Question
I'm trying to add authorization through Google OpenID to my users. I'm receiving an id (https://www.google.com/accounts/o8/id?id=AIt...Ew-Bo), but how can I check that it's legit? I mean a user can create a malicious request with the email of another user, so how can I check that the returned email and claimed id are legit?
Answer 1:
Rather than trying to implement discovery and signature verification by yourself, you really ought to use one of the many libraries that have already been created for this purpose. Here are a bunch for various programming languages:
http://openid.net/developers/libraries/
Answer 2:
public function verify_response()
{
    // PHP rewrites '.' to '_' in $_REQUEST keys, so openid.signed arrives as openid_signed.
    $params = $_REQUEST;
    if (!isset($params['openid_signed'], $params['openid_sig'], $params['openid_op_endpoint'])) {
        return false;
    }
    $query = array(
        'openid.signed' => $params['openid_signed'],
        'openid.sig'    => $params['openid_sig'],
        'openid.mode'   => 'check_authentication',
    );
    // Copy every field listed in openid.signed (e.g. "op_endpoint,return_to,...") into the request.
    foreach (explode(',', $params['openid_signed']) as $field) {
        $key = 'openid_' . str_replace('.', '_', $field);
        if (isset($params[$key])) {
            $query['openid.' . $field] = $params[$key];
        }
    }
    // check_authentication is a direct request, so it is POSTed. The endpoint it goes to must be
    // the one found by discovery; this assumes openid_op_endpoint was already checked against it.
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($query),
    )));
    $response = file_get_contents($params['openid_op_endpoint'], false, $context);
    return $response !== false && stripos($response, 'is_valid:true') !== false;
}
Answer 3:
Google's OpenID (Google Apps for Domains OpenID excepted) is just standard OpenID. You should take all the precautions that any other OpenID requires to make sure the assertion is legit. You're right... anyone can craft an OpenID positive assertion to fool your RP unless your RP verifies the signature, performs discovery on the identifier and matches the authorized OP Endpoint for that identifier with the one that signed the response.
As for whether you can trust the email address, that's up to you. You can choose to trust the Google OP endpoint, and then you know.
Answer 4:
function ValidateWithServer()
{
    $params = array(
        'openid.assoc_handle' => urlencode($_REQUEST['openid_assoc_handle']),
        'openid.signed'       => urlencode($_REQUEST['openid_signed']),
        'openid.sig'          => urlencode($_REQUEST['openid_sig'])
    );
    // Send only required parameters to confirm validity: every field named in
    // openid.signed. PHP turns '.' into '_' in $_REQUEST keys, so "sreg.email"
    // (or "ext1.value.email") is read back as openid_sreg_email.
    $arr_signed = explode(",", $_REQUEST['openid_signed']);
    for ($i = 0; $i < count($arr_signed); $i++) {
        $s = $arr_signed[$i];
        $key = 'openid_' . str_replace('.', '_', $s);
        $c = isset($_REQUEST[$key]) ? $_REQUEST[$key] : "";
        // if ($c != ""){
        $params['openid.' . $s] = urlencode($c);
        // }
    }
    $params['openid.mode'] = "check_authentication";
    // GetOpenIDServer() is expected to return the OP endpoint found by discovery
    // (the helper methods used here belong to a class not shown in the answer).
    $openid_server = $this->GetOpenIDServer();
    if ($openid_server == false) {
        return false;
    }
    $response = $this->CURL_Request($openid_server, 'POST', $params);
    $data = $this->splitResponse($response);
    if (isset($data['is_valid']) && $data['is_valid'] == "true") {
        return true;
    } else {
        return false;
    }
}
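The checks that Answer 3 lists (signature over the signed fields, op_endpoint matched against discovery) together with the nonce and return_to checks the OpenID 2.0 spec requires, as an added Python example that is not from the question, the answers or any OpenID library. It verifies the assertion locally with the mac_key of an association the RP already holds (stateful mode) and also builds the check_authentication body that the PHP answers POST to the OP (stateless mode). The endpoint URL, mac_key, assoc_handle, nonce and email are constructed placeholders; discovery itself and the HTTP calls are outside the block.

```python
import base64
import calendar
import hashlib
import hmac
import time

# Fields a positive assertion must list in openid.signed; claimed_id and identity
# must also be signed whenever they are present.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
ASSOC_HASH = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def signature_base(params, signed_fields):
    """Key-Value form of the signed fields, in openid.signed order, 'openid.' stripped."""
    return "".join("%s:%s\n" % (f, params["openid." + f]) for f in signed_fields)

def compute_signature(params, mac_key, assoc_type):
    """Base64 HMAC over the signature base, exactly as the OP computes openid.sig."""
    fields = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, signature_base(params, fields).encode("utf-8"),
                      ASSOC_HASH[assoc_type]).digest()
    return base64.b64encode(digest).decode("ascii")

def nonce_timestamp(nonce):
    """Epoch seconds from the leading 'YYYY-MM-DDThh:mm:ssZ' of a response_nonce."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))

def verify_assertion(params, *, mac_key, assoc_type, expected_op_endpoint,
                     expected_return_to, seen_nonces, now=None, max_skew=300):
    """(True, 'ok') for a legitimate assertion, otherwise (False, reason).
    expected_op_endpoint comes from discovery on the claimed identifier, never from
    the assertion; mac_key/assoc_type come from the association made with that OP."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return False, "required field not signed"
    for f in ("claimed_id", "identity"):
        if "openid." + f in params and f not in signed:
            return False, f + " present but unsigned"
    if params.get("openid.op_endpoint") != expected_op_endpoint:
        return False, "op_endpoint does not match discovered endpoint"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    nonce = params.get("openid.response_nonce", "")
    try:
        issued = nonce_timestamp(nonce)
    except ValueError:
        return False, "malformed nonce"
    if abs((time.time() if now is None else now) - issued) > max_skew:
        return False, "nonce outside acceptable window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    expected_sig = compute_signature(params, mac_key, assoc_type).encode("ascii")
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "").encode("utf-8")):
        return False, "bad signature"
    seen_nonces.add(nonce)  # record the nonce only once every other check passed
    return True, "ok"

def check_authentication_request(params):
    """Body of the stateless check_authentication request: POST it to the endpoint
    found by discovery and look for 'is_valid:true' in the key-value reply."""
    body = {"openid." + f: params["openid." + f] for f in params["openid.signed"].split(",")}
    body.update({"openid.sig": params["openid.sig"], "openid.signed": params["openid.signed"],
                 "openid.mode": "check_authentication"})
    return body

# Constructed sample data: placeholder endpoint, key, handle and nonce, not real values.
SAMPLE_MAC_KEY = b"\x01" * 32
SAMPLE_OP = "https://op.example.test/openid"
SAMPLE_RETURN_TO = "https://rp.example.test/openid/return"
SAMPLE_NOW = nonce_timestamp("2010-06-02T10:00:00Z") + 30

def sample_assertion():
    """A positive assertion as the RP would receive it, signed with SAMPLE_MAC_KEY."""
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": SAMPLE_OP,
        "openid.claimed_id": "https://op.example.test/id?id=constructed-user",
        "openid.identity": "https://op.example.test/id?id=constructed-user",
        "openid.return_to": SAMPLE_RETURN_TO,
        "openid.response_nonce": "2010-06-02T10:00:00Zabc123",
        "openid.assoc_handle": "constructed-handle",
        "openid.ext1.value.email": "user@example.test",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                         "assoc_handle,ext1.value.email",
    }
    p["openid.sig"] = compute_signature(p, SAMPLE_MAC_KEY, "HMAC-SHA256")
    return p

def verify_sample(params, seen_nonces=None):
    """verify_assertion against the sample association, endpoint and clock."""
    return verify_assertion(params, mac_key=SAMPLE_MAC_KEY, assoc_type="HMAC-SHA256",
                            expected_op_endpoint=SAMPLE_OP, expected_return_to=SAMPLE_RETURN_TO,
                            seen_nonces=set() if seen_nonces is None else seen_nonces,
                            now=SAMPLE_NOW)

if __name__ == "__main__":
    good = sample_assertion()
    print(verify_sample(good))  # (True, 'ok')
    tampered = dict(good, **{"openid.ext1.value.email": "someone-else@example.test"})
    print(verify_sample(tampered))  # (False, 'bad signature')
```

Because the email extension field is part of openid.signed, changing it invalidates the signature, which is exactly the case the question worries about; the same holds for claimed_id and identity, which the verifier refuses to accept unsigned. The op_endpoint comparison is what stops a forged assertion from naming a server of the attacker's choosing for check_authentication, so the stateless path must POST the body to the discovered endpoint rather than to whatever the assertion says.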
Source: https://stackoverflow.com/questions/2957358/how-to-verify-google-openid-response