[BUGFIX] OpenID service uses incorrect priorities to check returned data 78/41578/2
author Dmitry Dulepov <dmitry.dulepov@gmail.com>
Thu, 16 Jul 2015 08:57:36 +0000 (11:57 +0300)
committer Markus Klein <markus.klein@typo3.org>
Fri, 17 Jul 2015 15:12:45 +0000 (17:12 +0200)
OpenID servers return several identifiers that can be used for user
authentication. According to the specification openid.claimed_id
is authoritative for authentication if it is set. openid.identity
can be used but openid.claimed_id is more authoritative.

Usually those two identifiers are the same. But some OpenID servers
(namely UNINETT AS server) provide different values for these
identifiers. In such cases the preferred value is in the
openid.claimed_id as defined by the specification. However the code
in the OpenID service fails to properly test that because of wrong
priorities during checks.

This fix changes priorities of checks.

Change-Id: I61461f3258ffbd6caad89cd3163e79bfdc70d555
Resolves: #68205
Releases: master, 6.2
Reviewed-on: http://review.typo3.org/41578
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/openid/Classes/OpenidService.php

index d96a9c5..a4e2acf 100644 (file)
@@ -491,9 +491,9 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
         * @return string
         */
        protected function getFinalOpenIDIdentifier() {
-               $result = $this->getSignedParameter('openid_identity');
+               $result = $this->getSignedParameter('openid_claimed_id');
                if (!$result) {
-                       $result = $this->getSignedParameter('openid_claimed_id');
+                       $result = $this->getSignedParameter('openid_identity');
                }
                if (!$result) {
                        $result = $this->getSignedClaimedOpenIDIdentifier();
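Review bot: the lookup order in getFinalOpenIDIdentifier() (openid_claimed_id first, then openid_identity, then getSignedClaimedOpenIDIdentifier()) carries no comment in the visible lines explaining why it matters, so a later edit could swap it back without noticing. Add a short comment above the first getSignedParameter() call stating that openid.claimed_id is authoritative per the specification and openid.identity is only a fallback. Each step is also guarded by `if (!$result)`, so any falsy value (an empty string or '0') falls through to the next source; note in the comment whether that is intended. A unit test in which the two signed parameters carry different values would pin the order, since no test accompanies the change shown here.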