Issues

ZF-3687: The OpenId provider class does not properly handle multiple scripts w/OpenId v2.0 and op_endpoint

Description

If you have three different (or multiple) scripts that will handle the OpenId authentication process (an handler script - for dispatching the OpenId mode/action, a login script and a trust script) the op_endpoint OpenId parameter will be incorrectly set in the OpenId response to the Consumer causing the OpenId authentication to fail on the Consumer side. This happens in the Zend_OpenId_Provider::_respond method. The current code does this to set the op_endpoint parameter:

if ($version >= 2.0) { $ret["openid.op_endpoint"] = Zend_OpenId::selfUrl(); }

Which will return the current script that is processing. If there are multiple scripts involved the discovered OpenId server by the Consumer code will be whatever the OpenId server has in its link tag in the HTML header. If the trust script is not the same as what is present in the link tag of the header (most likely not if they are different scripts) then the returned op_endpoint will not be the same and the checks on the Consumer side will fail.

I've added a property to the Zend_OpenId_Provider class called "_op_endpoint" and allowed this to be set during construction. If it isn't set it defaults to Zend_OpenId::selfUrl() and this way follows the original design. I also changed the code in the Zend_OpenId_Provider::_respond to be:

    if ($version >= 2.0) {
        $ret["openid.op_endpoint"] = $this->_op_endpoint;
    }

So this way the op_endpoint can be specified by the programmer and therefore match the discovered server (or endpoint) in a multi-script design.

Thanks,

Mike

Comments

Changing issues in preparation for the 1.7.0 release.