php - How does the validate() function stop fake authentication requests?
I have been debugging a piece of PHP login code that was not validating the request properly. It had somehow skipped using the ->validate() function, and one of the website testers managed to log in to the admin account by taking the response from Google (below) and changing the email to the admin's email.
http://mydomain/login/?openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0&openid.mode=id_res&openid.op_endpoint=https%3a%2f%2fwww.google.com%2faccounts%2fo8%2fud&openid.response_nonce=2013-02-15t03%3a56%3a27zy153c0jfi0g5wa&openid.return_to=http%3a%2f%2flocalhost%2flogin%2f&openid.assoc_handle=amlya9ui33ww3xfuqgjitxsgb0a0x8nsqd91iuwk9mdvwybm4eebk08g&openid.signed=op_endpoint%2cclaimed_id%2cidentity%2creturn_to%2cresponse_nonce%2cassoc_handle%2cns.ext1%2cext1.mode%2cext1.type.nameperson_first%2cext1.value.nameperson_first%2cext1.type.nameperson_last%2cext1.value.nameperson_last%2cext1.type.contact_email%2cext1.value.contact_email&openid.sig=laamatkmfjoprkpsmaieg%3d&openid.identity=https3a%2f%2fwww.google.com%2faccounts%2fo8%2fid%3fid%3daawnug6mr7_yno1mn-fthr9wboo&openid.claimed_id=https%3a%2f%2fwww.google.com%2faccounts%2fo8%2fid%3fid%oawnug6mr7_ymub1mn-ftfhr9wboo&openid.ns.ext1=http%3a%2f%2fopenid.net%2fsrv%2fax%2f1.0&openid.ext1.mode=fetch_response&openid.ext1.type.nameperson_first=http%3a%2f%2faxschema.org%2fnameperson%2ffirst&openid.ext1.value.nameperson_first=t&openid.ext1.type.nameperson_last=http%3a%2f%2faxschema.org%2fnameperson%2flast&openid.ext1.value.nameperson_last=m&openid.ext1.type.contact_email=http%3a%2f%2faxschema.org%2fcontact%2femail&openid.ext1.value.contact_email=**myemail%email.com**
This got me interested in how OpenID validates, using the validate() function, where the request came from, that it gets sent to the right source, and how it catches requests not sent straight from the OpenID server. Are the sig or identity variables being used in some sort of public/private key system?

If anyone can help me understand, that would be cool.

Thanks a lot.
A positive assertion that's returned by the provider contains a field called openid.signed, which is used on the consumer side to verify the signature held in openid.sig. The process of generating and verifying the signature is outlined here.

From the assertion you've shown, these are the signed fields:

op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1, ext1.mode,ext1.type.nameperson_first,ext1.value.nameperson_first, ext1.type.nameperson_last,ext1.value.nameperson_last,ext1.type.contact_email, ext1.value.contact_email

You can see that ext1.value.contact_email is one of the signed fields and hence part of the signature, so if the signature matches you can be sure the value has not been tampered with.

The assoc_handle refers to the shared secret that's established between the consumer and the provider during the associate method. The shared secret is used to generate a keyed hash of the signed field values, forming the signature to compare against.

If the shared secret cannot be found, the check_authentication method must be used, as outlined here and used here.
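The keyed-hash check the answer describes, as an added example that is not part of the original question, the answer, or LightOpenID's own code: the consumer rebuilds the OpenID 2.0 key-value form of the fields named in openid.signed, computes an HMAC over it with the secret stored under openid.assoc_handle, and compares the result with openid.sig. The assertion values, the association handle and its secret are all constructed for the example; the two login functions are hypothetical stand-ins for a consumer that calls validate() and one that skips it, which is the bug in the question.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed association table: the MAC key negotiated with the provider in
# the "associate" step, stored by the consumer under its assoc_handle.
ASSOC_SECRETS = {
    "constructed-handle-1": b"0123456789abcdef0123",  # 20-byte HMAC-SHA1 key
}


def params_from_url(url):
    """Flatten the query string of a return_to URL into a dict of openid.* fields."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def signed_kv_form(params, signed):
    """Key-Value form encoding of the signed fields: one 'key:value\\n' line per
    field, 'openid.' prefix stripped, in the order given by openid.signed."""
    lines = []
    for key in signed:
        value = params.get("openid." + key)
        if value is None:
            raise ValueError("signed field openid.%s is missing" % key)
        lines.append("%s:%s\n" % (key, value))
    return "".join(lines).encode("utf-8")


def sign_response(params, secret):
    """What the provider does: HMAC-SHA1 over the KV form, base64-encoded."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(secret, signed_kv_form(params, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def validate(params):
    """Consumer-side check: True only if openid.sig is the HMAC of the signed
    fields under the shared secret for openid.assoc_handle."""
    secret = ASSOC_SECRETS.get(params.get("openid.assoc_handle", ""))
    if secret is None:
        # No stored association: the consumer would have to fall back to
        # check_authentication with the provider instead of trusting the sig.
        return False
    expected = sign_response(params, secret)
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def login_with_validation(params):
    """Hardened consumer: only a validated positive assertion yields an email."""
    if params.get("openid.mode") != "id_res" or not validate(params):
        return None
    return params.get("openid.ext1.value.contact_email")


def login_without_validation(params):
    """The bug from the question: the email is trusted without checking the sig."""
    if params.get("openid.mode") != "id_res":
        return None
    return params.get("openid.ext1.value.contact_email")


def constructed_assertion():
    """A positive assertion as the provider would sign it (constructed values)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.response_nonce": "2013-02-15T03:56:27Zconstructed",
        "openid.return_to": "http://localhost/login/",
        "openid.assoc_handle": "constructed-handle-1",
        "openid.claimed_id": "https://op.example/id?id=constructed",
        "openid.identity": "https://op.example/id?id=constructed",
        "openid.ns.ext1": "http://openid.net/srv/ax/1.0",
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.contact_email": "http://axschema.org/contact/email",
        "openid.ext1.value.contact_email": "user@example.com",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                         "assoc_handle,ns.ext1,ext1.mode,ext1.type.contact_email,"
                         "ext1.value.contact_email",
    }
    params["openid.sig"] = sign_response(params, ASSOC_SECRETS["constructed-handle-1"])
    return params


def tampered_assertion():
    """The same assertion with the signed email field edited after signing."""
    params = dict(constructed_assertion())
    params["openid.ext1.value.contact_email"] = "admin@example.com"
    return params


if __name__ == "__main__":
    print("genuine :", login_with_validation(constructed_assertion()))
    print("tampered, validated   :", login_with_validation(tampered_assertion()))
    print("tampered, unvalidated :", login_without_validation(tampered_assertion()))
```

Because ext1.value.contact_email is inside openid.signed, editing it changes the KV form and so the HMAC no longer matches; the consumer that skips validate() never notices, which is exactly what the tester exploited. Real deployments also need the nonce and return_to checks that the full verification procedure requires; this block only covers the signature part.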
Tags: php, authentication, openid, lightopenid