开发者

how to verify google openid response

开发者 https://www.devze.com 2023-01-01 17:52 Source: web
I'm trying to add authorization through Google OpenID for my users. I'm receiving an id (https://www.google.com/accounts/o8/id?id=AIt...Ew-Bo), but how can I check that it's legit? I mean, a user can create a malicious request with the email of another user; how can I check that the returned email and claimed id are legit?


Rather than trying to implement discovery and signature verification by yourself, you really ought to use one of the many libraries that have already been created for this purpose. Here are a bunch for various programming languages:

http://openid.net/developers/libraries/


public function verify_response()
{
    // PHP rewrites '.' to '_' in incoming parameter names, so openid.signed
    // arrives as $_REQUEST['openid_signed'], openid.sig as 'openid_sig', etc.
    $params = $_REQUEST;
    $query = array(
        'openid.signed' => $params['openid_signed'],
        'openid.sig'    => $params['openid_sig'],
        'openid.mode'   => 'check_authentication'
    );
    // Every field named in openid.signed must be echoed back unchanged.
    foreach (explode(',', $params['openid_signed']) as $k) {
        $query['openid.' . $k] = $params['openid_' . str_replace('.', '_', $k)];
    }
    // check_authentication is a direct request and is sent by POST.
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($query)
    )));
    // Caveat: openid_op_endpoint comes from the same untrusted response. Compare it
    // with the endpoint obtained by discovery on the claimed id before trusting is_valid.
    $response = file_get_contents($params['openid_op_endpoint'], false, $context);
    return stripos($response, 'is_valid:true') !== false;
}


Google's OpenID (Google Apps for Domains OpenID excepted) is just standard OpenID. You should take all the precautions that any other OpenID requires to make sure the assertion is legit. You're right... anyone can craft an OpenID positive assertion to fool your RP unless your RP verifies the signature, performs discovery on the identifier and matches the authorized OP Endpoint for that identifier with the one that signed the response.

As for whether you can trust the email address, that's up to you. You can choose to trust the Google OP endpoint, and then you know.


// GetOpenIDServer(), CURL_Request() and splitResponse() are helpers of the
// surrounding OpenID class; GetOpenIDServer() returns the endpoint found by discovery.
function ValidateWithServer(){
    // PHP turns '.' into '_' in request keys, hence openid_assoc_handle etc.
    $params = array(
        'openid.assoc_handle' => urlencode($_REQUEST['openid_assoc_handle']),
        'openid.signed' => urlencode($_REQUEST['openid_signed']),
        'openid.sig' => urlencode($_REQUEST['openid_sig'])
    );
    // Send only the signed parameters to confirm validity. 'sreg.email' in the
    // signed list arrives as openid_sreg_email, so map '.' to '_' for lookup and back.
    $arr_signed = explode(",",str_replace('sreg.','sreg_',$_REQUEST['openid_signed']));
    for ($i=0; $i<count($arr_signed); $i++){
        $s = str_replace('sreg_','sreg.', $arr_signed[$i]);
        $c = $_REQUEST['openid_' . $arr_signed[$i]];
        // if ($c != ""){
            $params['openid.' . $s] = urlencode($c);
        // }
    }
    $params['openid.mode'] = "check_authentication";

    // Ask the endpoint that discovery returned, not the one named in the response.
    $openid_server = $this->GetOpenIDServer();
    if ($openid_server == false){
        return false;
    }
    $response = $this->CURL_Request($openid_server,'POST',$params);
    $data = $this->splitResponse($response);

    return isset($data['is_valid']) && $data['is_valid'] == "true";
}
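The relying-party checks that the answers above describe, written out as an added example in Python (not code from the question, the answers, or any OpenID library). Function names, the sample assertion, the nonce window and the endpoint value that discovery is assumed to return are all constructed for this example; the HTTP call is passed in as a function so the block runs offline.

```python
"""Relying-party checks for an OpenID 2.0 positive assertion (added example)."""
import datetime as dt
import urllib.parse
import urllib.request

# OpenID 2.0 section 10.1: these response fields must be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
NONCE_WINDOW_SECONDS = 300  # clock skew tolerated for response_nonce (our policy)


def parse_kv_response(body):
    """Parse the 'key:value' line format of a direct OpenID response."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def build_check_auth_body(params):
    """Echo every signed field back unchanged, plus sig and signed."""
    body = {"openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "check_authentication",
            "openid.signed": params["openid.signed"],
            "openid.sig": params["openid.sig"]}
    for field in params["openid.signed"].split(","):
        body["openid." + field] = params["openid." + field]
    return body


def http_post(url, body):
    """Real transport: POST the form body to the OP endpoint (not used offline)."""
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode()


def verify_assertion(params, expected_return_to, discovered_endpoint,
                     seen_nonces, post=http_post, now=None):
    """Return (ok, reason). discovered_endpoint is what discovery on the
    claimed id produced; it is never taken from the response itself."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = set(params.get("openid.signed", "").split(","))
    missing = REQUIRED_SIGNED - signed
    if missing:
        return False, "unsigned fields: " + ",".join(sorted(missing))
    for field in signed:
        if "openid." + field not in params:
            return False, "signed field absent: " + field
    if params["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    # A forged response can name any op_endpoint; only the discovered one may sign.
    if params["openid.op_endpoint"] != discovered_endpoint:
        return False, "op_endpoint does not match discovery"
    nonce = params["openid.response_nonce"]
    try:
        stamp = dt.datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
        stamp = stamp.replace(tzinfo=dt.timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    now = now if now is not None else dt.datetime.now(dt.timezone.utc)
    if abs((now - stamp).total_seconds()) > NONCE_WINDOW_SECONDS:
        return False, "nonce outside time window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    # Only now ask the OP whether the signature over those fields is genuine.
    reply = parse_kv_response(post(params["openid.op_endpoint"],
                                   build_check_auth_body(params)))
    if reply.get("is_valid") != "true":
        return False, "OP did not confirm signature"
    seen_nonces.add(nonce)
    return True, "ok"


# ---- constructed sample data (not a real Google response) ----
GOOGLE_ENDPOINT = "https://www.google.com/accounts/o8/ud"  # assumed discovery result
RETURN_TO = "https://rp.example/openid/return"
FIXED_NOW = dt.datetime(2023, 1, 1, 17, 52, 30, tzinfo=dt.timezone.utc)
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": GOOGLE_ENDPOINT,
    "openid.claimed_id": "https://www.google.com/accounts/o8/id?id=EXAMPLE-ID",
    "openid.identity": "https://www.google.com/accounts/o8/id?id=EXAMPLE-ID",
    "openid.return_to": RETURN_TO,
    "openid.response_nonce": "2023-01-01T17:52:00Zabc123",
    "openid.assoc_handle": "example-handle",
    "openid.ext1.value.email": "alice@example.com",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ext1.value.email",
    "openid.sig": "c2lnbmF0dXJlLWJ5dGVz",
}


def fake_post_valid(url, body):
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"


def fake_post_invalid(url, body):
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:false\n"


if __name__ == "__main__":
    print(verify_assertion(SAMPLE, RETURN_TO, GOOGLE_ENDPOINT, set(),
                           fake_post_valid, FIXED_NOW))
```

The order matters: the cheap local checks (signed-field coverage, return_to, discovered endpoint, nonce freshness and replay) run before the round trip to the OP, and the email is only believed because it sits in the signed list of a response that the discovered Google endpoint confirmed. Swapping `fake_post_valid` for `http_post` gives the live version.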
