function openid_verify_assertion_return_url

openid_verify_assertion_return_url($service, $response)

Verify that openid.return_to matches the current URL.

See OpenID Authentication 2.0, section 11.1. While OpenID Authentication 1.1, section 4.3 does not mandate return_to verification, the received return_to should still match these constraints.

Parameters

$service: Array describing the OpenID provider.

$response: Array of response values from the provider.

Return value

TRUE if return_to is valid, FALSE otherwise.

File

modules/openid/openid.module, line 1008
Implement OpenID Relying Party support for Drupal

Code

function openid_verify_assertion_return_url($service, $response) {
  global $base_url;

  $return_to_parts = parse_url($response['openid.return_to']);

  $base_url_parts = parse_url($base_url);
  $current_parts = parse_url($base_url_parts['scheme'] . '://' . $base_url_parts['host'] . request_uri());

  if ($return_to_parts['scheme'] != $current_parts['scheme'] || $return_to_parts['host'] != $current_parts['host'] || $return_to_parts['path'] != $current_parts['path']) {
    return FALSE;
  }
  // Verify that all query parameters in the openid.return_to URL have
  // the same value in the current URL. In addition, the current URL
  // contains a number of other parameters added by the OpenID Provider.
  parse_str(isset($return_to_parts['query']) ? $return_to_parts['query'] : '', $return_to_query_parameters);
  foreach ($return_to_query_parameters as $name => $value) {
    if (!isset($_GET[$name]) || $_GET[$name] != $value) {
      return FALSE;
    }
  }
  return TRUE;
}
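An added example, not part of Drupal's code: a stand-alone version of the section 11.1 check above that takes the current URL and query parameters as arguments, handles missing URL components, and compares with strict operators. The function name, the rp.example host and the sample requests are constructed for illustration; PHP 7 or later is assumed.

```php
<?php
// Added example (not Drupal's code); assumes PHP 7+. The function name is
// hypothetical. The current URL and its query parameters are passed in
// instead of being read from $base_url, request_uri() and $_GET.
function example_return_to_matches(array $response, $current_url, array $current_query) {
  if (!isset($response['openid.return_to']) || !is_string($response['openid.return_to'])) {
    return FALSE;
  }
  $return_to = parse_url($response['openid.return_to']);
  $current = parse_url($current_url);
  if (!is_array($return_to) || !is_array($current)) {
    return FALSE;  // parse_url() returns FALSE on seriously malformed URLs.
  }
  // Scheme and host are case-insensitive and must be present on both sides.
  foreach (array('scheme', 'host') as $part) {
    if (!isset($return_to[$part], $current[$part])
      || strtolower($return_to[$part]) !== strtolower($current[$part])) {
      return FALSE;
    }
  }
  // parse_url() omits 'path' when the URL has none, so default it.
  if (($return_to['path'] ?? '') !== ($current['path'] ?? '')) {
    return FALSE;
  }
  // Every return_to parameter must be present with an identical value.
  // Strict comparison: '1e3' == '1000' is true in PHP, '1e3' === '1000' is not.
  parse_str($return_to['query'] ?? '', $expected);
  foreach ($expected as $name => $value) {
    if (!array_key_exists($name, $current_query) || $current_query[$name] !== $value) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample data; rp.example is a placeholder host.
$response = array('openid.return_to' => 'https://rp.example/openid/authenticate?destination=user&token=1000');
$requests = array(
  'provider parameters appended' => 'https://rp.example/openid/authenticate?destination=user&token=1000&openid.mode=id_res',
  'numeric-looking token differs' => 'https://rp.example/openid/authenticate?destination=user&token=1e3&openid.mode=id_res',
  'different path' => 'https://rp.example/other?destination=user&token=1000',
  'parameter missing' => 'https://rp.example/openid/authenticate?destination=user',
);
foreach ($requests as $label => $url) {
  parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
  printf("%-30s %s\n", $label, example_return_to_matches($response, $url, $query) ? 'accepted' : 'rejected');
}
```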

© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.
https://api.drupal.org/api/drupal/modules!openid!openid.module/function/openid_verify_assertion_return_url/7.x