If a claimed_id that is different from what was sent fails discovery on line 369 of openid_module, line 378 will throw a PHP notice and warning because $uris was not defined:
// OpenID Authentication, section 11.2:
// If the returned Claimed Identifier is different from the one sent
// to the OpenID Provider, we need to do discovery on the returned
// identifier to make sure that the provider is authorized to
// respond on behalf of this.
if ($response_claimed_id != $claimed_id) {
  $discovery = openid_discovery($response['openid.claimed_id']);
  if ($discovery && !empty($discovery['services'])) {
    $uris = array();
    foreach ($discovery['services'] as $discovered_service) {
      if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
        $uris[] = $discovered_service['uri'];
      }
    }
  }
  if (!in_array($service['uri'], $uris)) {
    return $response;
  }
}
The errors displayed are:
Notice: Undefined variables: uris in openid_complete() (line 378...)
Warning: in_array() expects parameter 2 to be array, null given in openid_complete() (line 378...)
The solution would be to define $uris outside of the if statement, which appears to be how it was created in the patch that introduced this code: #728278: openid_complete should normalize $response['openid.claimed_id'] before discovery
The error occurred when I tried to log in to Yahoo!'s OpenID service (https://me.yahoo.com/) immediately after clearing the cache. The admin account used to clear the cache was not logged out beforehand. I'd like to know why discovery failed and a subsequent request threw the error "Sorry, that is not a valid OpenID..." with https://me.yahoo.com/; a fresh install on localhost just throws that latter error a few times right after the cache clear. However, this issue is not about that failure (unless somebody has a fast idea what the problem might be).
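The fix suggested above, as an added example that is not part of the original report and is not Drupal's own code: the URI list is initialized before the discovery check, so a failed discovery yields an empty list and the endpoint comparison fails without a notice or warning. The function names, the example.com URIs and the use of FALSE for a failed discovery are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, not part of openid.module.

/**
 * Collects the endpoint URIs that a discovery result authorizes.
 * Always returns an array, so a failed discovery gives an empty list.
 */
function example_openid_authorized_uris($discovery) {
  // Defined before any condition: a failed discovery must not leave it unset.
  $uris = array();
  $types = array(
    'http://specs.openid.net/auth/2.0/server',
    'http://specs.openid.net/auth/2.0/signon',
  );
  if ($discovery && !empty($discovery['services'])) {
    foreach ($discovery['services'] as $discovered_service) {
      // Keep only services that advertise an OpenID 2.0 endpoint type.
      if (array_intersect($types, $discovered_service['types'])) {
        $uris[] = $discovered_service['uri'];
      }
    }
  }
  return $uris;
}

/**
 * TRUE only if the endpoint that answered is listed for the claimed identifier.
 */
function example_openid_endpoint_is_authorized($service_uri, $discovery) {
  return in_array($service_uri, example_openid_authorized_uris($discovery), TRUE);
}

// Constructed sample inputs (not real discovery results).
$endpoint = 'https://op.example.com/server';
$matching = array('services' => array(array(
  'uri' => $endpoint,
  'types' => array('http://specs.openid.net/auth/2.0/signon'),
)));
$different = array('services' => array(array(
  'uri' => 'https://other.example.net/server',
  'types' => array('http://specs.openid.net/auth/2.0/server'),
)));

// Case 1: discovery lists the responding endpoint.
var_dump(example_openid_endpoint_is_authorized($endpoint, $matching));
// Case 2: discovery lists a different endpoint.
var_dump(example_openid_endpoint_is_authorized($endpoint, $different));
// Case 3: discovery failed (FALSE assumed as the failure value).
var_dump(example_openid_endpoint_is_authorized($endpoint, FALSE));
```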