function openid_verify_assertion_return_url
openid_verify_assertion_return_url($service, $response)
Verify that openid.return_to matches the current URL.
See OpenID Authentication 2.0, section 11.1. While OpenID Authentication 1.1, section 4.3 does not mandate return_to verification, the received return_to should still match these constraints.
Parameters
$service: Array describing the OpenID provider.
$response: Array of response values from the provider.
Return value
TRUE if return_to is valid, FALSE otherwise.
File
- modules/openid/openid.module, line 1008
- Implement OpenID Relying Party support for Drupal
Code
```php
function openid_verify_assertion_return_url($service, $response) {
  global $base_url;

  $return_to_parts = parse_url($response['openid.return_to']);

  $base_url_parts = parse_url($base_url);
  $current_parts = parse_url($base_url_parts['scheme'] . '://' . $base_url_parts['host'] . request_uri());

  if ($return_to_parts['scheme'] != $current_parts['scheme'] || $return_to_parts['host'] != $current_parts['host'] || $return_to_parts['path'] != $current_parts['path']) {
    return FALSE;
  }
  // Verify that all query parameters in the openid.return_to URL have
  // the same value in the current URL. In addition, the current URL
  // contains a number of other parameters added by the OpenID Provider.
  parse_str(isset($return_to_parts['query']) ? $return_to_parts['query'] : '', $return_to_query_parameters);
  foreach ($return_to_query_parameters as $name => $value) {
    if (!isset($_GET[$name]) || $_GET[$name] != $value) {
      return FALSE;
    }
  }
  return TRUE;
}
```
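The check described above, as an added example that is not Drupal's own code: a stand-alone variant that takes the current URL as an argument instead of reading `$base_url`, `request_uri()` and `$_GET`, rejects unparsable URLs, uses strict comparison, and runs over constructed URLs. The function name `example_return_to_matches` and the `example.org` URLs are assumptions of this example.

```php
<?php
// Added example: stand-alone variant of the return_to check. The function
// name and the explicit $current_url argument are assumptions of this example.
function example_return_to_matches(string $return_to, string $current_url): bool {
  $rt = parse_url($return_to);
  $cur = parse_url($current_url);
  // parse_url() returns FALSE for seriously malformed URLs; reject those.
  if ($rt === FALSE || $cur === FALSE) {
    return FALSE;
  }
  // Scheme, host and path must all be present and identical.
  foreach (array('scheme', 'host', 'path') as $part) {
    if (!isset($rt[$part], $cur[$part]) || $rt[$part] !== $cur[$part]) {
      return FALSE;
    }
  }
  // Every return_to query parameter must appear unchanged in the current
  // URL; extra parameters appended by the provider (openid.*) are allowed.
  parse_str(isset($rt['query']) ? $rt['query'] : '', $rt_query);
  parse_str(isset($cur['query']) ? $cur['query'] : '', $cur_query);
  foreach ($rt_query as $name => $value) {
    if (!array_key_exists($name, $cur_query) || $cur_query[$name] !== $value) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample data (example.org is a placeholder relying party).
$return_to = 'https://example.org/openid/authenticate?destination=user';
$cases = array(
  'provider added openid.* parameters' =>
    'https://example.org/openid/authenticate?destination=user&openid.mode=id_res',
  'destination value changed' =>
    'https://example.org/openid/authenticate?destination=admin&openid.mode=id_res',
  'destination missing' =>
    'https://example.org/openid/authenticate?openid.mode=id_res',
  'different host' =>
    'https://other.example/openid/authenticate?destination=user',
  'different path' =>
    'https://example.org/user/login?destination=user',
  'scheme downgraded' =>
    'http://example.org/openid/authenticate?destination=user',
);
foreach ($cases as $label => $current_url) {
  $ok = example_return_to_matches($return_to, $current_url);
  printf("%-36s %s\n", $label, $ok ? 'accept' : 'reject');
}
```

Only the first constructed case is accepted; each of the others differs from `return_to` in a part that the check requires to match.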
© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.
https://api.drupal.org/api/drupal/modules!openid!openid.module/function/openid_verify_assertion_return_url/7.x