Add openid security
[contractdashboard.git] / lib / openid-php / Auth / OpenID / Server.php
blob:a/lib/openid-php/Auth/OpenID/Server.php -> blob:b/lib/openid-php/Auth/OpenID/Server.php
--- a/lib/openid-php/Auth/OpenID/Server.php
+++ b/lib/openid-php/Auth/OpenID/Server.php
@@ -1,1 +1,1766 @@
-
+<?php
+
+/**
+ * OpenID server protocol and logic.
+ * 
+ * Overview
+ *
+ * An OpenID server must perform three tasks:
+ *
+ *  1. Examine the incoming request to determine its nature and validity.
+ *  2. Make a decision about how to respond to this request.
+ *  3. Format the response according to the protocol.
+ * 
+ * The first and last of these tasks may performed by the {@link
+ * Auth_OpenID_Server::decodeRequest()} and {@link
+ * Auth_OpenID_Server::encodeResponse} methods.  Who gets to do the
+ * intermediate task -- deciding how to respond to the request -- will
+ * depend on what type of request it is.
+ *
+ * If it's a request to authenticate a user (a 'checkid_setup' or
+ * 'checkid_immediate' request), you need to decide if you will assert
+ * that this user may claim the identity in question.  Exactly how you
+ * do that is a matter of application policy, but it generally
+ * involves making sure the user has an account with your system and
+ * is logged in, checking to see if that identity is hers to claim,
+ * and verifying with the user that she does consent to releasing that
+ * information to the party making the request.
+ *
+ * Examine the properties of the {@link Auth_OpenID_CheckIDRequest}
+ * object, and if and when you've come to a decision, form a response
+ * by calling {@link Auth_OpenID_CheckIDRequest::answer()}.
+ *
+ * Other types of requests relate to establishing associations between
+ * client and server and verifing the authenticity of previous
+ * communications.  {@link Auth_OpenID_Server} contains all the logic
+ * and data necessary to respond to such requests; just pass it to
+ * {@link Auth_OpenID_Server::handleRequest()}.
+ *
+ * OpenID Extensions
+ * 
+ * Do you want to provide other information for your users in addition
+ * to authentication?  Version 1.2 of the OpenID protocol allows
+ * consumers to add extensions to their requests.  For example, with
+ * sites using the Simple Registration
+ * Extension
+ * (http://openid.net/specs/openid-simple-registration-extension-1_0.html),
+ * a user can agree to have their nickname and e-mail address sent to
+ * a site when they sign up.
+ *
+ * Since extensions do not change the way OpenID authentication works,
+ * code to handle extension requests may be completely separate from
+ * the {@link Auth_OpenID_Request} class here.  But you'll likely want
+ * data sent back by your extension to be signed.  {@link
+ * Auth_OpenID_ServerResponse} provides methods with which you can add
+ * data to it which can be signed with the other data in the OpenID
+ * signature.
+ *
+ * For example:
+ *
+ * <pre>  // when request is a checkid_* request
+ *  $response = $request->answer(true);
+ *  // this will a signed 'openid.sreg.timezone' parameter to the response
+ *  response.addField('sreg', 'timezone', 'America/Los_Angeles')</pre>
+ *
+ * Stores
+ *
+ * The OpenID server needs to maintain state between requests in order
+ * to function.  Its mechanism for doing this is called a store.  The
+ * store interface is defined in Interface.php.  Additionally, several
+ * concrete store implementations are provided, so that most sites
+ * won't need to implement a custom store.  For a store backed by flat
+ * files on disk, see {@link Auth_OpenID_FileStore}.  For stores based
+ * on MySQL, SQLite, or PostgreSQL, see the {@link
+ * Auth_OpenID_SQLStore} subclasses.
+ *
+ * Upgrading
+ *
+ * The keys by which a server looks up associations in its store have
+ * changed in version 1.2 of this library.  If your store has entries
+ * created from version 1.0 code, you should empty it.
+ *
+ * PHP versions 4 and 5
+ *
+ * LICENSE: See the COPYING file included in this distribution.
+ *
+ * @package OpenID
+ * @author JanRain, Inc. <openid@janrain.com>
+ * @copyright 2005-2008 Janrain, Inc.
+ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
+ */
+
+/**
+ * Required imports
+ */
+require_once "Auth/OpenID.php";
+require_once "Auth/OpenID/Association.php";
+require_once "Auth/OpenID/CryptUtil.php";
+require_once "Auth/OpenID/BigMath.php";
+require_once "Auth/OpenID/DiffieHellman.php";
+require_once "Auth/OpenID/KVForm.php";
+require_once "Auth/OpenID/TrustRoot.php";
+require_once "Auth/OpenID/ServerRequest.php";
+require_once "Auth/OpenID/Message.php";
+require_once "Auth/OpenID/Nonce.php";
+
+define('AUTH_OPENID_HTTP_OK', 200);
+define('AUTH_OPENID_HTTP_REDIRECT', 302);
+define('AUTH_OPENID_HTTP_ERROR', 400);
+
+/**
+ * @access private
+ */
+global $_Auth_OpenID_Request_Modes;
+$_Auth_OpenID_Request_Modes = array('checkid_setup',
+                                    'checkid_immediate');
+
+/**
+ * @access private
+ */
+define('Auth_OpenID_ENCODE_KVFORM', 'kfvorm');
+
+/**
+ * @access private
+ */
+define('Auth_OpenID_ENCODE_URL', 'URL/redirect');
+
+/**
+ * @access private
+ */
+define('Auth_OpenID_ENCODE_HTML_FORM', 'HTML form');
+
+/**
+ * @access private
+ */
+function Auth_OpenID_isError($obj, $cls = 'Auth_OpenID_ServerError')
+{
+    return is_a($obj, $cls);
+}
+
+/**
+ * An error class which gets instantiated and returned whenever an
+ * OpenID protocol error occurs.  Be prepared to use this in place of
+ * an ordinary server response.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_ServerError {
+    /**
+     * @access private
+     */
+    function Auth_OpenID_ServerError($message = null, $text = null,
+                                     $reference = null, $contact = null)
+    {
+        $this->message = $message;
+        $this->text = $text;
+        $this->contact = $contact;
+        $this->reference = $reference;
+    }
+
+    function getReturnTo()
+    {
+        if ($this->message &&
+            $this->message->hasKey(Auth_OpenID_OPENID_NS, 'return_to')) {
+            return $this->message->getArg(Auth_OpenID_OPENID_NS,
+                                          'return_to');
+        } else {
+            return null;
+        }
+    }
+
+    /**
+     * Returns the return_to URL for the request which caused this
+     * error.
+     */
+    function hasReturnTo()
+    {
+        return $this->getReturnTo() !== null;
+    }
+
+    /**
+     * Encodes this error's response as a URL suitable for
+     * redirection.  If the response has no return_to, another
+     * Auth_OpenID_ServerError is returned.
+     */
+    function encodeToURL()
+    {
+        if (!$this->message) {
+            return null;
+        }
+
+        $msg = $this->toMessage();
+        return $msg->toURL($this->getReturnTo());
+    }
+
+    /**
+     * Encodes the response to key-value form.  This is a
+     * machine-readable format used to respond to messages which came
+     * directly from the consumer and not through the user-agent.  See
+     * the OpenID specification.
+     */
+    function encodeToKVForm()
+    {
+        return Auth_OpenID_KVForm::fromArray(
+                                      array('mode' => 'error',
+                                            'error' => $this->toString()));
+    }
+
+    function toFormMarkup($form_tag_attrs=null)
+    {
+        $msg = $this->toMessage();
+        return $msg->toFormMarkup($this->getReturnTo(), $form_tag_attrs);
+    }
+
+    function toHTML($form_tag_attrs=null)
+    {
+        return Auth_OpenID::autoSubmitHTML(
+                      $this->toFormMarkup($form_tag_attrs));
+    }
+
+    function toMessage()
+    {
+        // Generate a Message object for sending to the relying party,
+        // after encoding.
+        $namespace = $this->message->getOpenIDNamespace();
+        $reply = new Auth_OpenID_Message($namespace);
+        $reply->setArg(Auth_OpenID_OPENID_NS, 'mode', 'error');
+        $reply->setArg(Auth_OpenID_OPENID_NS, 'error', $this->toString());
+
+        if ($this->contact !== null) {
+            $reply->setArg(Auth_OpenID_OPENID_NS, 'contact', $this->contact);
+        }
+
+        if ($this->reference !== null) {
+            $reply->setArg(Auth_OpenID_OPENID_NS, 'reference',
+                           $this->reference);
+        }
+
+        return $reply;
+    }
+
+    /**
+     * Returns one of Auth_OpenID_ENCODE_URL,
+     * Auth_OpenID_ENCODE_KVFORM, or null, depending on the type of
+     * encoding expected for this error's payload.
+     */
+    function whichEncoding()
+    {
+        global $_Auth_OpenID_Request_Modes;
+
+        if ($this->hasReturnTo()) {
+            if ($this->message->isOpenID2() &&
+                (strlen($this->encodeToURL()) >
+                   Auth_OpenID_OPENID1_URL_LIMIT)) {
+                return Auth_OpenID_ENCODE_HTML_FORM;
+            } else {
+                return Auth_OpenID_ENCODE_URL;
+            }
+        }
+
+        if (!$this->message) {
+            return null;
+        }
+
+        $mode = $this->message->getArg(Auth_OpenID_OPENID_NS,
+                                       'mode');
+
+        if ($mode) {
+            if (!in_array($mode, $_Auth_OpenID_Request_Modes)) {
+                return Auth_OpenID_ENCODE_KVFORM;
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Returns this error message.
+     */
+    function toString()
+    {
+        if ($this->text) {
+            return $this->text;
+        } else {
+            return get_class($this) . " error";
+        }
+    }
+}
+
+/**
+ * Error returned by the server code when a return_to is absent from a
+ * request.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_NoReturnToError extends Auth_OpenID_ServerError {
+    function Auth_OpenID_NoReturnToError($message = null,
+                                         $text = "No return_to URL available")
+    {
+        parent::Auth_OpenID_ServerError($message, $text);
+    }
+
+    function toString()
+    {
+        return "No return_to available";
+    }
+}
+
+/**
+ * An error indicating that the return_to URL is malformed.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_MalformedReturnURL extends Auth_OpenID_ServerError {
+    function Auth_OpenID_MalformedReturnURL($message, $return_to)
+    {
+        $this->return_to = $return_to;
+        parent::Auth_OpenID_ServerError($message, "malformed return_to URL");
+    }
+}
+
+/**
+ * This error is returned when the trust_root value is malformed.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_MalformedTrustRoot extends Auth_OpenID_ServerError {
+    function Auth_OpenID_MalformedTrustRoot($message = null,
+                                            $text = "Malformed trust root")
+    {
+        parent::Auth_OpenID_ServerError($message, $text);
+    }
+
+    function toString()
+    {
+        return "Malformed trust root";
+    }
+}
+
+/**
+ * The base class for all server request classes.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_Request {
+    var $mode = null;
+}
+
+/**
+ * A request to verify the validity of a previous response.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request {
+    var $mode = "check_authentication";
+    var $invalidate_handle = null;
+
+    function Auth_OpenID_CheckAuthRequest($assoc_handle, $signed,
+                                          $invalidate_handle = null)
+    {
+        $this->assoc_handle = $assoc_handle;
+        $this->signed = $signed;
+        if ($invalidate_handle !== null) {
+            $this->invalidate_handle = $invalidate_handle;
+        }
+        $this->namespace = Auth_OpenID_OPENID2_NS;
+        $this->message = null;
+    }
+
+    static function fromMessage($message, $server=null)
+    {
+        $required_keys = array('assoc_handle', 'sig', 'signed');
+
+        foreach ($required_keys as $k) {
+            if (!$message->getArg(Auth_OpenID_OPENID_NS, $k)) {
+                return new Auth_OpenID_ServerError($message,
+                    sprintf("%s request missing required parameter %s from \
+                            query", "check_authentication", $k));
+            }
+        }
+
+        $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle');
+        $sig = $message->getArg(Auth_OpenID_OPENID_NS, 'sig');
+
+        $signed_list = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
+        $signed_list = explode(",", $signed_list);
+
+        $signed = $message;
+        if ($signed->hasKey(Auth_OpenID_OPENID_NS, 'mode')) {
+            $signed->setArg(Auth_OpenID_OPENID_NS, 'mode', 'id_res');
+        }
+
+        $result = new Auth_OpenID_CheckAuthRequest($assoc_handle, $signed);
+        $result->message = $message;
+        $result->sig = $sig;
+        $result->invalidate_handle = $message->getArg(Auth_OpenID_OPENID_NS,
+                                                      'invalidate_handle');
+        return $result;
+    }
+
+    function answer($signatory)
+    {
+        $is_valid = $signatory->verify($this->assoc_handle, $this->signed);
+
+        // Now invalidate that assoc_handle so it this checkAuth
+        // message cannot be replayed.
+        $signatory->invalidate($this->assoc_handle, true);
+        $response = new Auth_OpenID_ServerResponse($this);
+
+        $response->fields->setArg(Auth_OpenID_OPENID_NS,
+                                  'is_valid',
+                                  ($is_valid ? "true" : "false"));
+
+        if ($this->invalidate_handle) {
+            $assoc = $signatory->getAssociation($this->invalidate_handle,
+                                                false);
+            if (!$assoc) {
+                $response->fields->setArg(Auth_OpenID_OPENID_NS,
+                                          'invalidate_handle',
+                                          $this->invalidate_handle);
+            }
+        }
+        return $response;
+    }
+}
+
+/**
+ * A class implementing plaintext server sessions.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_PlainTextServerSession {
+    /**
+     * An object that knows how to handle association requests with no
+     * session type.
+     */
+    var $session_type = 'no-encryption';
+    var $needs_math = false;
+    var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256');
+
+    static function fromMessage($unused_request)
+    {
+        return new Auth_OpenID_PlainTextServerSession();
+    }
+
+    function answer($secret)
+    {
+        return array('mac_key' => base64_encode($secret));
+    }
+}
+
+/**
+ * A class implementing DH-SHA1 server sessions.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_DiffieHellmanSHA1ServerSession {
+    /**
+     * An object that knows how to handle association requests with
+     * the Diffie-Hellman session type.
+     */
+
+    var $session_type = 'DH-SHA1';
+    var $needs_math = true;
+    var $allowed_assoc_types = array('HMAC-SHA1');
+    var $hash_func = 'Auth_OpenID_SHA1';
+
+    function Auth_OpenID_DiffieHellmanSHA1ServerSession($dh, $consumer_pubkey)
+    {
+        $this->dh = $dh;
+        $this->consumer_pubkey = $consumer_pubkey;
+    }
+
+    static function getDH($message)
+    {
+        $dh_modulus = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_modulus');
+        $dh_gen = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_gen');
+
+        if ((($dh_modulus === null) && ($dh_gen !== null)) ||
+            (($dh_gen === null) && ($dh_modulus !== null))) {
+
+            if ($dh_modulus === null) {
+                $missing = 'modulus';
+            } else {
+                $missing = 'generator';
+            }
+
+            return new Auth_OpenID_ServerError($message,
+                                'If non-default modulus or generator is '.
+                                'supplied, both must be supplied.  Missing '.
+                                $missing);
+        }
+
+        $lib = Auth_OpenID_getMathLib();
+
+        if ($dh_modulus || $dh_gen) {
+            $dh_modulus = $lib->base64ToLong($dh_modulus);
+            $dh_gen = $lib->base64ToLong($dh_gen);
+            if ($lib->cmp($dh_modulus, 0) == 0 ||
+                $lib->cmp($dh_gen, 0) == 0) {
+                return new Auth_OpenID_ServerError(
+                  $message, "Failed to parse dh_mod or dh_gen");
+            }
+            $dh = new Auth_OpenID_DiffieHellman($dh_modulus, $dh_gen);
+        } else {
+            $dh = new Auth_OpenID_DiffieHellman();
+        }
+
+        $consumer_pubkey = $message->getArg(Auth_OpenID_OPENID_NS,
+                                            'dh_consumer_public');
+        if ($consumer_pubkey === null) {
+            return new Auth_OpenID_ServerError($message,
+                                  'Public key for DH-SHA1 session '.
+                                  'not found in query');
+        }
+
+        $consumer_pubkey =
+            $lib->base64ToLong($consumer_pubkey);
+
+        if ($consumer_pubkey === false) {
+            return new Auth_OpenID_ServerError($message,
+                                       "dh_consumer_public is not base64");
+        }
+
+        return array($dh, $consumer_pubkey);
+    }
+
+    static function fromMessage($message)
+    {
+        $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
+
+        if (is_a($result, 'Auth_OpenID_ServerError')) {
+            return $result;
+        } else {
+            list($dh, $consumer_pubkey) = $result;
+            return new Auth_OpenID_DiffieHellmanSHA1ServerSession($dh,
+                                                    $consumer_pubkey);
+        }
+    }
+
+    function answer($secret)
+    {
+        $lib = Auth_OpenID_getMathLib();
+        $mac_key = $this->dh->xorSecret($this->consumer_pubkey, $secret,
+                                        $this->hash_func);
+        return array(
+           'dh_server_public' =>
+                $lib->longToBase64($this->dh->public),
+           'enc_mac_key' => base64_encode($mac_key));
+    }
+}
+
+/**
+ * A class implementing DH-SHA256 server sessions.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_DiffieHellmanSHA256ServerSession
+      extends Auth_OpenID_DiffieHellmanSHA1ServerSession {
+
+    var $session_type = 'DH-SHA256';
+    var $hash_func = 'Auth_OpenID_SHA256';
+    var $allowed_assoc_types = array('HMAC-SHA256');
+
+    static function fromMessage($message)
+    {
+        $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
+
+        if (is_a($result, 'Auth_OpenID_ServerError')) {
+            return $result;
+        } else {
+            list($dh, $consumer_pubkey) = $result;
+            return new Auth_OpenID_DiffieHellmanSHA256ServerSession($dh,
+                                                      $consumer_pubkey);
+        }
+    }
+}
+
+/**
+ * A request to associate with the server.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request {
+    var $mode = "associate";
+
+    static function getSessionClasses()
+    {
+        return array(
+          'no-encryption' => 'Auth_OpenID_PlainTextServerSession',
+          'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ServerSession',
+          'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ServerSession');
+    }
+
+    function Auth_OpenID_AssociateRequest($session, $assoc_type)
+    {
+        $this->session = $session;
+        $this->namespace = Auth_OpenID_OPENID2_NS;
+        $this->assoc_type = $assoc_type;
+    }
+
+    static function fromMessage($message, $server=null)
+    {
+        if ($message->isOpenID1()) {
+            $session_type = $message->getArg(Auth_OpenID_OPENID_NS,
+                                             'session_type');
+
+            if ($session_type == 'no-encryption') {
+                // oidutil.log('Received OpenID 1 request with a no-encryption '
+                //             'assocaition session type. Continuing anyway.')
+            } else if (!$session_type) {
+                $session_type = 'no-encryption';
+            }
+        } else {
+            $session_type = $message->getArg(Auth_OpenID_OPENID_NS,
+                                             'session_type');
+            if ($session_type === null) {
+                return new Auth_OpenID_ServerError($message,
+                  "session_type missing from request");
+            }
+        }
+
+        $session_class = Auth_OpenID::arrayGet(
+           Auth_OpenID_AssociateRequest::getSessionClasses(),
+           $session_type);
+
+        if ($session_class === null) {
+            return new Auth_OpenID_ServerError($message,
+                                               "Unknown session type " .
+                                               $session_type);
+        }
+
+        $session = call_user_func(array($session_class, 'fromMessage'),
+                                  $message);
+        if (is_a($session, 'Auth_OpenID_ServerError')) {
+            return $session;
+        }
+
+        $assoc_type = $message->getArg(Auth_OpenID_OPENID_NS,
+                                       'assoc_type', 'HMAC-SHA1');
+
+        if (!in_array($assoc_type, $session->allowed_assoc_types)) {
+            $fmt = "Session type %s does not support association type %s";
+            return new Auth_OpenID_ServerError($message,
+              sprintf($fmt, $session_type, $assoc_type));
+        }
+
+        $obj = new Auth_OpenID_AssociateRequest($session, $assoc_type);
+        $obj->message = $message;
+        $obj->namespace = $message->getOpenIDNamespace();
+        return $obj;
+    }
+
+    function answer($assoc)
+    {
+        $response = new Auth_OpenID_ServerResponse($this);
+        $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
+           array(
+                 'expires_in' => sprintf('%d', $assoc->getExpiresIn()),
+                 'assoc_type' => $this->assoc_type,
+                 'assoc_handle' => $assoc->handle));
+
+        $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
+           $this->session->answer($assoc->secret));
+
+        if (! ($this->session->session_type == 'no-encryption' 
+               && $this->message->isOpenID1())) {
+            $response->fields->setArg(Auth_OpenID_OPENID_NS,
+                                      'session_type',
+                                      $this->session->session_type);
+        }
+
+        return $response;
+    }
+
+    function answerUnsupported($text_message,
+                               $preferred_association_type=null,
+                               $preferred_session_type=null)
+    {
+        if ($this->message->isOpenID1()) {
+            return new Auth_OpenID_ServerError($this->message);
+        }
+
+        $response = new Auth_OpenID_ServerResponse($this);
+        $response->fields->setArg(Auth_OpenID_OPENID_NS,
+                                  'error_code', 'unsupported-type');
+        $response->fields->setArg(Auth_OpenID_OPENID_NS,
+                                  'error', $text_message);
+
+        if ($preferred_association_type) {
+            $response->fields->setArg(Auth_OpenID_OPENID_NS,
+                                      'assoc_type',
+                                      $preferred_association_type);
+        }
+
+        if ($preferred_session_type) {
+            $response->fields->setArg(Auth_OpenID_OPENID_NS,
+                                      'session_type',
+                                      $preferred_session_type);
+        }
+        $response->code = AUTH_OPENID_HTTP_ERROR;
+        return $response;
+    }
+}
+
+/**
+ * A request to confirm the identity of a user.
+ *
+ * @package OpenID
+ */
+class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request {
+    /**
+     * Return-to verification callback.  Default is
+     * Auth_OpenID_verifyReturnTo from TrustRoot.php.
+     */
+    var $verifyReturnTo = 'Auth_OpenID_verifyReturnTo';
+
+    /**
+     * The mode of this request.
+     */
+    var $mode = "checkid_setup"; // or "checkid_immediate"
+
+    /**
+     * Whether this request is for immediate mode.
+     */
+    var $immediate = false;
+
+    /**
+     * The trust_root value for this request.
+     */
+    var $trust_root = null;
+
+    /**
+     * The OpenID namespace for this request.
+     * deprecated since version 2.0.2
+     */
+    var $namespace;
+    
+    static function make($message, $identity, $return_to, $trust_root = null,
+                  $immediate = false, $assoc_handle = null, $server = null)
+    {
+        if ($server === null) {
+            return new Auth_OpenID_ServerError($message,
+                                               "server must not be null");
+        }
+
+        if ($return_to &&
+            !Auth_OpenID_TrustRoot::_parse($return_to)) {
+            return new Auth_OpenID_MalformedReturnURL($message, $return_to);
+        }
+
+        $r = new Auth_OpenID_CheckIDRequest($identity, $return_to,
+                                            $trust_root, $immediate,
+                                            $assoc_handle, $server);
+
+        $r->namespace = $message->getOpenIDNamespace();
+        $r->message = $message;
+
+        if (!$r->trustRootValid()) {
+            return new Auth_OpenID_UntrustedReturnURL($message,
+                                                      $return_to,
+                                                      $trust_root);
+        } else {
+            return $r;
+        }
+    }
+
+    function Auth_OpenID_CheckIDRequest($identity, $return_to,
+                                        $trust_root = null, $immediate = false,
+                                        $assoc_handle = null, $server = null,
+                                        $claimed_id = null)
+    {
+        $this->namespace = Auth_OpenID_OPENID2_NS;
+        $this->assoc_handle = $assoc_handle;
+        $this->identity = $identity;
+        if ($claimed_id === null) {
+            $this->claimed_id = $identity;
+        } else {
+            $this->claimed_id = $claimed_id;
+        }
+        $this->return_to = $return_to;
+        $this->trust_root = $trust_root;
+        $this->server = $server;
+
+        if ($immediate) {
+            $this->immediate = true;
+            $this->mode = "checkid_immediate";
+        } else {
+            $this->immediate = false;
+            $this->mode = "checkid_setup";
+        }
+    }
+
+    function equals($other)
+    {
+        return (
+                (is_a($other, 'Auth_OpenID_CheckIDRequest')) &&
+                ($this->namespace == $other->namespace) &&
+                ($this->assoc_handle == $other->assoc_handle) &&
+                ($this->identity == $other->identity) &&
+                ($this->claimed_id == $other->claimed_id) &&
+                ($this->return_to == $other->return_to) &&
+                ($this->trust_root == $other->trust_root));
+    }
+
+    /*
+     * Does the relying party publish the return_to URL for this
+     * response under the realm? It is up to the provider to set a
+     * policy for what kinds of realms should be allowed. This
+     * return_to URL verification reduces vulnerability to data-theft
+     * attacks based on open proxies, corss-site-scripting, or open
+     * redirectors.
+     *
+     * This check should only be performed after making sure that the
+     * return_to URL matches the realm.
+     *
+     * @return true if the realm publishes a document with the
+     * return_to URL listed, false if not or if discovery fails
+     */
+    function returnToVerified()
+    {
+        $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
+        return call_user_func_array($this->verifyReturnTo,
+                                    array($this->trust_root, $this->return_to, $fetcher));
+    }
+
+    static function fromMessage($message, $server)
+    {
+        $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
+        $immediate = null;
+
+        if ($mode == "checkid_immediate") {
+            $immediate = true;
+            $mode = "checkid_immediate";
+        } else {
+            $immediate = false;
+            $mode = "checkid_setup";
+        }
+
+        $return_to = $message->getArg(Auth_OpenID_OPENID_NS,
+                                      'return_to');
+
+        if (($message->isOpenID1()) &&
+            (!$return_to)) {
+            $fmt = "Missing required field 'return_to' from checkid request";
+            return new Auth_OpenID_ServerError($message, $fmt);
+        }
+
+        $identity = $message->getArg(Auth_OpenID_OPENID_NS,
+                                     'identity');
+        $claimed_id = $message->getArg(Auth_OpenID_OPENID_NS, 'claimed_id');
+        if ($message->isOpenID1()) {
+            if ($identity === null) {
+                $s = "OpenID 1 message did not contain openid.identity";
+                return new Auth_OpenID_ServerError($message, $s);
+            }
+        } else {
+            if ($identity && !$claimed_id) {
+                $s = "OpenID 2.0 message contained openid.identity but not " .
+                  "claimed_id";
+                return new Auth_OpenID_ServerError($message, $s);
+            } else if ($claimed_id && !$identity) {
+                $s = "OpenID 2.0 message contained openid.claimed_id " .
+                  "but not identity";
+                return new Auth_OpenID_ServerError($message, $s);
+            }
+        }
+
+        // There's a case for making self.trust_root be a TrustRoot
+        // here.  But if TrustRoot isn't currently part of the
+        // "public" API, I'm not sure it's worth doing.
+        if ($message->isO