ZF-3687: The OpenId provider class does not properly handle multiple scripts w/OpenId v2.0 and op_endpoint

Issue Type: Bug Created: 2008-07-19T10:45:47.000+0000 Last Updated: 2008-11-13T14:10:02.000+0000 Status: Resolved Fix version(s): - 1.7.0 (17/Nov/08)

Reporter: Mike Coakley (mcoakley) Assignee: Dmitry Stogov (dmitry) Tags: - Zend_OpenId

Related issues: Attachments:


If you have three different (or multiple) scripts that will handle the OpenId authentication process (an handler script - for dispatching the OpenId mode/action, a login script and a trust script) the op_endpoint OpenId parameter will be incorrectly set in the OpenId response to the Consumer causing the OpenId authentication to fail on the Consumer side. This happens in the Zend_OpenId_Provider::_respond method. The current code does this to set the op_endpoint parameter:

if ($version >= 2.0) { $ret["openid.op_endpoint"] = Zend_OpenId::selfUrl(); }

Which will return the current script that is processing. If there are multiple scripts involved the discovered OpenId server by the Consumer code will be whatever the OpenId server has in its link tag in the HTML header. If the trust script is not the same as what is present in the link tag of the header (most likely not if they are different scripts) then the returned op_endpoint will not be the same and the checks on the Consumer side will fail.

I've added a property to the Zend_OpenId_Provider class called "_op_endpoint" and allowed this to be set during construction. If it isn't set it defaults to Zend_OpenId::selfUrl() and this way follows the original design. I also changed the code in the Zend_OpenId_Provider::_respond to be:

    if ($version >= 2.0) {
        $ret["openid.op_endpoint"] = $this->_op_endpoint;

So this way the op_endpoint can be specified by the programmer and therefore match the discovered server (or endpoint) in a multi-script design.




Posted by Wil Sinclair (wil) on 2008-11-13T14:10:02.000+0000

Changing issues in preparation for the 1.7.0 release.

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.