'XRDS service document', 'page callback' => 'openid_test_yadis_xrds', 'access callback' => TRUE, 'type' => MENU_CALLBACK, ); $items['openid-test/yadis/x-xrds-location'] = array( 'title' => 'Yadis discovery using X-XRDS-Location header', 'page callback' => 'openid_test_yadis_x_xrds_location', 'access callback' => TRUE, 'type' => MENU_CALLBACK, ); $items['openid-test/yadis/http-equiv'] = array( 'title' => 'Yadis discovery using ', 'page callback' => 'openid_test_yadis_http_equiv', 'access callback' => TRUE, 'type' => MENU_CALLBACK, ); $items['openid-test/html/openid1'] = array( 'title' => 'HTML-based discovery using ', 'page callback' => 'openid_test_html_openid1', 'access callback' => TRUE, 'type' => MENU_CALLBACK, ); $items['openid-test/html/openid2'] = array( 'title' => 'HTML-based discovery using ', 'page callback' => 'openid_test_html_openid2', 'access callback' => TRUE, 'type' => MENU_CALLBACK, ); $items['openid-test/endpoint'] = array( 'title' => 'OpenID Provider Endpoint', 'page callback' => 'openid_test_endpoint', 'access callback' => TRUE, 'type' => MENU_CALLBACK, ); return $items; } /** * Menu callback; XRDS document that references the OP Endpoint URL. */ function openid_test_yadis_xrds() { if ($_SERVER['HTTP_ACCEPT'] == 'application/xrds+xml') { drupal_set_header('Content-Type', 'application/xrds+xml'); print ' http://specs.openid.net/auth/2.0/signon ' . url('openid-test/endpoint', array('absolute' => TRUE)) . ' '; } else { return t('This is a regular HTML page. If the client sends an Accept: application/xrds+xml header when requesting this URL, an XRDS document is returned.'); } } /** * Menu callback; regular HTML page with an X-XRDS-Location HTTP header. */ function openid_test_yadis_x_xrds_location() { drupal_set_header('X-XRDS-Location', url('openid-test/yadis/xrds', array('absolute' => TRUE))); return t('This page includes an X-RDS-Location HTTP header containing the URL of an XRDS document.'); } /** * Menu callback; regular HTML page with element. */ function openid_test_yadis_http_equiv() { drupal_add_html_head(''); return t('This page includes a <meta equiv=...> element containing the URL of an XRDS document.'); } /** * Menu callback; regular HTML page with OpenID 1.0 element. */ function openid_test_html_openid1() { drupal_add_html_head(''); return t('This page includes a <link rel=...> element containing the URL of an OpenID Provider Endpoint.'); } /** * Menu callback; regular HTML page with OpenID 2.0 element. */ function openid_test_html_openid2() { drupal_add_html_head(''); return t('This page includes a <link rel=...> element containing the URL of an OpenID Provider Endpoint.'); } /** * Menu callback; OpenID Provider Endpoint. * * It accepts "associate" requests directly from the Relying Party, and * "checkid_setup" requests made by the user's browser based on HTTP redirects * (in OpenID 1) or HTML forms (in OpenID 2) generated by the Relying Party. */ function openid_test_endpoint() { switch ($_REQUEST['openid_mode']) { case 'associate'; _openid_test_endpoint_associate(); break; case 'checkid_setup'; _openid_test_endpoint_authenticate(); break; } } /** * OpenID endpoint; handle "associate" requests (see OpenID Authentication 2.0, * section 8). * * The purpose of association is to send the secret MAC key to the Relying Party * using Diffie-Hellman key exchange. The MAC key is used in subsequent * "authenticate" requests. The "associate" request is made by the Relying Party * (in the testing scenario, this is the OpenID module that communicates with * the endpoint using drupal_http_request()). */ function _openid_test_endpoint_associate() { module_load_include('inc', 'openid'); // Use default parameters for Diffie-Helmann key exchange. $mod = OPENID_DH_DEFAULT_MOD; $gen = OPENID_DH_DEFAULT_GEN; // Generate private Diffie-Helmann key. $r = _openid_dh_rand($mod); $private = bcadd($r, 1); // Calculate public Diffie-Helmann key. $public = bcpowmod($gen, $private, $mod); // Calculate shared secret based on Relying Party's public key. $cpub = _openid_dh_base64_to_long($_REQUEST['openid_dh_consumer_public']); $shared = bcpowmod($cpub, $private, $mod); // Encrypt the MAC key using the shared secret. $enc_mac_key = base64_encode(_openid_dh_xorsecret($shared, base64_decode(variable_get('mac_key')))); // Generate response including our public key and the MAC key. Using our // public key and its own private key, the Relying Party can calculate the // shared secret, and with this it can decrypt the encrypted MAC key. $response = array( 'ns' => 'http://specs.openid.net/auth/2.0', 'assoc_handle' => 'openid-test', 'session_type' => $_REQUEST['openid_session_type'], 'assoc_type' => $_REQUEST['openid_assoc_type'], 'expires_in' => '3600', 'dh_server_public' => _openid_dh_long_to_base64($public), 'enc_mac_key' => $enc_mac_key, ); // Respond to Relying Party in the special Key-Value Form Encoding (see OpenID // Authentication 1.0, section 4.1.1). drupal_set_header('Content-Type', 'text/plain'); print _openid_create_message($response); } /** * OpenID endpoint; handle "authenticate" requests. * * All requests result in a successful response. The request is a GET or POST * made by the user's browser based on an HTML form or HTTP redirect generated * by the Relying Party. The user is redirected back to the Relying Party using * a URL containing a signed message in the query string confirming the user's * identity. */ function _openid_test_endpoint_authenticate() { global $base_url; module_load_include('inc', 'openid'); // Generate unique identifier for this authentication. $nonce = _openid_nonce(); // Generate response containing the user's identity. The openid.sreg.xxx // entries contain profile data stored by the OpenID Provider (see OpenID // Simple Registration Extension 1.0). $response = array( 'openid.ns' => OPENID_NS_2_0, 'openid.mode' => 'id_res', 'openid.op_endpoint' => $base_url . url('openid/provider'), // openid.claimed_id is not sent by OpenID 1 clients. 'openid.claimed_id' => isset($_REQUEST['openid_claimed_id']) ? $_REQUEST['openid_claimed_id'] : '', 'openid.identity' => $_REQUEST['openid_identity'], 'openid.return_to' => $_REQUEST['openid_return_to'], 'openid.response_nonce' => $nonce, 'openid.assoc_handle' => 'openid-test', 'openid.sreg.email' => 'johndoe@example.com', 'openid.sreg.nickname' => 'johndoe', 'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle', ); // Sign the message using the MAC key that was exchanged during association. $association = new stdClass; $association->mac_key = variable_get('mac_key'); $keys_to_sign = explode(',', $response['openid.signed']); $response['openid.sig'] = _openid_signature($association, $response, $keys_to_sign); // Put the signed message into the query string of a URL supplied by the // Relying Party, and redirect the user. drupal_set_header('Content-Type', 'text/plain'); header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => http_build_query($response, '', '&'), 'external' => TRUE))); }