[BUGFIX] OpenID service uses incorrect priorities to check returned data 06/41406/2
author Dmitry Dulepov <dmitry.dulepov@gmail.com>
Thu, 16 Jul 2015 08:57:36 +0000 (11:57 +0300)
committer Markus Klein <markus.klein@typo3.org>
Fri, 17 Jul 2015 15:09:53 +0000 (17:09 +0200)
OpenID servers return several identifiers that can be used for user
authentication. According to the specification openid.claimed_id
is authoritative for authentication if it is set. openid.identity
can be used but openid.claimed_id is more authoritative.

Usually those two identifiers are the same. But some OpenID servers
(namely UNINETT AS server) provide different values for these
identifiers. In such cases the preferred value is in the
openid.claimed_id as defined by the specification. However the code
in the OpenID service fails to properly test that because of wrong
priorities during checks.

This fix changes priorities of checks.

Change-Id: I61461f3258ffbd6caad89cd3163e79bfdc70d555
Resolves: #68205
Releases: master, 6.2
Reviewed-on: http://review.typo3.org/41406
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

index 73c4b96..64c6c72 100644 (file)
@@ -502,9 +502,9 @@ class OpenidService extends AbstractService {
         * @return string
        protected function getFinalOpenIDIdentifier() {
-               $result = $this->getSignedParameter('openid_identity');
+               $result = $this->getSignedParameter('openid_claimed_id');
                if (!$result) {
-                       $result = $this->getSignedParameter('openid_claimed_id');
+                       $result = $this->getSignedParameter('openid_identity');
                if (!$result) {
                        $result = $this->getSignedClaimedOpenIDIdentifier();
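
Review bot: The lookup order in getFinalOpenIDIdentifier() is the whole fix, but the visible part of the docblock only carries `@return string`, so nothing records why openid_claimed_id must be read first. Please state the precedence there (signed openid_claimed_id, then signed openid_identity, then getSignedClaimedOpenIDIdentifier()) with a pointer to the specification, so the two getSignedParameter() calls are not swapped back in a later cleanup. A unit test using a response in which openid_claimed_id and openid_identity differ would pin the behaviour for both master and 6.2. Separately, `if (!$result)` treats any falsy return as "not set"; a comment confirming that getSignedParameter() only returns a non-empty string or a falsy value would make it clear that the fallback to openid_identity cannot be reached with a present claimed identifier.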