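<?php
# Buffer output so that setcookie() further down still works even though the HTML
# head below is emitted first (headers must precede any output; without buffering the
# original only worked when output_buffering happened to be enabled in php.ini).
ob_start();

# Escape a value for an HTML attribute / text context (quotes included).
function idp_escape($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

# Return the named POST parameter as a string, or null if it is absent or not a plain string
# (e.g. `name[]=x` arrives as an array and must not reach base64_decode()/hash_equals()).
function idp_post_string($name) {
    return (isset($_POST[$name]) && is_string($_POST[$name])) ? $_POST[$name] : null;
}

# True only for absolute http(s) URLs. These values end up as the action of an
# auto-submitted form (javascript:/data: must be rejected) or are handed to a URL fetcher.
function idp_is_http_url($url) {
    if (!is_string($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return $scheme === 'http' || $scheme === 'https';
}
?>
<html>
<head>
<title>Proto IDP</title>
<link rel="stylesheet" type="text/css" href="mystyle.css">
</head>
<body>
<?php
# Prototype Identity Provider (IDP) endpoint. Everything is driven by POST parameters and
# one cookie named "session":
#   1. No cookie + returnUrl/public_key/nonce  -> render the login mask.
#   2. Login mask submit                        -> check credentials, set the cookie, and
#                                                  auto-re-POST the three SP parameters here.
#   3. Cookie present + the three parameters    -> decrypt nonce/returnUrl with the IDP private
#                                                  key, fetch the SP public key, sign + encrypt
#                                                  the user record and auto-POST it to returnUrl.
#
# SECURITY NOTES (review) -- this is a demo; the following are NOT provided by this code and
# are only flagged, because fixing them changes the wire protocol the SP side expects:
#   - The "session" cookie is a constant username: anyone who sets session=johndoe is treated
#     as logged in. Use a random server-side session id instead.
#   - The signature (RSA-SHA1) covers only the user JSON. It is not bound to the nonce, the
#     SP key or returnUrl, so a captured assertion can be replayed to a different SP; SHA-1 is
#     also deprecated for signatures. Sign nonce||returnUrl||user with SHA-256 on both ends.
#   - openssl_private_decrypt()/openssl_public_encrypt() use PKCS#1 v1.5 padding by default,
#     which exposes a padding oracle; use OPENSSL_PKCS1_OAEP_PADDING on both ends.
#   - mcrypt is removed as of PHP 7.2, MCRYPT_RIJNDAEL_256 (256-bit block) is not AES, the
#     IV is derived from the key rather than random, and there is no MAC. Migrate both ends
#     to AES-256-GCM via openssl_encrypt().
#   - get_public_key_from_url() fetches a client-chosen URL (SSRF) and the returned key is
#     trusted blindly. Resolve SP keys and return URLs from a registered-SP allowlist.
#   - The login form has no CSRF token and the credential check has no rate limiting.

$return_url_param = idp_post_string('returnUrl');
$public_key_param = idp_post_string('public_key');
$nonce_param = idp_post_string('nonce');
$sp_params_present = $return_url_param !== null && $public_key_param !== null && $nonce_param !== null;

if (!isset($_COOKIE['session'])) {
    # --- no session cookie: the user has to authenticate ---
    if (!$sp_params_present) {
        echo '<h1>Sorry, missing information!</h1>';
    } elseif (idp_post_string('username') === null || idp_post_string('password') === null) {
        # Show the login mask while either credential is missing. (The original tested
        # `!isset(username) && !isset(password)`, so a request carrying just one of the two
        # reached the credential check with an undefined index.)
        # All echoed values are attacker-controlled POST data and are HTML-escaped.
?>
<h1>Login mask:</h1>
<form action="idp_proto.php" method="post">
<input type="text" name="username" placeholder="username" /><br>
<input type="password" name="password" placeholder="password" /><br>
<input type="hidden" name="returnUrl" value="<?php echo idp_escape($return_url_param); ?>"/>
<input type="hidden" name="public_key" value="<?php echo idp_escape($public_key_param); ?>"/>
<input type="hidden" name="nonce" value="<?php echo idp_escape($nonce_param); ?>"/>
<input type="submit" />
</form>
<?php
    } else {
        $username = idp_post_string('username');
        $password = idp_post_string('password');
        # DEMO ONLY: hard-coded credentials. In a real deployment look the user up in your DB
        # and verify with password_verify(); never store or compare plaintext passwords.
        # hash_equals() is a strict, constant-time comparison (the original used loose `==`).
        if (hash_equals('johndoe', $username) && hash_equals('foobar', $password)) {
            # DEMO ONLY: the cookie value is just the username and can be forged by anyone;
            # use a random server-side session id (session_start() / random_bytes()) instead.
            # Secure + HttpOnly are set; consider adding SameSite as well.
            setcookie('session', 'johndoe', time() + 4000, '/', '', true, true);
            # Re-POST the SP parameters to this script now that the cookie is set.
?>
<form action="idp_proto.php" method="post">
<input type="hidden" name="returnUrl" value="<?php echo idp_escape($return_url_param); ?>"/>
<input type="hidden" name="public_key" value="<?php echo idp_escape($public_key_param); ?>"/>
<input type="hidden" name="nonce" value="<?php echo idp_escape($nonce_param); ?>"/>
</form>
<script type="text/javascript">window.onload = function () { document.forms[0].submit(); }</script>
<?php
        } else {
            # invalid credentials: one generic message so username and password cannot be
            # distinguished
            echo '<h1>Sorry, invalid username or password!</h1>';
        }
    }
} else {
    # --- session cookie present ---
    # DEMO ONLY: implement proper session management depending on your system.
    # A fixed cookie value is not a session (see the notes above).
    if (!is_string($_COOKIE['session']) || !hash_equals('johndoe', $_COOKIE['session'])) {
        echo '<h1>Sorry, suspicious cookie!</h1>';
    } elseif (!$sp_params_present) {
        # The original read $_POST here unchecked and went on to "decrypt" empty strings.
        echo '<h1>Sorry, missing information!</h1>';
    } else {
        # DEMO ONLY: make sure to store your private key in a secure manner
        $privkey = get_private_key();

        # 1. decode (strict base64) and decrypt the SP-supplied parameters.
        #    Every return value is checked: the original ignored failures and continued
        #    with undefined $nonce / $return_url (and an empty encryption key below).
        #    NOTE(review): default PKCS#1 v1.5 padding -- see the header notes.
        $raw_nonce = base64_decode($nonce_param, true);
        $raw_return_url = base64_decode($return_url_param, true);
        $pubkey_url = base64_decode($public_key_param, true);
        $nonce = null;
        $return_url = null;
        $decrypted = $raw_nonce !== false && $raw_return_url !== false && $pubkey_url !== false
            && openssl_private_decrypt($raw_nonce, $nonce, $privkey)
            && openssl_private_decrypt($raw_return_url, $return_url, $privkey);

        if (!$decrypted) {
            echo '<h1>Sorry, could not decrypt request parameters!</h1>';
        } elseif (!idp_is_http_url($return_url)) {
            # $return_url becomes the action of an auto-submitted form carrying the signed user
            # record, so it must be a plain http(s) URL. Anyone can encrypt a value to the IDP
            # public key, so successful decryption proves nothing about who the SP is.
            # NOTE(review): an IDP should only release assertions to registered SPs.
            echo '<h1>Sorry, invalid return URL!</h1>';
        } elseif (!idp_is_http_url($pubkey_url)) {
            echo '<h1>Sorry, invalid public key URL!</h1>';
        } else {
            # 2. get public key from Service Provider
            # DEMO ONLY: implement a function to read the public key from remote Service Provider.
            # NOTE(review): client-chosen URL -> SSRF, and the fetched key is trusted blindly.
            $pubkey = get_public_key_from_url($pubkey_url);

            # 3. get user from DB
            # DEMO ONLY
            $user = '{"Id":123456,"Username":"Johnny","Prename":"John","Surname":"Doe","EMail":"[email protected]"}';

            # 4. build signature
            # RSA-SHA1 over $user only is kept because the SP side verifies exactly that;
            # see the header notes on SHA-1 and on binding nonce/audience into the signature.
            $signature = '';
            $signed = openssl_sign($user, $signature, $privkey, "RSA-SHA1");

            # 5. encrypting all output parameters: the user record under the SP nonce (as
            #    symmetric key), the nonce under the SP public key.
            # NOTE(review): mcrypt / RIJNDAEL_256 / key-derived IV / no MAC -- see header notes.
            $iv = substr(md5($nonce), 0, 32);
            $c_user = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $nonce, $user, MCRYPT_MODE_CBC, $iv);
            $c_nonce = '';
            $sealed = (bool) $pubkey && openssl_public_encrypt($nonce, $c_nonce, $pubkey);

            if (!$signed || $c_user === false || !$sealed) {
                echo '<h1>Sorry, could not build the response!</h1>';
            } else {
                # Hidden fields instead of the original visible text inputs; the original also
                # had a stray space inside the Nonce and User value attributes that was POSTed
                # to the SP as part of the base64 string.
?>
<form action="<?php echo idp_escape($return_url); ?>" method="post">
<input type="hidden" name="Nonce" value="<?php echo idp_escape(base64_encode($c_nonce)); ?>"/>
<input type="hidden" name="User" value="<?php echo idp_escape(base64_encode($c_user)); ?>"/>
<input type="hidden" name="Signature" value="<?php echo idp_escape(base64_encode($signature)); ?>"/>
</form>
<script type="text/javascript">window.onload = function () { document.forms[0].submit(); } </script>
<?php
            }
        }
    }
}
?>
</body>
</html>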