author | Dries Buytaert <dries@buytaert.net> | 2011-05-11 21:34:06 -0400 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2011-05-11 21:34:06 -0400 |
commit | fcf48f0c8c3cf37b6a397cf9dfa78e53831de8c3 (patch) | |
tree | ab1cdaab311be1840feea197b43a8a29c22487d6 /modules | |
parent | 980d5188f7ccd7514347a81e6de753f1fb8b5e7b (diff) | |
- Patch #1076366 by wojtha: OpenID discovery spec violation - fragments are removed from claimed id.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/openid/openid.module | 10 | ||||
-rw-r--r-- | modules/openid/openid.test | 12 |
2 files changed, 13 insertions, 9 deletions
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index 7673de886..6d4b1d7ff 100644
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -341,14 +341,18 @@ function openid_complete($response = array()) {
 $response['openid.claimed_id'] = $service['claimed_id'];
 }
 elseif ($service['version'] == 2) {
- $response['openid.claimed_id'] = openid_normalize($response['openid.claimed_id']);
+ // Returned Claimed Identifier could contain unique fragment
+ // identifier to allow identifier recycling so we need to preserve
+ // it in the response.
+ $response_claimed_id = openid_normalize($response['openid.claimed_id']);
+
 // OpenID Authentication, section 11.2:
 // If the returned Claimed Identifier is different from the one sent
 // to the OpenID Provider, we need to do discovery on the returned
 // identififer to make sure that the provider is authorized to
 // respond on behalf of this.
- if ($response['openid.claimed_id'] != $claimed_id) {
- $services = openid_discovery($response['openid.claimed_id']);
+ if ($response_claimed_id != $claimed_id) {
+ $services = openid_discovery($response_claimed_id);
 $uris = array();
 foreach ($services as $discovered_service) {
 if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
diff --git a/modules/openid/openid.test b/modules/openid/openid.test
index 202a8355e..09632ba14 100644
--- a/modules/openid/openid.test
+++ b/modules/openid/openid.test
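Review bot: After this change `$response['openid.claimed_id']` keeps the provider's raw value and only the local `$response_claimed_id` is normalized, so if code after this hunk uses the response value as the account key, an identifier returned without a scheme would be stored in a form that differs from the one compared and discovered here. The removed line normalized the stored value as well; whether `openid_normalize()` strips the fragment is not visible in this hunk, so the size of that gap is inferred. I would add a comment that fixes the roles of the two values, e.g. `// $response_claimed_id is used only for comparison and discovery; $response['openid.claimed_id'] is kept exactly as the OP returned it.`, and make the identity comparison strict with `if ($response_claimed_id !== $claimed_id) {`. openid_complete() starts and ends outside the hunk.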
@@ -89,12 +89,12 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
 // Identifier is the URL of an XRDS document containing an OP Identifier
 // Element. The Relying Party sends the special value
 // "http://specs.openid.net/auth/2.0/identifier_select" as Claimed
- // Identifier. The OpenID Provider responds with the actual identifier.
- $identity = url('openid-test/yadis/xrds/dummy-user', array('absolute' => TRUE));
- // Tell openid_test.module to respond with this identifier. The URL scheme
- // is stripped in order to test that the returned identifier is normalized in
- // openid_complete().
- variable_set('openid_test_response', array('openid.claimed_id' => preg_replace('@^https?://@', '', $identity)));
+ // Identifier. The OpenID Provider responds with the actual identifier
+ // including the fragment.
+ $identity = url('openid-test/yadis/xrds/dummy-user', array('absolute' => TRUE, 'fragment' => $this->randomName()));
+ // Tell openid_test.module to respond with this identifier. We test if
+ // openid_complete() processes it right.
+ variable_set('openid_test_response', array('openid.claimed_id' => $identity));
 $this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, 'http://specs.openid.net/auth/2.0/identifier_select', $identity);
 variable_set('openid_test_response', array()); |
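Review bot: The rewritten fixture no longer strips the URL scheme from the returned `openid.claimed_id`, so the case the removed comment described, normalization of the returned identifier in openid_complete(), is no longer exercised by this test. Because the module change in the same commit alters which value gets normalized, I would keep a second scenario that returns the identifier without its scheme, e.g. `variable_set('openid_test_response', array('openid.claimed_id' => preg_replace('@^https?://@', '', $identity)));` followed by its own `addIdentity()` call and expected identity. The new comment "processes it right" would also read better if it named the expectation, for instance `// openid_complete() must keep the fragment in the stored claimed id.`. The test method starts and ends outside the hunk.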