc', 'openid');
  module_load_include('inc', 'openid', 'xrds');
333

334 335
  $methods = module_invoke_all('openid_discovery_method_info');
  drupal_alter('openid_discovery_method_info', $methods);
336

337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372
  // Execute each method in turn.
  foreach ($methods as $method) {
    $discovered_services = $method($claimed_id);
    if (!empty($discovered_services)) {
      return $discovered_services;
    }
  }

  return array();
}

/**
 * Implementation of hook_openid_discovery_method_info().
 *
 * Define standard discovery methods.
 */
function openid_openid_discovery_method_info() {
  // The discovery process will stop as soon as one discovery method succeed.
  // We first attempt to discover XRI-based identifiers, then standard XRDS
  // identifiers via Yadis and HTML-based discovery, conforming to the OpenID 2.0
  // specification. If those fail, we attempt to discover services based on
  // the Google user discovery scheme.
  return array(
    'xri' => '_openid_xri_discovery',
    'xrds' => '_openid_xrds_discovery',
    'google' => '_openid_google_user_discovery',
  );
}

/**
 * OpenID discovery method: perform an XRI discovery.
 *
 * @see http://openid.net/specs/openid-authentication-2_0.html#discovery
 * @see hook_openid_discovery_method_info()
 */
function _openid_xri_discovery($claimed_id) {
373
  if (_openid_is_xri($claimed_id)) {
374 375 376 377 378 379 380 381
    // Resolve XRI using a proxy resolver (Extensible Resource Identifier (XRI)
    // Resolution Version 2.0, section 11.2).
    $xrds_url = variable_get('xri_proxy_resolver', 'http://xri.net/') . rawurlencode($claimed_id) . '?_xrd_r=application/xrds+xml';
    $services = _openid_xrds_discovery($xrds_url);
    foreach ($services as &$service) {
      $service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID);
    }
    return $services;
382
  }
383 384 385 386 387 388 389 390 391 392 393 394
}

/**
 * OpenID discovery method: perform a XRDS discovery.
 *
 * @see http://openid.net/specs/openid-authentication-2_0.html#discovery
 * @see hook_openid_discovery_method_info()
 */
function _openid_xrds_discovery($claimed_id) {
  $services = array();

  $xrds_url = $claimed_id;
395 396
  $scheme = @parse_url($xrds_url, PHP_URL_SCHEME);
  if ($scheme == 'http' || $scheme == 'https') {
397 398
    // For regular URLs, try Yadis resolution first, then HTML-based discovery
    $headers = array('Accept' => 'application/xrds+xml');
399
    $result = drupal_http_request($xrds_url, array('headers' => $headers));
400 401 402 403

    if (!isset($result->error)) {
      if (isset($result->headers['Content-Type']) && preg_match("/application\/xrds\+xml/", $result->headers['Content-Type'])) {
        // Parse XML document to find URL
404
        $services = _openid_xrds_parse($result->data);
405 406 407 408 409 410 411 412 413 414 415 416
      }
      else {
        $xrds_url = NULL;
        if (isset($result->headers['X-XRDS-Location'])) {
          $xrds_url = $result->headers['X-XRDS-Location'];
        }
        else {
          // Look for meta http-equiv link in HTML head
          $xrds_url = _openid_meta_httpequiv('X-XRDS-Location', $result->data);
        }
        if (!empty($xrds_url)) {
          $headers = array('Accept' => 'application/xrds+xml');
417
          $xrds_result = drupal_http_request($xrds_url, array('headers' => $headers));
418
          if (!isset($xrds_result->error)) {
419
            $services = _openid_xrds_parse($xrds_result->data);
420 421 422 423 424 425 426 427
          }
        }
      }

      // Check for HTML delegation
      if (count($services) == 0) {
        // Look for 2.0 links
        $uri = _openid_link_href('openid2.provider', $result->data);
428
        $identity = _openid_link_href('openid2.local_id', $result->data);
429
        $type = 'http://specs.openid.net/auth/2.0/signon';
430

431
        // 1.x links
432 433
        if (empty($uri)) {
          $uri = _openid_link_href('openid.server', $result->data);
434
          $identity = _openid_link_href('openid.delegate', $result->data);
435
          $type = 'http://openid.net/signon/1.1';
436 437
        }
        if (!empty($uri)) {
438 439
          $services[] = array(
            'uri' => $uri,
440
            'identity' => $identity,
441 442
            'types' => array($type),
          );
443 444 445 446 447 448 449
        }
      }
    }
  }
  return $services;
}

450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473
/**
 * OpenID discovery method: Perform an user discovery using Google Discovery protocol.
 *
 * This transforms a OpenID identifier into an OpenID endpoint.
 *
 * @see http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery#TOC-User-Discovery
 * @see hook_openid_discovery_method_info()
 */
function _openid_google_user_discovery($claimed_id) {
  $xrds_url = $claimed_id;
  $url = @parse_url($xrds_url);
  if (empty($url['scheme']) || ($url['scheme'] != 'http' && $scheme['scheme'] != 'https') || empty($url['host'])) {
    return;
  }

  $response = drupal_http_request('https://www.google.com/accounts/o8/.well-known/host-meta?hd=' . rawurlencode($url['host']));
  if (isset($response->error) || $response->code != 200) {
    return;
  }

  if (preg_match('/Link: <(.*)>/', $response->data, $matches)) {
    $xrds_url = $matches[1];
    $services = _openid_xrds_discovery($xrds_url);

474 475 476
    foreach ($services as $i => $service) {
      if (in_array('http://www.iana.org/assignments/relation/describedby', $service['types']) && $service['service']->children(OPENID_NS_GOOGLE)->URITemplate) {
        $template = (string)$service['service']->children(OPENID_NS_GOOGLE)->URITemplate;
477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500
        $xrds_url = str_replace('{%uri}', rawurlencode($claimed_id), $template);
        return _openid_xrds_discovery($xrds_url);
      }
    }
  }
}

/**
 * Implementation of hook_openid_normalization_method_info().
 *
 * Define standard normalization methods.
 */
function openid_openid_normalization_method_info() {
  // We first try to normalize Google Identifiers (user@domain) into their
  // corresponding XRDS URL. If this fail, we proceed with standard OpenID
  // normalization by normalizing XRI idenfiers. Finally, normalize the identifier
  // into a canonical URL.
  return array(
    'google_idp' => '_openid_google_idp_normalize',
    'xri' => '_openid_xri_normalize',
    'url' => '_openid_url_normalize',
  );
}

501 502 503 504 505 506 507 508
/**
 * Attempt to create a shared secret with the OpenID Provider.
 *
 * @param $op_endpoint URL of the OpenID Provider endpoint.
 *
 * @return $assoc_handle The association handle.
 */
function openid_association($op_endpoint) {
509
  module_load_include('inc', 'openid');
510 511

  // Remove Old Associations:
512 513 514
  db_delete('openid_association')
    ->condition('created + expires_in', REQUEST_TIME, '<')
    ->execute();
515 516

  // Check to see if we have an association for this IdP already
517
  $assoc_handle = db_query("SELECT assoc_handle FROM {openid_association} WHERE idp_endpoint_uri = :endpoint", array(':endpoint' => $op_endpoint))->fetchField();
518 519 520 521 522 523 524 525 526 527
  if (empty($assoc_handle)) {
    $mod = OPENID_DH_DEFAULT_MOD;
    $gen = OPENID_DH_DEFAULT_GEN;
    $r = _openid_dh_rand($mod);
    $private = bcadd($r, 1);
    $public = bcpowmod($gen, $private, $mod);

    // If there is no existing association, then request one
    $assoc_request = openid_association_request($public);
    $assoc_message = _openid_encode_message(_openid_create_message($assoc_request));
528 529 530 531 532 533
    $assoc_options = array(
      'headers' => array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'),
      'method' => 'POST',
      'data' => $assoc_message,
    );
    $assoc_result = drupal_http_request($op_endpoint, $assoc_options);
534 535 536 537 538 539
    if (isset($assoc_result->error)) {
      return FALSE;
    }

    $assoc_response = _openid_parse_message($assoc_result->data);
    if (isset($assoc_response['mode']) && $assoc_response['mode'] == 'error') {
540
      return FALSE;
541 542 543 544 545 546 547 548
    }

    if ($assoc_response['session_type'] == 'DH-SHA1') {
      $spub = _openid_dh_base64_to_long($assoc_response['dh_server_public']);
      $enc_mac_key = base64_decode($assoc_response['enc_mac_key']);
      $shared = bcpowmod($spub, $private, $mod);
      $assoc_response['mac_key'] = base64_encode(_openid_dh_xorsecret($shared, $enc_mac_key));
    }
549
    db_insert('openid_association')
550 551 552 553 554 555 556 557
      ->fields(array(
        'idp_endpoint_uri' => $op_endpoint,
        'session_type' => $assoc_response['session_type'],
        'assoc_handle' => $assoc_response['assoc_handle'],
        'assoc_type' => $assoc_response['assoc_type'],
        'expires_in' => $assoc_response['expires_in'],
        'mac_key' => $assoc_response['mac_key'],
        'created' => REQUEST_TIME,
558 559
      ))
      ->execute();
560 561 562 563 564 565 566 567 568 569 570
    $assoc_handle = $assoc_response['assoc_handle'];
  }
  return $assoc_handle;
}

/**
 * Authenticate a user or attempt registration.
 *
 * @param $response Response values from the OpenID Provider.
 */
function openid_authentication($response) {
571
  module_load_include('inc', 'openid');
572

573
  $identity = $response['openid.claimed_id'];
574 575 576 577

  $account = user_external_load($identity);
  if (isset($account->uid)) {
    if (!variable_get('user_email_verification', TRUE) || $account->login) {
578
      // Check if user is blocked.
579 580
      $state['values']['name'] = $account->name;
      user_login_name_validate(array(), $state);
581 582 583 584
      if (!form_get_errors()) {
        // Load global $user and perform final login tasks.
        $form_state['uid'] = $account->uid;
        user_login_submit(array(), $form_state);
585 586
        // Let other modules act on OpenID login
        module_invoke_all('openid_response', $response, $account);
587
      }
588 589 590 591 592
    }
    else {
      drupal_set_message(t('You must validate your email address for this account before logging in via OpenID'));
    }
  }
593
  elseif (variable_get('user_register', 1)) {
594 595 596 597 598 599 600
    // Register new user.

    // Extract Simple Registration keys from the response.
    $sreg_values = openid_extract_namespace($response, OPENID_NS_SREG, 'sreg');
    // Extract Attribute Exchanges keys from the response.
    $ax_values = openid_extract_namespace($response, OPENID_NS_AX, 'ax');

601
    $form_state['build_info']['args'] = array();
602
    $form_state['redirect'] = NULL;
603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628

    if (!empty($sreg_values['nickname'])) {
      // Use the nickname returned by Simple Registration if available.
      $form_state['values']['name'] = $sreg_values['nickname'];
    }
    else if (!empty($ax_values['value.email'])) {
      // Else, extract the name part of the email address returned by AX if available.
      list ($name, $domain) = explode('@', $ax_values['value.email'], 2);
      $form_state['values']['name'] = $name;
    }
    else {
      $form_state['values']['name'] = '';
    }

    if (!empty($sreg_values['email'])) {
      // Use the email returned by Simple Registration if available.
      $form_state['values']['mail'] = $sreg_values['email'];
    }
    else if (!empty($ax_values['value.email'])) {
      // Else, use the email returned by AX if available.
      $form_state['values']['mail'] = $ax_values['value.email'];
    }
    else {
      $form_state['values']['mail'] = '';
    }

629 630 631
    $form_state['values']['pass']  = user_password();
    $form_state['values']['status'] = variable_get('user_register', 1) == 1;
    $form_state['values']['response'] = $response;
632

633
    if (empty($form_state['values']['name']) || empty($form_state['values']['mail'])) {
634
      drupal_set_message(t('Complete the registration by filling out the form below. If you already have an account, you can <a href="@login">log in</a> now and add your OpenID under "My account".', array('@login' => url('user/login'))), 'warning');
635 636 637 638 639 640 641 642
      $success = FALSE;
    }
    else {
      $form = drupal_retrieve_form('user_register_form', $form_state);
      drupal_prepare_form('user_register_form', $form, $form_state);
      drupal_validate_form('user_register_form', $form, $form_state);
      $success = !form_get_errors();
      if (!$success) {
643
        drupal_set_message(t('Account registration using the information provided by your OpenID provider failed due to the reasons listed below. Complete the registration by filling out the form below. If you already have an account, you can <a href="@login">log in</a> now and add your OpenID under "My account".', array('@login' => url('user/login'))), 'warning');
644 645 646 647 648 649 650 651
        // Append form validation errors below the above warning.
        $messages = drupal_get_messages('error');
        foreach ($messages['error'] as $message) {
          drupal_set_message( $message, 'error');
        }
      }
    }
    if (!$success) {
652 653
      // We were unable to register a valid new user, redirect to standard
      // user/register and prefill with the values we received.
654
      $_SESSION['openid']['values'] = $form_state['values'];
655 656
      // We'll want to redirect back to the same place.
      $destination = drupal_get_destination();
657
      unset($_GET['destination']);
658
      drupal_goto('user/register', array('query' => $destination));
659 660 661
    }
    else {
      unset($form_state['values']['response']);
662
      $account = user_save(drupal_anonymous_user(), $form_state['values']);
663
      // Terminate if an error occurred during user_save().
664 665 666 667
      if (!$account) {
        drupal_set_message(t("Error saving user account."), 'error');
        drupal_goto();
      }
668
      user_set_authmaps($account, array("authname_openid" => $identity));
669 670 671
      // Load global $user and perform final login tasks.
      $form_state['uid'] = $account->uid;
      user_login_submit(array(), $form_state);
672 673
      // Let other modules act on OpenID login
      module_invoke_all('openid_response', $response, $account);
674
    }
675
    drupal_redirect_form($form_state);
676
  }
677 678 679
  else {
    drupal_set_message(t('Only site administrators can create new user accounts.'), 'error');
  }
680 681 682 683
  drupal_goto();
}

function openid_association_request($public) {
684
  module_load_include('inc', 'openid');
685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700

  $request = array(
    'openid.ns' => OPENID_NS_2_0,
    'openid.mode' => 'associate',
    'openid.session_type' => 'DH-SHA1',
    'openid.assoc_type' => 'HMAC-SHA1'
  );

  if ($request['openid.session_type'] == 'DH-SHA1' || $request['openid.session_type'] == 'DH-SHA256') {
    $cpub = _openid_dh_long_to_base64($public);
    $request['openid.dh_consumer_public'] = $cpub;
  }

  return $request;
}

701
function openid_authentication_request($claimed_id, $identity, $return_to = '', $assoc_handle = '', $service) {
702
  module_load_include('inc', 'openid');
703 704 705 706 707 708 709 710

  $request =  array(
    'openid.mode' => 'checkid_setup',
    'openid.identity' => $identity,
    'openid.assoc_handle' => $assoc_handle,
    'openid.return_to' => $return_to,
  );

711
  if ($service['version'] == 2) {
712 713
    $request['openid.ns'] = OPENID_NS_2_0;
    $request['openid.claimed_id'] = $claimed_id;
714
    $request['openid.realm'] = url('', array('absolute' => TRUE));
715 716
  }
  else {
717
    $request['openid.trust_root'] = url('', array('absolute' => TRUE));
718 719
  }

720 721 722
  // Always request Simple Registration. The specification doesn't mandate
  // that the Endpoint advertise OPENID_NS_SREG in the service description.
  $request['openid.ns.sreg'] = OPENID_NS_SREG;
723
  $request['openid.sreg.required'] = 'nickname,email';
724 725 726 727 728 729 730 731 732 733

  // Request Attribute Exchange, if available.
  // We only request the minimum attributes we need here, contributed modules
  // can alter the request to add more attribute, and map them to profile fields.
  if (in_array(OPENID_NS_AX, $service['types'])) {
    $request['openid.ns.ax'] = OPENID_NS_AX;
    $request['openid.ax.mode'] = 'fetch_request';
    $request['openid.ax.required'] = 'email';
    $request['openid.ax.type.email'] = 'http://schema.openid.net/contact/email';
  }
734 735 736 737 738 739 740 741 742 743

  $request = array_merge($request, module_invoke_all('openid', 'request', $request));

  return $request;
}

/**
 * Attempt to verify the response received from the OpenID Provider.
 *
 * @param $op_endpoint The OpenID Provider URL.
744
 * @param $response Array of response values from the provider.
745 746
 *
 * @return boolean
747
 * @see http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4
748 749
 */
function openid_verify_assertion($op_endpoint, $response) {
750
  module_load_include('inc', 'openid');
751 752

  $valid = FALSE;
753 754 755 756 757 758 759 760
  $association = FALSE;

  // If the OP returned a openid.invalidate_handle, we have to proceed with
  // direct verification: ignore the openid.assoc_handle, even if present.
  // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.1
  if (!empty($response['openid.assoc_handle']) && empty($response['openid.invalidate_handle'])) {
    $association = db_query("SELECT * FROM {openid_association} WHERE assoc_handle = :assoc_handle", array(':assoc_handle' => $response['openid.assoc_handle']))->fetchObject();
  }
761 762 763 764 765 766 767 768 769 770 771 772

  if ($association && isset($association->session_type)) {
    $keys_to_sign = explode(',', $response['openid.signed']);
    $self_sig = _openid_signature($association, $response, $keys_to_sign);
    if ($self_sig == $response['openid.sig']) {
      $valid = TRUE;
    }
    else {
      $valid = FALSE;
    }
  }
  else {
773 774 775
    // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2.1
    // The verification requests contain all the fields from the response,
    // except openid.mode.
776 777 778
    $request = $response;
    $request['openid.mode'] = 'check_authentication';
    $message = _openid_create_message($request);
779 780 781 782 783 784
    $options = array(
      'headers' => array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'),
      'method' => 'POST',
      'data' => _openid_encode_message($message),
    );
    $result = drupal_http_request($op_endpoint, $options);
785 786
    if (!isset($result->error)) {
      $response = _openid_parse_message($result->data);
787

788 789
      if (strtolower(trim($response['is_valid'])) == 'true') {
        $valid = TRUE;
790 791 792 793 794 795 796 797
        if (!empty($response['invalidate_handle'])) {
          // This association handle has expired on the OP side, remove it from the
          // database to avoid reusing it again on a subsequent authentication request.
          // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2.2
          db_delete('openid_association')
            ->condition('assoc_handle', $response['invalidate_handle'])
            ->execute();
        }
798 799 800 801 802 803 804 805
      }
      else {
        $valid = FALSE;
      }
    }
  }
  return $valid;
}