我刚刚调试了一段我的php代码,我的登录代码没有正确验证请求。我以某种方式跳过使用 - > validate()函数,我的一个网站测试人员通过从谷歌(下方)获取响应并将其电子邮件更改为管理员电子邮件,设法登录管理员帐户。
http://mydomain/login/?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-02-15T03%3A56%3A27ZY153c0JFI0G5wA&openid.return_to=http%3A%2F%2Flocalhost%2Flogin%2F&openid.assoc_handle=AMlYA9UI33WW3XfuQGjITXSgB0a0x8nsqD91iuWK9mdvwyBm4EEbk08g&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.namePerson_first%2Cext1.value.namePerson_first%2Cext1.type.namePerson_last%2Cext1.value.namePerson_last%2Cext1.type.contact_email%2Cext1.value.contact_email&openid.sig=laAMatkmFjOPrKPsmaIEg%3D&openid.identity=https3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAawnUG6Mr7_ynO1mN-fThr9wbOo&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%OawnUG6Mr7_ymuB1mN-fTFhr9wbOo&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.namePerson_first=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.namePerson_first=T&openid.ext1.type.namePerson_last=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.namePerson_last=M&openid.ext1.type.contact_email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.value.contact_email=**myemail%email.com**
这让我们对open id如何验证感兴趣,使用validate()函数,请求来自何处,并被发送回正确的源,并捕获任何未直接从openid服务器发回的内容? sig或idenitiy变量是否被用作某种公钥/私钥系统?
如果有人能帮我理解那会很酷。
非常感谢
答案 0 :(得分:2)
从提供程序返回的肯定断言包含一个名为openid.signed的字段,在消费者端使用该字段来验证openid.sig中保存的签名。生成/验证签名的过程概述为here。
根据你所显示的断言,这些是签名字段:
op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,
ext1.mode,ext1.type.namePerson_first,ext1.value.namePerson_first,
ext1.type.namePerson_last,ext1.value.namePerson_last,ext1.type.contact_email,
ext1.value.contact_email
您可以看到ext1.value.contact_email是签名字段之一,因此是签名的一部分,因此如果签名匹配,您可以确定该值未被篡改。
assoc_handle是指在associate方法期间在消费者和提供者之间建立的共享秘密。此共享密钥用于生成有符号字段值的键控散列,形成要进行比较的签名。