ZF-12276: OpenID Sreg extension:: parseRequest overwrites provided credentials when used in the provider context


It appears that when providing the requested credentials to sreg extension in the provider context it overrides those credentials with booleans.

Provider example:

    //... pull user info
    $user_params = array(
        'nickname' => $user->getNickName(),
        'fullname' => $user->getFullName(),
        'email' => $user->getEmail()
    );
    $sreg = new iChain_OpenId_Sreg($user_params);
    $ret = $provider->handle(null, $sreg);

Consumer example:

    $props = array(
        "nickname"=>false,
        "email"=>true,
        "fullname"=>true,
    );
    $sreg = new iChain_OpenId_Sreg($props, null, 2.0);
    $consumer = new Zend_OpenId_Consumer();
    if($consumer->verify($_GET, $id, $sreg)){
        // $_GET[openid_sreg_email] => 1
        // $_GET[openid_sreg_fullname] => 1
    }

The problem appears to be in Zend_OpenId_Extensions_Sreg::parseRequest. The unit tests only test the provided version number and policy url. When used in the consumer context it populates the $_props with a key/value array of attributes and booleans (if those are required). When using it in the provider context that same property is used to hold the actual values the provider should be sending. Instead it sends those booleans back.

A simple solution is to remove the following line from Zend_OpenId_Extensions_Sreg::parseRequest:

    $this->_props = (count($props2) > 0) ? $props2 : null;

However it was put there for a reason and I am unsure why. I'm guessing to provide backwards compatibility with sreg 1.0 when used in the consumer context.
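The property reuse described in the report, as an added illustration that is not part of the original issue and is not Zend Framework code: a simplified model in which one property holds both the provider's values and the parsed request flags, next to a variant that keeps the request separate and returns only the fields that were asked for. All class, method and property names are hypothetical, the sample data is constructed, and the request keys assume PHP's underscore form of the SReg parameter names.

```php
<?php
// Simplified model of the reported behaviour; NOT Zend Framework code.
// All class, method and property names here are hypothetical.
class SregModel
{
    const FIELDS = array('nickname', 'email', 'fullname');
    protected $props; // provider: user values; consumer: field => required?

    public function __construct(array $props) { $this->props = $props; }

    // Turn openid_sreg_optional / openid_sreg_required into field => bool.
    protected function requestedFields(array $params)
    {
        $out = array();
        foreach (array('optional' => false, 'required' => true) as $kind => $flag) {
            if (empty($params['openid_sreg_' . $kind])) { continue; }
            foreach (explode(',', $params['openid_sreg_' . $kind]) as $f) {
                if (in_array(trim($f), self::FIELDS, true)) { $out[trim($f)] = $flag; }
            }
        }
        return $out;
    }
    // Reported behaviour: request flags replace the values given to the constructor.
    public function parseRequest(array $params) { $this->props = $this->requestedFields($params); }

    public function prepareResponse()
    {
        $resp = array();
        foreach ($this->props as $f => $v) {
            if (!empty($v)) { $resp['openid.sreg.' . $f] = $v; }
        }
        return $resp;
    }
}
// Variant: store the request separately and answer only the requested fields.
class SregModelFixed extends SregModel
{
    protected $requested = array();
    public function parseRequest(array $params) { $this->requested = $this->requestedFields($params); }
    public function prepareResponse()
    {
        $this->props = array_intersect_key($this->props, $this->requested);
        return parent::prepareResponse();
    }
}
// Constructed sample data.
$user = array('nickname' => 'alice', 'email' => 'alice@example.test', 'fullname' => 'Alice Example');
$req  = array('openid_sreg_required' => 'email,fullname', 'openid_sreg_optional' => 'nickname');
foreach (array('SregModel', 'SregModelFixed') as $cls) {
    $s = new $cls($user);
    $s->parseRequest($req);
    echo $cls, ': ', json_encode($s->prepareResponse()), "\n";
}
```

Run with the PHP CLI to compare the two responses: the first model emits boolean flags for the required fields, the variant emits the user's values for the requested fields only.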

