From 2494caa5ef1d6a581645645c1e9f0295456d955b Mon Sep 17 00:00:00 2001
From: Andjelko Horvat <comel@vingd.com>
Date: Fri, 28 Oct 2011 14:29:53 +0000
Subject: [PATCH] openid: add prefer_http_redirect option (issue 444).

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2965 44740490-163a-0410-bde0-09ae8108e29a
---
 config-templates/authsources.php              |  2 +
 .../openid/lib/Auth/Source/OpenIDConsumer.php | 48 ++++++++++++-------
 2 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index 72b14a75c..aa3a9be21 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -100,6 +100,8 @@ $config = array(
 		// 'sreg.validate' => FALSE,
 		'attributes.ax_required' => array('http://axschema.org/namePerson/friendly'),
 		'attributes.ax_optional' => array('http://axschema.org/namePerson','http://axschema.org/contact/email'),
+		// Prefer HTTP redirect over POST
+		// 'prefer_http_redirect' => FALSE,
 	),
 	*/
 
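Review bot: The template comment `// Prefer HTTP redirect over POST` does not tell the operator that the option only changes the OpenID 2 path, or that the consumer still falls back to the form POST when the redirect URL is longer than 2048 bytes — both of which the OpenIDConsumer.php hunks in this patch implement. Suggest `// Prefer HTTP redirect over POST for OpenID 2 (falls back to POST when the redirect URL exceeds 2048 bytes)`. The same wording gap applies to the docblock of the new `$preferHttpRedirect` property in OpenIDConsumer.php, which only says "Prefer HTTP Redirect over HTML Form Redirection (POST)".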
diff --git a/modules/openid/lib/Auth/Source/OpenIDConsumer.php b/modules/openid/lib/Auth/Source/OpenIDConsumer.php
index b983260a0..67a73b26c 100644
--- a/modules/openid/lib/Auth/Source/OpenIDConsumer.php
+++ b/modules/openid/lib/Auth/Source/OpenIDConsumer.php
@@ -61,6 +61,11 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
 	 */
 	private $extensionArgs;
 
+	/**
+	 * Prefer HTTP Redirect over HTML Form Redirection (POST)
+	 */
+	private $preferHttpRedirect;
+
 	/**
 	 * Constructor for this authentication source.
 	 *
@@ -87,6 +92,8 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
 		$this->validateSReg = $cfgParse->getBoolean('sreg.validate',TRUE);
 
 		$this->extensionArgs = $cfgParse->getArray('extension.args', array());
+
+		$this->preferHttpRedirect = $cfgParse->getBoolean('prefer_http_redirect', FALSE);
 	}
 
 
@@ -225,9 +232,12 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
 		// Store the token for this authentication so we can verify the
 		// response.
 
-		// For OpenID 1, send a redirect.  For OpenID 2, use a Javascript
-		// form to send a POST request to the server.
-		if ($auth_request->shouldSendRedirect()) {
+		// For OpenID 1, send a redirect.  For OpenID 2, use a Javascript form
+		// to send a POST request to the server or use redirect if
+		// prefer_http_redirect is enabled and redirect URL size
+		// is less than 2049
+		$should_send_redirect = $auth_request->shouldSendRedirect();
+		if ($this->preferHttpRedirect || $should_send_redirect) {
 			$redirect_url = $auth_request->redirectURL($this->getTrustRoot(), $this->getReturnTo($stateId));
 
 			// If the redirect URL can't be built, display an error message.
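Review bot: The 2048-byte limit that the new comment describes ("less than 2049") is a bare literal in the next hunk (`strlen($redirect_url) <= 2048`), so the comment and the check can drift apart; give it a name next to the new property, e.g. `const MAX_REDIRECT_URL_LENGTH = 2048;`, and refer to it from both the comment and the comparison. The comment should also say why the bound exists — presumably a conservative limit for browser/proxy URL length on GET rather than anything the OpenID protocol requires — so a maintainer knows it is tunable. The enclosing method starts before this hunk and continues past it.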
@@ -235,22 +245,26 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
 				throw new SimpleSAML_Error_AuthSource($this->authId, 'Could not redirect to server: ' . var_export($redirect_url->message, TRUE));
 			}
 
-			SimpleSAML_Utilities::redirect($redirect_url);
-		} else {
-			// Generate form markup and render it.
-			$form_id = 'openid_message';
-			$form_html = $auth_request->formMarkup($this->getTrustRoot(), $this->getReturnTo($stateId), FALSE, array('id' => $form_id));
-
-			// Display an error if the form markup couldn't be generated; otherwise, render the HTML.
-			if (Auth_OpenID::isFailure($form_html)) {
-				throw new SimpleSAML_Error_AuthSource($this->authId, 'Could not redirect to server: ' . var_export($form_html->message, TRUE));
-			} else {
-				echo '<html><head><title>OpenID transaction in progress</title></head>
-					<body onload=\'document.getElementById("' . $form_id . '").submit()\'>' .
-					$form_html . '</body></html>';
-				exit;
+			// For OpenID 2 failover to POST if redirect URL is longer than 2048
+			if ($should_send_redirect || strlen($redirect_url) <= 2048) {
+				SimpleSAML_Utilities::redirect($redirect_url);
+				assert('FALSE');
 			}
 		}
+
+		// Generate form markup and render it.
+		$form_id = 'openid_message';
+		$form_html = $auth_request->formMarkup($this->getTrustRoot(), $this->getReturnTo($stateId), FALSE, array('id' => $form_id));
+
+		// Display an error if the form markup couldn't be generated; otherwise, render the HTML.
+		if (Auth_OpenID::isFailure($form_html)) {
+			throw new SimpleSAML_Error_AuthSource($this->authId, 'Could not redirect to server: ' . var_export($form_html->message, TRUE));
+		} else {
+			echo '<html><head><title>OpenID transaction in progress</title></head>
+				<body onload=\'document.getElementById("' . $form_id . '").submit()\'>' .
+				$form_html . '</body></html>';
+			exit;
+		}
 	}
 
 
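Review bot: With `prefer_http_redirect` enabled, an OpenID 2 request whose redirect URL cannot be built now throws at `throw new SimpleSAML_Error_AuthSource($this->authId, 'Could not redirect to server: ' ...)` instead of falling back to the form POST that was used before this patch, so enabling the option can turn a working login into an error; the `isFailure` test that guards this throw sits on the line just above the hunk. Only the OpenID 1 case (`$should_send_redirect`) has no alternative and should keep throwing; for OpenID 2 the failed redirect should be skipped and the form markup below used. The redirect branch also falls through to rendering the form if `SimpleSAML_Utilities::redirect()` ever returns, which the `assert('FALSE')` documents only implicitly — a comment such as `// redirect() never returns; the form below is reached only on the POST fallback` would make that explicit. The `if` that this hunk closes opens in the previous hunk.
```php
			// If the redirect URL can't be built, fail for OpenID 1 (no alternative);
			// for OpenID 2 the form POST below is still available.
			if (Auth_OpenID::isFailure($redirect_url)) {
				if ($should_send_redirect) {
					throw new SimpleSAML_Error_AuthSource($this->authId, 'Could not redirect to server: ' . var_export($redirect_url->message, TRUE));
				}
			} elseif ($should_send_redirect || strlen($redirect_url) <= 2048) {
				// For OpenID 2 failover to POST if redirect URL is longer than 2048
				SimpleSAML_Utilities::redirect($redirect_url);
				assert('FALSE');
			}
		}
		// … unchanged: form markup generation and rendering …
```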
-- 
GitLab