function openid_verify_assertion_return_url
Verify that openid.return_to matches the current URL.
See OpenID Authentication 2.0, section 11.1. While OpenID Authentication 1.1, section 4.3 does not mandate return_to verification, the received return_to should still match these constraints.
Parameters
$service: Array describing the OpenID provider.
$response: Array of response values from the provider.
Return value
TRUE if return_to is valid, FALSE otherwise.
1 call to openid_verify_assertion_return_url()
- openid_verify_assertion in modules/openid/openid.module - Attempt to verify the response received from the OpenID Provider.
File
- modules/openid/openid.module, line 1008
Code
function openid_verify_assertion_return_url($service, $response) {
  global $base_url;
  $return_to_parts = parse_url($response['openid.return_to']);
  $base_url_parts = parse_url($base_url);
  $current_parts = parse_url($base_url_parts['scheme'] . '://' . $base_url_parts['host'] . request_uri());
  if ($return_to_parts['scheme'] != $current_parts['scheme'] || $return_to_parts['host'] != $current_parts['host'] || $return_to_parts['path'] != $current_parts['path']) {
    return FALSE;
  }
  // Verify that all query parameters in the openid.return_to URL have
  // the same value in the current URL. In addition, the current URL
  // contains a number of other parameters added by the OpenID Provider.
  parse_str(isset($return_to_parts['query']) ? $return_to_parts['query'] : '', $return_to_query_parameters);
  foreach ($return_to_query_parameters as $name => $value) {
    if (!isset($_GET[$name]) || $_GET[$name] != $value) {
      return FALSE;
    }
  }
  return TRUE;
}
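Example
The same checks as a stand-alone sketch, run against sample return_to values. This is an added example, not Drupal's code: the hypothetical verify_return_to() takes the current URL and query parameters as arguments instead of reading $base_url, request_uri() and $_GET, treats a missing URL component as a mismatch, and compares strictly. All URLs and parameter values are constructed.

```php
<?php
// Added example, not Drupal code. verify_return_to() and the URLs below are
// hypothetical; the current URL and its parameters are passed in as arguments.
function verify_return_to(string $return_to, string $current_url, array $get): bool {
  $r = parse_url($return_to);
  $c = parse_url($current_url);
  if (!is_array($r) || !is_array($c)) {
    return FALSE; // Unparseable URL: treat as a mismatch.
  }
  // Scheme, host and path must be present on both sides and identical.
  foreach (['scheme', 'host', 'path'] as $part) {
    if (!isset($r[$part], $c[$part]) || $r[$part] !== $c[$part]) {
      return FALSE;
    }
  }
  // Every query parameter in return_to must be in the current request with
  // the same value. Parameters added by the provider (openid.*) are ignored.
  parse_str($r['query'] ?? '', $expected);
  foreach ($expected as $name => $value) {
    // Strict comparison: "1e3" == "1000" is TRUE in PHP, "1e3" === "1000" is not.
    if (!array_key_exists($name, $get) || $get[$name] !== $value) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample request, standing in for request_uri() and $_GET.
$current = 'https://rp.example/openid/authenticate?destination=user&nonce=1000&openid.mode=id_res';
parse_str(parse_url($current, PHP_URL_QUERY), $get);

$base = 'https://rp.example/openid/authenticate?destination=user';
$cases = [
  'same URL and parameters' => $base . '&nonce=1000',
  'different host' => str_replace('rp.example', 'other.example', $base),
  'different path' => 'https://rp.example/user/login?destination=user',
  'changed parameter' => $base . '&nonce=1e3',
  'parameter not in request' => $base . '&token=abc',
  'no path component' => 'https://rp.example',
];
foreach ($cases as $label => $return_to) {
  $ok = verify_return_to($return_to, $current, $get);
  printf("%-26s %s\n", $label, $ok ? 'valid' : 'rejected');
}
```

Only the first case is reported as valid; each of the others fails one of the scheme/host/path or query-parameter checks.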