Commit 7b56a623 authored by Andjelko Horvat's avatar Andjelko Horvat

modules/openid: new exceptions, separate linkback endpoint and some cleaning (issue 398).

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2831 44740490-163a-0410-bde0-09ae8108e29a
parent 664163c6
...@@ -102,10 +102,14 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source { ...@@ -102,10 +102,14 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
$state['openid:AuthId'] = $this->authId; $state['openid:AuthId'] = $this->authId;
if ($this->target !== NULL) { if ($this->target !== NULL) {
/* We know our OpenID target URL. Skip the page where we ask for it. */
$this->doAuth($state, $this->target); $this->doAuth($state, $this->target);
/* doAuth() never returns. */
assert('FALSE');
} }
$id = SimpleSAML_Auth_State::saveState($state, 'openid:state'); $id = SimpleSAML_Auth_State::saveState($state, 'openid:init');
$url = SimpleSAML_Module::getModuleURL('openid/consumer.php'); $url = SimpleSAML_Module::getModuleURL('openid/consumer.php');
SimpleSAML_Utilities::redirect($url, array('AuthState' => $id)); SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
...@@ -133,8 +137,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source { ...@@ -133,8 +137,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
private function getReturnTo($stateId) { private function getReturnTo($stateId) {
assert('is_string($stateId)'); assert('is_string($stateId)');
return SimpleSAML_Module::getModuleURL('openid/consumer.php', array( return SimpleSAML_Module::getModuleURL('openid/linkback.php', array(
'returned' => 1,
'AuthState' => $stateId, 'AuthState' => $stateId,
)); ));
} }
...@@ -163,7 +166,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source { ...@@ -163,7 +166,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
public function doAuth(array &$state, $openid) { public function doAuth(array &$state, $openid) {
assert('is_string($openid)'); assert('is_string($openid)');
$stateId = SimpleSAML_Auth_State::saveState($state, 'openid:state'); $stateId = SimpleSAML_Auth_State::saveState($state, 'openid:auth');
$consumer = $this->getConsumer($state); $consumer = $this->getConsumer($state);
...@@ -172,7 +175,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source { ...@@ -172,7 +175,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
// No auth request means we can't begin OpenID. // No auth request means we can't begin OpenID.
if (!$auth_request) { if (!$auth_request) {
throw new Exception("Authentication error; not a valid OpenID."); throw new SimpleSAML_Error_BadRequest('Not a valid OpenID: ' . var_export($openid, TRUE));
} }
$sreg_request = Auth_OpenID_SRegRequest::build( $sreg_request = Auth_OpenID_SRegRequest::build(
...@@ -229,7 +232,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source { ...@@ -229,7 +232,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
// If the redirect URL can't be built, display an error message. // If the redirect URL can't be built, display an error message.
if (Auth_OpenID::isFailure($redirect_url)) { if (Auth_OpenID::isFailure($redirect_url)) {
throw new Exception("Could not redirect to server: " . $redirect_url->message); throw new SimpleSAML_Error_AuthSource($this->authId, 'Could not redirect to server: ' . var_export($redirect_url->message, TRUE));
} }
SimpleSAML_Utilities::redirect($redirect_url); SimpleSAML_Utilities::redirect($redirect_url);
...@@ -240,7 +243,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source { ...@@ -240,7 +243,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
// Display an error if the form markup couldn't be generated; otherwise, render the HTML. // Display an error if the form markup couldn't be generated; otherwise, render the HTML.
if (Auth_OpenID::isFailure($form_html)) { if (Auth_OpenID::isFailure($form_html)) {
throw new Exception("Could not redirect to server: " . $form_html->message); throw new SimpleSAML_Error_AuthSource($this->authId, 'Could not redirect to server: ' . var_export($form_html->message, TRUE));
} else { } else {
echo '<html><head><title>OpenID transaction in progress</title></head> echo '<html><head><title>OpenID transaction in progress</title></head>
<body onload=\'document.getElementById("' . $form_id . '").submit()\'>' . <body onload=\'document.getElementById("' . $form_id . '").submit()\'>' .
...@@ -269,12 +272,12 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source { ...@@ -269,12 +272,12 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
// Check the response status. // Check the response status.
if ($response->status == Auth_OpenID_CANCEL) { if ($response->status == Auth_OpenID_CANCEL) {
// This means the authentication was cancelled. // This means the authentication was cancelled.
throw new Exception('Verification cancelled.'); throw new SimpleSAML_Error_UserAborted();
} else if ($response->status == Auth_OpenID_FAILURE) { } else if ($response->status == Auth_OpenID_FAILURE) {
// Authentication failed; display the error message. // Authentication failed; display the error message.
throw new Exception("OpenID authentication failed: " . $response->message); throw new SimpleSAML_Error_AuthSource($this->authId, 'Authentication failed: ' . var_export($response->message, TRUE));
} else if ($response->status != Auth_OpenID_SUCCESS) { } else if ($response->status != Auth_OpenID_SUCCESS) {
throw new Exceptioon('General error. Try again.'); throw new SimpleSAML_Error_AuthSource($this->authId, 'General error. Try again.');
} }
// This means the authentication succeeded; extract the // This means the authentication succeeded; extract the
......
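Review bot: The new `SimpleSAML_Error_BadRequest` thrown at the `!$auth_request` check embeds `var_export($openid, TRUE)` in a message that is presented to the user, and `$openid` is exactly what the user typed (consumer.php hands `$_GET['openid_url']` straight to `doAuth()`); the `->message` values from the OpenID library that the two `SimpleSAML_Error_AuthSource` throws and the response-status chain now include come from the remote provider. Whether that is safe depends on the error page escaping the message for HTML, which is not visible here; if it does not, keep the raw value in the log and show a generic text, e.g. `SimpleSAML_Logger::warning('openid: not a valid OpenID: ' . var_export($openid, TRUE)); throw new SimpleSAML_Error_BadRequest('Not a valid OpenID.');`. The enclosing doAuth() and postAuth() bodies both start and end outside these hunks.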
...@@ -177,7 +177,7 @@ class sspmod_openid_StateStore extends Auth_OpenID_OpenIDStore{ ...@@ -177,7 +177,7 @@ class sspmod_openid_StateStore extends Auth_OpenID_OpenIDStore{
$this->associations[$server_url][$handle] = $association->serialize(); $this->associations[$server_url][$handle] = $association->serialize();
/* We rely on saveState saving with the same id as before. */ /* We rely on saveState saving with the same id as before. */
SimpleSAML_Auth_State::saveState($this->state, 'openid:state'); SimpleSAML_Auth_State::saveState($this->state, 'openid:auth');
return TRUE; return TRUE;
} }
......
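Review bot: The stage literal `'openid:auth'` written here must match the one `doAuth()` saves in OpenIDConsumer.php and the one the new linkback.php loads, and it is spelled out by hand at all three sites; the comment just above notes that this code relies on `saveState` keeping the same id, and a mismatched stage would only surface later as a loadState failure at the linkback. A single class constant on the consumer, e.g. `const STAGE_AUTH = 'openid:auth';`, referenced as `sspmod_openid_Auth_Source_OpenIDConsumer::STAGE_AUTH` from this store and from linkback.php, would keep the three in step. The enclosing method starts before this hunk.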
<?php <?php
$config = SimpleSAML_Configuration::getInstance();
/* Find the authentication state. */ /* Find the authentication state. */
if (!array_key_exists('AuthState', $_REQUEST)) { if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) {
throw new SimpleSAML_Error_BadRequest('Missing mandatory parameter: AuthState'); throw new SimpleSAML_Error_BadRequest('Missing mandatory parameter: AuthState');
} }
$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], 'openid:state');
$authState = $_REQUEST['AuthState']; $authState = $_REQUEST['AuthState'];
$authSource = SimpleSAML_Auth_Source::getById($state['openid:AuthId']); $state = SimpleSAML_Auth_State::loadState($authState, 'openid:init');
$sourceId = $state['openid:AuthId'];
$authSource = SimpleSAML_Auth_Source::getById($sourceId);
if ($authSource === NULL) { if ($authSource === NULL) {
throw new SimpleSAML_Error_BadRequest('Invalid AuthId \'' . $state['openid:AuthId'] . '\' - not found.'); throw new SimpleSAML_Error_BadRequest('Invalid AuthId \'' . $sourceId . '\' - not found.');
} }
try { try {
if (array_key_exists('returned', $_GET)) { if (!empty($_GET['openid_url'])) {
$authSource->postAuth($state);
} elseif (!empty($_GET['openid_url'])) {
$authSource->doAuth($state, (string)$_GET['openid_url']); $authSource->doAuth($state, (string)$_GET['openid_url']);
} }
} catch (Exception $e) { } catch (Exception $e) {
......
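Review bot: The new guard `if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))` still lets a non-string value through (a query string that encodes AuthState as an array yields an array, which is then passed to `loadState()`), and its `array_key_exists` half is redundant because `empty()` already treats a missing key as empty. `if (empty($_REQUEST['AuthState']) || !is_string($_REQUEST['AuthState']))` covers both cases in one condition. The identical guard opens the new linkback.php and should change the same way. The `catch (Exception $e)` block at the end of this hunk continues outside it.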
<?php
$config = SimpleSAML_Configuration::getInstance();
/* Find the authentication state. */
if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) {
throw new SimpleSAML_Error_BadRequest('Missing mandatory parameter: AuthState');
}
$authState = $_REQUEST['AuthState'];
$state = SimpleSAML_Auth_State::loadState($authState, 'openid:auth');
$sourceId = $state['openid:AuthId'];
$authSource = SimpleSAML_Auth_Source::getById($sourceId);
if ($authSource === NULL) {
throw new SimpleSAML_Error_BadRequest('Invalid AuthId \'' . $sourceId . '\' - not found.');
}
try {
$authSource->postAuth($state);
/* postAuth() should never return. */
assert('FALSE');
} catch (SimpleSAML_Error_Exception $e) {
SimpleSAML_Auth_State::throwException($state, $e);
} catch (Exception $e) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_AuthSource($sourceId, 'Error on OpenID linkback endpoint.', $e));
}
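Review bot: linkback.php has no header comment saying what it is, although it is a new public endpoint: `getReturnTo()` in OpenIDConsumer.php now points the provider's return_to URL at it, and the file exists only to load the `'openid:auth'` state and hand it to `postAuth()`. A short comment after `<?php` would spare the next reader the cross-file lookup, e.g. `/* Return endpoint for the OpenID provider (the return_to URL built by getReturnTo()). Loads the 'openid:auth' state saved by doAuth() and passes it to postAuth(), which is expected not to return. */`.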