openid.module 31.4 KB
Newer Older
1 2 3 4 5 6 7 8 9
<?php
// $Id$

/**
 * @file
 * Implement OpenID Relying Party support for Drupal
 */

/**
10
 * Implements hook_menu().
11 12 13 14 15 16 17
 */
function openid_menu() {
  $items['openid/authenticate'] = array(
    'title' => 'OpenID Login',
    'page callback' => 'openid_authentication_page',
    'access callback' => 'user_is_anonymous',
    'type' => MENU_CALLBACK,
18
    'file' => 'openid.pages.inc',
19 20 21 22 23 24 25 26
  );
  $items['user/%user/openid'] = array(
    'title' => 'OpenID identities',
    'page callback' => 'openid_user_identities',
    'page arguments' => array(1),
    'access callback' => 'user_edit_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
27
    'file' => 'openid.pages.inc',
28 29 30
  );
  $items['user/%user/openid/delete'] = array(
    'title' => 'Delete OpenID',
31 32
    'page callback' => 'drupal_get_form',
    'page arguments' => array('openid_user_delete_form', 1),
33 34
    'access callback' => 'user_edit_access',
    'access arguments' => array(1),
35
    'type' => MENU_CALLBACK,
36
    'file' => 'openid.pages.inc',
37 38 39 40 41
  );
  return $items;
}

/**
42
 * Implements hook_help().
43
 */
44 45
function openid_help($path, $arg) {
  switch ($path) {
46
    case 'user/%/openid':
47
      $output = '<p>' . t('This site supports <a href="@openid-net">OpenID</a>, a secure way to log in to many websites using a single username and password. OpenID can reduce the necessity of managing many usernames and passwords for many websites.', array('@openid-net' => 'http://openid.net')) . '</p>';
48
      $output .= '<p>' . t('To use OpenID you must first establish an identity on a public or private OpenID server. If you do not have an OpenID and would like one, look into one of the <a href="@openid-providers">free public providers</a>. You can find out more about OpenID at <a href="@openid-net">this website</a>.', array('@openid-providers' => 'http://openid.net/get/', '@openid-net' => 'http://openid.net')) . '</p>';
49
      $output .= '<p>' . t('If you already have an OpenID, enter the URL to your OpenID server below (e.g. myusername.openidprovider.com). Next time you log in, you will be able to use this URL instead of a regular username and password. You can have multiple OpenID servers if you like; just keep adding them here.') . '</p>';
50
      return $output;
51
    case 'admin/help#openid':
52 53 54 55 56 57 58 59
      $output = '';
      $output .= '<h3>' . t('About') . '</h3>';
      $output .= '<p>' . t('The OpenID module allows users to log in using the OpenID single sign on service. <a href="@openid-net">OpenID</a> is a secure method for logging into many websites with a single username and password. It does not require special software, and it does not share passwords with any site to which it is associated, including the site being logged into. The main benefit to users is that they can have a single password that they can use on many websites. This means they can easily update their single password from a centralized location, rather than having to change dozens of passwords individually. For more information, see the online handbook entry for <a href="@handbook">OpenID module</a>.', array('@openid-net' => 'http://openid.net', '@handbook' => 'http://drupal.org/handbook/modules/openid')) . '</p>';
      $output .= '<h3>' . t('Uses') . '</h3>';
      $output .= '<dl>';
      $output .= '<dt>' . t('Logging in with OpenID') . '</dt>';
      $output .= '<dd>' . t("To log in using OpenID, a user must already have an OpenID account. Users can then create site accounts using their OpenID, assign one or more OpenIDs to an existing account, and log in using an OpenID. This lowers the barrier to registration, which helps increase the user base, and offers convenience and security to the users. Because OpenID cannot guarantee a user is legitimate, email verification is still necessary. When logging in, users are presented with the option of entering their OpenID URL, which will look like <em>myusername.openidprovider.com</em>. The site then communicates with the OpenID server, asking it to verify the identity of the user. If the user is logged into their OpenID server, the server communicates back to your site, verifying the user. If they are not logged in, the OpenID server will ask the user for their password. At no point does the site being logged into record the user's OpenID password.") . '</dd>';
      $output .= '</dl>';
60
      return $output;
61 62 63 64
  }
}

/**
65
 * Implements hook_user_insert().
66
 */
67
function openid_user_insert(&$edit, $account, $category) {
68
  if (!empty($edit['openid_claimed_id'])) {
69
    // The user has registered after trying to log in via OpenID.
70
    if (variable_get('user_email_verification', TRUE)) {
71
      drupal_set_message(t('Once you have verified your e-mail address, you may log in via OpenID.'));
72
    }
73
    user_set_authmaps($account, array('authname_openid' => $edit['openid_claimed_id']));
74
    unset($_SESSION['openid']);
75
    unset($edit['openid_claimed_id']);
76 77 78
  }
}

79 80 81 82 83 84 85 86
/**
 * Implements hook_user_login().
 *
 * Save openid_identifier to visitor cookie.
 */
function openid_user_login(&$edit, $account) {
  if (isset($_SESSION['openid'])) {
    // The user has logged in via OpenID.
87
    user_cookie_save(array_intersect_key($_SESSION['openid']['user_login_values'], array_flip(array('openid_identifier'))));
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102
    unset($_SESSION['openid']);
  }
}

/**
 * Implements hook_user_logout().
 *
 * Delete any openid_identifier in visitor cookie.
 */
function openid_user_logout($account) {
  if (isset($_COOKIE['Drupal_visitor_openid_identifier'])) {
    user_cookie_delete('openid_identifier');
  }
}

103
/**
104
 * Implements hook_form_FORM_ID_alter().
105
 */
106 107 108 109 110
function openid_form_user_login_block_alter(&$form, &$form_state) {
  _openid_user_login_form_alter($form, $form_state);
}

/**
111
 * Implements hook_form_FORM_ID_alter().
112 113 114 115
 */
function openid_form_user_login_alter(&$form, &$form_state) {
  _openid_user_login_form_alter($form, $form_state);
}
116

117
function _openid_user_login_form_alter(&$form, &$form_state) {
118 119 120
  $form['#attached']['css'][] = drupal_get_path('module', 'openid') . '/openid.css';
  $form['#attached']['js'][] = drupal_get_path('module', 'openid') . '/openid.js';
  $form['#attached']['library'][] = array('system', 'cookie');
121
  if (!empty($form_state['input']['openid_identifier'])) {
122 123 124 125
    $form['name']['#required'] = FALSE;
    $form['pass']['#required'] = FALSE;
    unset($form['#submit']);
    $form['#validate'] = array('openid_login_validate');
126
  }
127 128 129 130

  $items = array();
  $items[] = array(
    'data' => l(t('Log in using OpenID'), '#'),
131
    'class' => array('openid-link'),
132 133 134
  );
  $items[] = array(
    'data' => l(t('Cancel OpenID login'), '#'),
135
    'class' => array('user-link'),
136 137 138
  );

  $form['openid_links'] = array(
139
    '#markup' => theme('item_list', array('items' => $items)),
140 141 142 143 144 145 146 147
    '#weight' => 1,
  );

  $form['links']['#weight'] = 2;

  $form['openid_identifier'] = array(
    '#type' => 'textfield',
    '#title' => t('Log in using OpenID'),
148
    '#size' => $form['name']['#size'],
149 150 151 152
    '#maxlength' => 255,
    '#weight' => -1,
    '#description' => l(t('What is OpenID?'), 'http://openid.net/', array('external' => TRUE)),
  );
153
  $form['openid.return_to'] = array('#type' => 'hidden', '#value' => url('openid/authenticate', array('absolute' => TRUE, 'query' => user_login_destination())));
154 155 156
}

/**
157
 * Implements hook_form_FORM_ID_alter().
158
 *
159
 * Prefills the login form with values acquired via OpenID.
160
 */
161
function openid_form_user_register_form_alter(&$form, &$form_state) {
162 163 164 165 166 167 168 169 170 171 172 173 174 175
  if (isset($_SESSION['openid']['response'])) {
    module_load_include('inc', 'openid');

    $response = $_SESSION['openid']['response'];

    // Extract Simple Registration keys from the response.
    $sreg_values = openid_extract_namespace($response, OPENID_NS_SREG, 'sreg');
    // Extract Attribute Exchanges keys from the response.
    $ax_values = openid_extract_namespace($response, OPENID_NS_AX, 'ax');

    if (!empty($sreg_values['nickname'])) {
      // Use the nickname returned by Simple Registration if available.
      $form['account']['name']['#default_value'] = $sreg_values['nickname'];
    }
176 177 178 179 180 181
    elseif ($ax_name_values = openid_extract_ax_values($ax_values, array('name_ao', 'name_son'))) {
      // Else, use the first nickname returned by AX if available.
      $form['account']['name']['#default_value'] = current($ax_name_values);
    }
    else {
      $form['account']['name']['#default_value'] = '';
182 183 184 185 186 187
    }

    if (!empty($sreg_values['email'])) {
      // Use the email returned by Simple Registration if available.
      $form['account']['mail']['#default_value'] = $sreg_values['email'];
    }
188 189 190
    elseif ($ax_mail_values = openid_extract_ax_values($ax_values, array('mail_ao', 'mail_son'))) {
      // Else, use the first nickname returned by AX if available.
      $form['account']['mail']['#default_value'] = current($ax_mail_values);
191
    }
192

193 194 195
    // If user_email_verification is off, hide the password field and just fill
    // with random password to avoid confusion.
    if (!variable_get('user_email_verification', TRUE)) {
196 197
      $form['account']['pass']['#type'] = 'hidden';
      $form['account']['pass']['#value'] = user_password();
198
    }
199 200 201 202 203

    $form['openid_claimed_id'] = array(
      '#type' => 'value',
      '#default_value' => $response['openid.claimed_id'],
    );
204 205 206 207
    $form['openid_display'] = array(
      '#type' => 'item',
      '#title' => t('Your OpenID'),
      '#description' => t('This OpenID will be attached to your account after registration.'),
208
      '#markup' => check_plain($response['openid.claimed_id']),
209
    );
210 211 212 213 214 215 216 217 218 219 220 221
  }
}

/**
 * Login form _validate hook
 */
function openid_login_validate($form, &$form_state) {
  $return_to = $form_state['values']['openid.return_to'];
  if (empty($return_to)) {
    $return_to = url('', array('absolute' => TRUE));
  }

222
  openid_begin($form_state['values']['openid_identifier'], $return_to, $form_state['values']);
223 224 225 226 227 228 229 230 231 232 233 234
}

/**
 * The initial step of OpenID authentication responsible for the following:
 *  - Perform discovery on the claimed OpenID.
 *  - If possible, create an association with the Provider's endpoint.
 *  - Create the authentication request.
 *  - Perform the appropriate redirect.
 *
 * @param $claimed_id The OpenID to authenticate
 * @param $return_to The endpoint to return to from the OpenID Provider
 */
235
function openid_begin($claimed_id, $return_to = '', $form_values = array()) {
236
  module_load_include('inc', 'openid');
237

238
  $claimed_id = openid_normalize($claimed_id);
239 240

  $services = openid_discovery($claimed_id);
241 242 243
  $service = _openid_select_service($services);

  if (!$service) {
244
    form_set_error('openid_identifier', t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'));
245 246 247
    return;
  }

248
  // Store discovered information in the users' session so we don't have to rediscover.
249
  $_SESSION['openid']['service'] = $service;
250 251
  // Store the claimed id
  $_SESSION['openid']['claimed_id'] = $claimed_id;
252 253
  // Store the login form values so we can pass them to
  // user_exteral_login later.
254
  $_SESSION['openid']['user_login_values'] = $form_values;
255 256 257 258

  // If bcmath is present, then create an association
  $assoc_handle = '';
  if (function_exists('bcadd')) {
259
    $assoc_handle = openid_association($service['uri']);
260 261
  }

262 263 264
  if (in_array('http://specs.openid.net/auth/2.0/server', $service['types'])) {
    // User entered an OP Identifier.
    $claimed_id = $identity = 'http://specs.openid.net/auth/2.0/identifier_select';
265 266
  }
  else {
267 268 269 270
    // Use Claimed ID and/or OP-Local Identifier from service description, if
    // available.
    if (!empty($service['claimed_id'])) {
      $claimed_id = $service['claimed_id'];
271
    }
272
    $identity = !empty($service['identity']) ? $service['identity'] : $claimed_id;
273
  }
274
  $request = openid_authentication_request($claimed_id, $identity, $return_to, $assoc_handle, $service);
275

276 277
  if ($service['version'] == 2) {
    openid_redirect($service['uri'], $request);
278 279
  }
  else {
280
    openid_redirect_http($service['uri'], $request);
281 282 283 284 285 286 287
  }
}

/**
 * Completes OpenID authentication by validating returned data from the OpenID
 * Provider.
 *
288
 * @param $response Array of returned values from the OpenID Provider.
289 290 291 292
 *
 * @return $response Response values for further processing with
 *   $response['status'] set to one of 'success', 'failed' or 'cancel'.
 */
293
function openid_complete($response = array()) {
294
  module_load_include('inc', 'openid');
295

296 297 298
  if (count($response) == 0) {
    $response = _openid_response();
  }
299

300 301
  // Default to failed response
  $response['status'] = 'failed';
302 303 304 305 306
  if (isset($_SESSION['openid']['service']['uri']) && isset($_SESSION['openid']['claimed_id'])) {
    $service = $_SESSION['openid']['service'];
    $claimed_id = $_SESSION['openid']['claimed_id'];
    unset($_SESSION['openid']['service']);
    unset($_SESSION['openid']['claimed_id']);
307 308 309 310 311
    if (isset($response['openid.mode'])) {
      if ($response['openid.mode'] == 'cancel') {
        $response['status'] = 'cancel';
      }
      else {
312
        if (openid_verify_assertion($service['uri'], $response)) {
313 314 315 316 317 318 319 320 321
          // OpenID Authentication, section 7.3.2.3 and Appendix A.5:
          // The CanonicalID specified in the XRDS document must be used as the
          // account key. We rely on the XRI proxy resolver to verify that the
          // provider is authorized to respond on behalf of the specified
          // identifer (required per Extensible Resource Identifier (XRI)
          // (XRI) Resolution Version 2.0, section 14.3):
          if (!empty($service['claimed_id'])) {
            $response['openid.claimed_id'] = $service['claimed_id'];
          }
322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338
          elseif ($service['version'] == 2) {
            $response['openid.claimed_id'] = openid_normalize($response['openid.claimed_id']);
            // OpenID Authentication, section 11.2:
            // If the returned Claimed Identifier is different from the one sent
            // to the OpenID Provider, we need to do discovery on the returned
            // identififer to make sure that the provider is authorized to
            // respond on behalf of this.
            if ($response['openid.claimed_id'] != $claimed_id) {
              $services = openid_discovery($response['openid.claimed_id']);
              $uris = array();
              foreach ($services as $discovered_service) {
                if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
                  $uris[] = $discovered_service['uri'];
                }
              }
              if (!in_array($service['uri'], $uris)) {
                return $response;
339
              }
340 341 342 343 344
            }
          }
          else {
            $response['openid.claimed_id'] = $claimed_id;
          }
345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361
          $response['status'] = 'success';
        }
      }
    }
  }
  return $response;
}

/**
 * Perform discovery on a claimed ID to determine the OpenID provider endpoint.
 *
 * @param $claimed_id The OpenID URL to perform discovery on.
 *
 * @return Array of services discovered (including OpenID version, endpoint
 * URI, etc).
 */
function openid_discovery($claimed_id) {
362 363
  module_load_include('inc', 'openid');
  module_load_include('inc', 'openid', 'xrds');
364

365 366
  $methods = module_invoke_all('openid_discovery_method_info');
  drupal_alter('openid_discovery_method_info', $methods);
367

368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403
  // Execute each method in turn.
  foreach ($methods as $method) {
    $discovered_services = $method($claimed_id);
    if (!empty($discovered_services)) {
      return $discovered_services;
    }
  }

  return array();
}

/**
 * Implementation of hook_openid_discovery_method_info().
 *
 * Define standard discovery methods.
 */
function openid_openid_discovery_method_info() {
  // The discovery process will stop as soon as one discovery method succeed.
  // We first attempt to discover XRI-based identifiers, then standard XRDS
  // identifiers via Yadis and HTML-based discovery, conforming to the OpenID 2.0
  // specification. If those fail, we attempt to discover services based on
  // the Google user discovery scheme.
  return array(
    'xri' => '_openid_xri_discovery',
    'xrds' => '_openid_xrds_discovery',
    'google' => '_openid_google_user_discovery',
  );
}

/**
 * OpenID discovery method: perform an XRI discovery.
 *
 * @see http://openid.net/specs/openid-authentication-2_0.html#discovery
 * @see hook_openid_discovery_method_info()
 */
function _openid_xri_discovery($claimed_id) {
404
  if (_openid_is_xri($claimed_id)) {
405
    // Resolve XRI using a proxy resolver (Extensible Resource Identifier (XRI)
406
    // Resolution Version 2.0, section 11.2 and 14.3).
407 408
    $xrds_url = variable_get('xri_proxy_resolver', 'http://xri.net/') . rawurlencode($claimed_id) . '?_xrd_r=application/xrds+xml';
    $services = _openid_xrds_discovery($xrds_url);
409 410 411 412 413 414 415 416 417
    foreach ($services as $i => &$service) {
      $status = $service['xrd']->children(OPENID_NS_XRD)->Status;
      if ($status && $status->attributes()->cid == 'verified') {
        $service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID);
      }
      else {
        // Ignore service if CanonicalID could not be verified.
        unset($services[$i]);
      }
418 419
    }
    return $services;
420
  }
421 422 423 424 425 426 427 428 429 430 431 432
}

/**
 * OpenID discovery method: perform a XRDS discovery.
 *
 * @see http://openid.net/specs/openid-authentication-2_0.html#discovery
 * @see hook_openid_discovery_method_info()
 */
function _openid_xrds_discovery($claimed_id) {
  $services = array();

  $xrds_url = $claimed_id;
433 434
  $scheme = @parse_url($xrds_url, PHP_URL_SCHEME);
  if ($scheme == 'http' || $scheme == 'https') {
435 436
    // For regular URLs, try Yadis resolution first, then HTML-based discovery
    $headers = array('Accept' => 'application/xrds+xml');
437
    $result = drupal_http_request($xrds_url, array('headers' => $headers));
438 439 440 441

    if (!isset($result->error)) {
      if (isset($result->headers['Content-Type']) && preg_match("/application\/xrds\+xml/", $result->headers['Content-Type'])) {
        // Parse XML document to find URL
442
        $services = _openid_xrds_parse($result->data);
443 444 445 446 447 448 449 450 451 452 453 454
      }
      else {
        $xrds_url = NULL;
        if (isset($result->headers['X-XRDS-Location'])) {
          $xrds_url = $result->headers['X-XRDS-Location'];
        }
        else {
          // Look for meta http-equiv link in HTML head
          $xrds_url = _openid_meta_httpequiv('X-XRDS-Location', $result->data);
        }
        if (!empty($xrds_url)) {
          $headers = array('Accept' => 'application/xrds+xml');
455
          $xrds_result = drupal_http_request($xrds_url, array('headers' => $headers));
456
          if (!isset($xrds_result->error)) {
457
            $services = _openid_xrds_parse($xrds_result->data);
458 459 460 461 462 463 464 465
          }
        }
      }

      // Check for HTML delegation
      if (count($services) == 0) {
        // Look for 2.0 links
        $uri = _openid_link_href('openid2.provider', $result->data);
466
        $identity = _openid_link_href('openid2.local_id', $result->data);
467
        $type = 'http://specs.openid.net/auth/2.0/signon';
468

469
        // 1.x links
470 471
        if (empty($uri)) {
          $uri = _openid_link_href('openid.server', $result->data);
472
          $identity = _openid_link_href('openid.delegate', $result->data);
473
          $type = 'http://openid.net/signon/1.1';
474 475
        }
        if (!empty($uri)) {
476 477
          $services[] = array(
            'uri' => $uri,
478
            'identity' => $identity,
479 480
            'types' => array($type),
          );
481 482 483 484 485 486 487
        }
      }
    }
  }
  return $services;
}

488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511
/**
 * OpenID discovery method: Perform an user discovery using Google Discovery protocol.
 *
 * This transforms a OpenID identifier into an OpenID endpoint.
 *
 * @see http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery#TOC-User-Discovery
 * @see hook_openid_discovery_method_info()
 */
function _openid_google_user_discovery($claimed_id) {
  $xrds_url = $claimed_id;
  $url = @parse_url($xrds_url);
  if (empty($url['scheme']) || ($url['scheme'] != 'http' && $scheme['scheme'] != 'https') || empty($url['host'])) {
    return;
  }

  $response = drupal_http_request('https://www.google.com/accounts/o8/.well-known/host-meta?hd=' . rawurlencode($url['host']));
  if (isset($response->error) || $response->code != 200) {
    return;
  }

  if (preg_match('/Link: <(.*)>/', $response->data, $matches)) {
    $xrds_url = $matches[1];
    $services = _openid_xrds_discovery($xrds_url);

512 513 514
    foreach ($services as $i => $service) {
      if (in_array('http://www.iana.org/assignments/relation/describedby', $service['types']) && $service['service']->children(OPENID_NS_GOOGLE)->URITemplate) {
        $template = (string)$service['service']->children(OPENID_NS_GOOGLE)->URITemplate;
515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538
        $xrds_url = str_replace('{%uri}', rawurlencode($claimed_id), $template);
        return _openid_xrds_discovery($xrds_url);
      }
    }
  }
}

/**
 * Implementation of hook_openid_normalization_method_info().
 *
 * Define standard normalization methods.
 */
function openid_openid_normalization_method_info() {
  // We first try to normalize Google Identifiers (user@domain) into their
  // corresponding XRDS URL. If this fail, we proceed with standard OpenID
  // normalization by normalizing XRI idenfiers. Finally, normalize the identifier
  // into a canonical URL.
  return array(
    'google_idp' => '_openid_google_idp_normalize',
    'xri' => '_openid_xri_normalize',
    'url' => '_openid_url_normalize',
  );
}

539 540 541 542 543 544 545 546
/**
 * Attempt to create a shared secret with the OpenID Provider.
 *
 * @param $op_endpoint URL of the OpenID Provider endpoint.
 *
 * @return $assoc_handle The association handle.
 */
function openid_association($op_endpoint) {
547
  module_load_include('inc', 'openid');
548 549

  // Remove Old Associations:
550 551 552
  db_delete('openid_association')
    ->condition('created + expires_in', REQUEST_TIME, '<')
    ->execute();
553 554

  // Check to see if we have an association for this IdP already
555
  $assoc_handle = db_query("SELECT assoc_handle FROM {openid_association} WHERE idp_endpoint_uri = :endpoint", array(':endpoint' => $op_endpoint))->fetchField();
556 557 558 559 560 561 562 563 564 565
  if (empty($assoc_handle)) {
    $mod = OPENID_DH_DEFAULT_MOD;
    $gen = OPENID_DH_DEFAULT_GEN;
    $r = _openid_dh_rand($mod);
    $private = bcadd($r, 1);
    $public = bcpowmod($gen, $private, $mod);

    // If there is no existing association, then request one
    $assoc_request = openid_association_request($public);
    $assoc_message = _openid_encode_message(_openid_create_message($assoc_request));
566 567 568 569 570 571
    $assoc_options = array(
      'headers' => array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'),
      'method' => 'POST',
      'data' => $assoc_message,
    );
    $assoc_result = drupal_http_request($op_endpoint, $assoc_options);
572 573 574 575 576 577
    if (isset($assoc_result->error)) {
      return FALSE;
    }

    $assoc_response = _openid_parse_message($assoc_result->data);
    if (isset($assoc_response['mode']) && $assoc_response['mode'] == 'error') {
578
      return FALSE;
579 580 581 582 583 584 585 586
    }

    if ($assoc_response['session_type'] == 'DH-SHA1') {
      $spub = _openid_dh_base64_to_long($assoc_response['dh_server_public']);
      $enc_mac_key = base64_decode($assoc_response['enc_mac_key']);
      $shared = bcpowmod($spub, $private, $mod);
      $assoc_response['mac_key'] = base64_encode(_openid_dh_xorsecret($shared, $enc_mac_key));
    }
587
    db_insert('openid_association')
588 589 590 591 592 593 594 595
      ->fields(array(
        'idp_endpoint_uri' => $op_endpoint,
        'session_type' => $assoc_response['session_type'],
        'assoc_handle' => $assoc_response['assoc_handle'],
        'assoc_type' => $assoc_response['assoc_type'],
        'expires_in' => $assoc_response['expires_in'],
        'mac_key' => $assoc_response['mac_key'],
        'created' => REQUEST_TIME,
596 597
      ))
      ->execute();
598 599 600 601 602 603 604 605 606 607 608
    $assoc_handle = $assoc_response['assoc_handle'];
  }
  return $assoc_handle;
}

/**
 * Authenticate a user or attempt registration.
 *
 * @param $response Response values from the OpenID Provider.
 */
function openid_authentication($response) {
609
  $identity = $response['openid.claimed_id'];
610 611 612 613

  $account = user_external_load($identity);
  if (isset($account->uid)) {
    if (!variable_get('user_email_verification', TRUE) || $account->login) {
614
      // Check if user is blocked.
615 616
      $state['values']['name'] = $account->name;
      user_login_name_validate(array(), $state);
617 618 619 620
      if (!form_get_errors()) {
        // Load global $user and perform final login tasks.
        $form_state['uid'] = $account->uid;
        user_login_submit(array(), $form_state);
621 622
        // Let other modules act on OpenID login
        module_invoke_all('openid_response', $response, $account);
623
      }
624 625
    }
    else {
626
      drupal_set_message(t('You must validate your email address for this account before logging in via OpenID.'));
627 628
    }
  }
629
  elseif (variable_get('user_register', 1)) {
630
    // Register new user.
631

632 633
    // Save response for use in openid_form_user_register_form_alter().
    $_SESSION['openid']['response'] = $response;
634

635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660
    $form_state['values'] = array();
    $form_state['values']['op'] = t('Create new account');
    drupal_form_submit('user_register_form', $form_state);

    if (!empty($form_state['user'])) {
      module_invoke_all('openid_response', $response, $form_state['user']);
      drupal_goto();
    }

    $messages = drupal_get_messages('error');
    if (empty($form_state['values']['name']) || empty($form_state['values']['mail'])) {
      // If the OpenID provider did not provide both a user name and an email
      // address, ask the user to complete the registration manually instead of
      // showing the error messages about the missing values generated by FAPI.
      drupal_set_message(t('Complete the registration by filling out the form below. If you already have an account, you can <a href="@login">log in</a> now and add your OpenID under "My account".', array('@login' => url('user/login'))), 'warning');
    }
    else {
      drupal_set_message(t('Account registration using the information provided by your OpenID provider failed due to the reasons listed below. Complete the registration by filling out the form below. If you already have an account, you can <a href="@login">log in</a> now and add your OpenID under "My account".', array('@login' => url('user/login'))), 'warning');
      // Append form validation errors below the above warning.
      foreach ($messages['error'] as $message) {
        drupal_set_message( $message, 'error');
      }
    }

    // We were unable to register a valid new user. Redirect to the normal
    // registration page and prefill with the values we received.
661 662 663
    $destination = drupal_get_destination();
    unset($_GET['destination']);
    drupal_goto('user/register', array('query' => $destination));
664
  }
665 666 667
  else {
    drupal_set_message(t('Only site administrators can create new user accounts.'), 'error');
  }
668 669 670 671
  drupal_goto();
}

function openid_association_request($public) {
672
  module_load_include('inc', 'openid');
673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688

  $request = array(
    'openid.ns' => OPENID_NS_2_0,
    'openid.mode' => 'associate',
    'openid.session_type' => 'DH-SHA1',
    'openid.assoc_type' => 'HMAC-SHA1'
  );

  if ($request['openid.session_type'] == 'DH-SHA1' || $request['openid.session_type'] == 'DH-SHA256') {
    $cpub = _openid_dh_long_to_base64($public);
    $request['openid.dh_consumer_public'] = $cpub;
  }

  return $request;
}

689
function openid_authentication_request($claimed_id, $identity, $return_to = '', $assoc_handle = '', $service) {
690
  module_load_include('inc', 'openid');
691 692 693 694 695 696 697 698

  $request =  array(
    'openid.mode' => 'checkid_setup',
    'openid.identity' => $identity,
    'openid.assoc_handle' => $assoc_handle,
    'openid.return_to' => $return_to,
  );

699
  if ($service['version'] == 2) {
700 701
    $request['openid.ns'] = OPENID_NS_2_0;
    $request['openid.claimed_id'] = $claimed_id;
702
    $request['openid.realm'] = url('', array('absolute' => TRUE));
703 704
  }
  else {
705
    $request['openid.trust_root'] = url('', array('absolute' => TRUE));
706 707
  }

708 709 710
  // Always request Simple Registration. The specification doesn't mandate
  // that the Endpoint advertise OPENID_NS_SREG in the service description.
  $request['openid.ns.sreg'] = OPENID_NS_SREG;
711
  $request['openid.sreg.required'] = 'nickname,email';
712 713 714 715 716 717 718

  // Request Attribute Exchange, if available.
  // We only request the minimum attributes we need here, contributed modules
  // can alter the request to add more attribute, and map them to profile fields.
  if (in_array(OPENID_NS_AX, $service['types'])) {
    $request['openid.ns.ax'] = OPENID_NS_AX;
    $request['openid.ax.mode'] = 'fetch_request';
719 720 721 722 723 724 725 726 727 728 729 730 731 732
    $request['openid.ax.required'] = 'mail_ao,name_ao,mail_son,name_son';

    // Implementors disagree on which URIs to use, even for simple
    // attributes like name and email (*sigh*). We ask for both axschema.org
    // attributes (which are supposed to be newer), and schema.openid.net ones
    // (which are supposed to be legacy).

    // Attributes as defined by axschema.org.
    $request['openid.ax.type.mail_ao'] = 'http://axschema.org/contact/email';
    $request['openid.ax.type.name_ao'] = 'http://axschema.org/namePerson/friendly';

    // Attributes as defined by schema.openid.net.
    $request['openid.ax.type.mail_son'] = 'http://schema.openid.net/contact/email';
    $request['openid.ax.type.name_son'] = 'http://schema.openid.net/namePerson/friendly';
733
  }
734 735 736 737 738 739 740 741 742 743

  $request = array_merge($request, module_invoke_all('openid', 'request', $request));

  return $request;
}

/**
 * Attempt to verify the response received from the OpenID Provider.
 *
 * @param $op_endpoint The OpenID Provider URL.
744
 * @param $response Array of response values from the provider.
745 746
 *
 * @return boolean
747
 * @see http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4
748 749
 */
function openid_verify_assertion($op_endpoint, $response) {
750
  module_load_include('inc', 'openid');
751 752

  $valid = FALSE;
753 754 755 756 757 758 759 760
  $association = FALSE;

  // If the OP returned a openid.invalidate_handle, we have to proceed with
  // direct verification: ignore the openid.assoc_handle, even if present.
  // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.1
  if (!empty($response['openid.assoc_handle']) && empty($response['openid.invalidate_handle'])) {
    $association = db_query("SELECT * FROM {openid_association} WHERE assoc_handle = :assoc_handle", array(':assoc_handle' => $response['openid.assoc_handle']))->fetchObject();
  }
761 762 763 764 765 766 767 768 769 770 771 772

  if ($association && isset($association->session_type)) {
    $keys_to_sign = explode(',', $response['openid.signed']);
    $self_sig = _openid_signature($association, $response, $keys_to_sign);
    if ($self_sig == $response['openid.sig']) {
      $valid = TRUE;
    }
    else {
      $valid = FALSE;
    }
  }
  else {
773 774 775
    // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2.1
    // The verification requests contain all the fields from the response,
    // except openid.mode.
776 777 778
    $request = $response;
    $request['openid.mode'] = 'check_authentication';
    $message = _openid_create_message($request);
779 780 781 782 783 784
    $options = array(
      'headers' => array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'),
      'method' => 'POST',
      'data' => _openid_encode_message($message),
    );
    $result = drupal_http_request($op_endpoint, $options);
785 786
    if (!isset($result->error)) {
      $response = _openid_parse_message($result->data);
787

788 789
      if (strtolower(trim($response['is_valid'])) == 'true') {
        $valid = TRUE;
790 791 792 793 794 795 796 797
        if (!empty($response['invalidate_handle'])) {
          // This association handle has expired on the OP side, remove it from the
          // database to avoid reusing it again on a subsequent authentication request.
          // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2.2
          db_delete('openid_association')
            ->condition('assoc_handle', $response['invalidate_handle'])
            ->execute();
        }
798 799 800 801 802 803 804 805
      }
      else {
        $valid = FALSE;
      }
    }
  }
  return $valid;
}