
OpenID check_authentication not working

Stack Overflow user
Asked 2009-11-16 04:58:02
3 answers, 1.9K views, 0 followers, 1 vote

I am trying to get a check_authentication response working, but so far all consumers reject it and say that my server denied check_authentication.

This is the GET and POST data that my server file receives:

$_GET:
Array
(
    [mode] => profile
    [username] => hachque
    [domain] => roket-enterprises.com
)
$_POST:
Array
(
    [openid_assoc_handle] => {HMAC-SHA1}{4b00d7b2}{vo1FEQ==}
    [openid_identity] => http://www.roket-enterprises.com/openaccount/openid:hachque
    [openid_mode] => check_authentication
    [openid_response_nonce] => 2009-11-16T04:40:18Zrrz8R4
    [openid_return_to] => http://openiddirectory.com:80/openidauth/id/c/finish_auth.php?nonce=adCevd6T
    [openid_sig] => SgFE5iT9IGd5EftkrZ72mgCHiLk=
    [openid_signed] => assoc_handle,identity,mode,response_nonce,return_to,signed,sreg.email,sreg.fullname,sreg.nickname
    [openid_sreg_email] => jrhodes@roket-enterprises.com
    [openid_sreg_fullname] => James Rhodes
    [openid_sreg_nickname] => jrhodes
)

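This is the header response that I am outputting (it contains POST data, as it was explained to me on IRC that the key-values should not be sent as headers to the consumer server. EDIT: Come to think of it, responding with POST data doesn't make much sense. Maybe someone here can clearly explain the whole process of check_authentication).
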
  Content-Type: text/plain;
  Content-Length: 675;
  openid.mode=id_res&openid.assoc_handle=%7BHMAC-SHA1%7D%7B4b00d7b2%7D%7Bvo1FEQ%3D%3D%7D&openid.identity=http%3A%2F%2Fwww.roket-enterprises.com%2Fopenaccount%2Fopenid%3Ahachque&openid.response_nonce=2009-11-16T04%3A40%3A18Zrrz8R4&openid.return_to=http%3A%2F%2Fopeniddirectory.com%3A80%2Fopenidauth%2Fid%2Fc%2Ffinish_auth.php%3Fnonce%3DadCevd6T&openid.signed=assoc_handle%2Cidentity%2Cmode%2Cresponse_nonce%2Creturn_to%2Csigned%2Csreg.email%2Csreg.fullname%2Csreg.nickname&openid.sreg_email=jrhodes%40roket-enterprises.com&openid.sreg_fullname=James+Rhodes&openid.sreg_nickname=jrhodes&openid.sig=MGVhMmQ1Mzg4ZWFlMWY1OWVlYjlmZmY0Njc3OTc5YWIzMjM3NGFjMQ%3D%3D&openid.is_valid=true;

This is the PHP code that my file uses to handle check_authentication (keep in mind that PHP turns all . characters into _ for $_GET and $_POST variables, since they are not valid characters in PHP array keys):

        // Retrieve the OpenID information from the $_REQUEST data
        // I'm not sure whether it's possible that this data might
        // come in on the $_GET parameter instead of $_POST, so that's
        // what it uses $_REQUEST.

        $assoc_handle = $_REQUEST['openid_assoc_handle'];
        $sig = $_REQUEST['openid_sig'];
        $signed = $_REQUEST['openid_signed'];

        // The method for returning data is via the headers outputted
        // by the webserver.  Create an array that stores the headers
        // to be returned.

        $keys = array(
            'openid.mode' => 'id_res',
            'openid.assoc_handle' => $_REQUEST['openid_assoc_handle'],
            'openid.identity' => $_REQUEST['openid_identity'],
            'openid.response_nonce' => $_REQUEST['openid_response_nonce'],
            'openid.return_to' => $_REQUEST['openid_return_to'],
            'openid.signed' => $_REQUEST['openid_signed'],
            'openid.sreg_email' => $_REQUEST['openid_sreg_email'],
            'openid.sreg_fullname' => $_REQUEST['openid_sreg_fullname'],
            'openid.sreg_nickname' => $_REQUEST['openid_sreg_nickname']
            //'openid_mode' => 'id_res'
        );

        // The server may request that we invalidate the user's session
        // via $_REQUEST['openid_invalidate_handle'].  In this case we
        // will clear the session data (you may need to change this
        // depending on how you implement the session).  After doing so
        // we continue and tell the server we did via a variable

        if (strlen($_REQUEST['openid_invalidate_handle']) > 0)
        {
            // Reset the session
            session_unset();
            session_name('openid_server');
            session_start();

            // Set the header we need to return
            $keys['openid.invalidate_handle'] = $_REQUEST['openid_invalidate_handle'];
        }

        // We need to validate the signature now.  This constructs a token_contents
        // for signing the data.  The signing key is returned as openid.sig
        // and is generated with base64(HMAC(secret(assoc_handle), token_contents)

        $token_contents = '';
        foreach (explode(',', $signed) as $param) {
            $post = preg_replace('/\./', '_', $param);
            $token_contents .= sprintf("%s:%s\n", $param, $_REQUEST['openid_' . $post]);
        }

        // Generate our openid.sig and add it to the list of keys to
        // return.

        $keys['openid.sig'] = base64_encode(hash_hmac('sha1',$token_contents,$assoc_handle));

        // Add the data that we are sharing (via SReg) to the headers.
        // For now this is fixed data (see action_authorization.php).
        //$keys["sreg.fullname"] = 'James Rhodes';
        //$keys["sreg.nickname"] = 'jrhodes';
        //$keys["sreg.email"] = 'jrhodes@roket-enterprises.com';

        // Just accept the request for now..
        // phpMyID does some kind of secret-shared-key thing
        // here to determine whether it is valid.  I'm not
        // quite sure how that process works yet, so we are just
        // going to say go ahead.
        $keys["openid.is_valid"] = "true";

        // We need to format the $keys array into POST format
        $keys_post = "";
        $keys_post_first = true;
        foreach ($keys as $name => $value)
        {
            if ($keys_post_first)
                $keys_post_first = false;
            else
                $keys_post .= "&";
            $keys_post .= urlencode($name) . "=" . urlencode($value);
        }

        // Now output the POST data
        header('Content-Type: application/x-www-form-urlencoded');
        header('Content-Length: ' . strlen($keys_post));
        header($keys_post);

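Can someone help me with my problem? I have been trying to get this working for months, but I can't get a straight answer on how this stage of OpenID authentication works.

3 answers

Stack Overflow user

Posted 2009-09-26 15:53:45

First, even though PHP converts periods to underscores in parameter names, make sure you are sending periods and not underscores.

Second, your check_authentication response should have only three parameters, but you have six. Check the spec and fix your response, and see if that helps.

Votes: 1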

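Stack Overflow user

Posted 2009-11-04 14:38:41

Andrew Arnott, you are wrong! From the documentation at openid.net:

11.4.2.1. Request Parameters

openid.mode value: "check_authentication"

Exact copies of all fields from the authentication response, except for "openid.mode".

There may be more than three fields!

Votes: 0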
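
Added example (not part of the thread and not the asker's code): one way an OpenID provider could answer check_authentication in PHP, recomputing the signature over the fields named in openid.signed with the stored secret of a private association and returning only is_valid in the response body. It goes beyond the answers above; the store $PRIVATE_ASSOCS, the handle, the secret and the example.com-style URLs are constructed assumptions.

```php
<?php
// Hypothetical store of PRIVATE (stateless) associations: handle => secret.
// Handles negotiated via "associate" must not be accepted here.
$PRIVATE_ASSOCS = array('demo-private-handle' => 'constructed-demo-secret');

// Key-Value Form of the fields named in openid.signed: "key:value\n" each.
function openid_signed_text(array $post) {
    $text = '';
    foreach (explode(',', $post['openid_signed']) as $field) {
        // PHP rewrote "." to "_" in the incoming parameter names.
        $key = 'openid_' . str_replace('.', '_', $field);
        if (!isset($post[$key])) {
            return null; // a field listed as signed is missing
        }
        $text .= $field . ':' . $post[$key] . "\n";
    }
    return $text;
}

// Returns the response BODY (Key-Value Form), to be sent as text/plain.
function openid_check_authentication(array $post, array $assocs) {
    $handle = isset($post['openid_assoc_handle']) ? $post['openid_assoc_handle'] : '';
    $valid = false;
    if (isset($assocs[$handle], $post['openid_sig'], $post['openid_signed'])) {
        // The request carries mode=check_authentication, but the signature
        // was made over the id_res response, so restore that value first.
        $post['openid_mode'] = 'id_res';
        $text = openid_signed_text($post);
        if ($text !== null) {
            $mac = base64_encode(hash_hmac('sha1', $text, $assocs[$handle], true));
            $valid = hash_equals($mac, $post['openid_sig']); // constant time
        }
    }
    return 'is_valid:' . ($valid ? 'true' : 'false') . "\n";
}

// Constructed request, signed the way the OP signed its id_res response.
$post = array(
    'openid_mode' => 'check_authentication',
    'openid_assoc_handle' => 'demo-private-handle',
    'openid_identity' => 'http://op.example/openid:alice',
    'openid_signed' => 'assoc_handle,identity,mode,signed,sreg.email',
    'openid_sreg_email' => 'alice@example.com',
);
$text = openid_signed_text(array('openid_mode' => 'id_res') + $post);
$post['openid_sig'] = base64_encode(hash_hmac('sha1', $text, 'constructed-demo-secret', true));
echo openid_check_authentication($post, $PRIVATE_ASSOCS);   // untampered request
$post['openid_identity'] = 'http://op.example/openid:mallory';
echo openid_check_authentication($post, $PRIVATE_ASSOCS);   // altered after signing
```

For OpenID 2.0 requests the body also carries an ns:http://specs.openid.net/auth/2.0 line, and the provider should answer a given response nonce only once so a captured assertion cannot be re-verified.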
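
Stack Overflow user

Posted 2015-04-23 13:54:48

I had a similar problem. In my case, the client (relying party) failed to resolve the name of the OpenID provider to the correct IP. Although this is unlikely to be the case, please check name resolution on the relying server.

Votes: 0

Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/1740138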