Issue 45: validate() returns FALSE on realms with wildcard
Status:  New
Owner: ----
Reported by MKlepacz...@gmail.com, Jul 21, 2011
When using 'http://*.example.com' realm validate() always returns FALSE from validate() method. It's because of this line in validate():
if ($this->data['openid_return_to'] != $this->returnUrl)

$this->returnUrl is improperly constructed in __construct()
$this->returnUrl = $this->trustRoot . $uri;
(trustRoot may contain wildcard).
Jul 21, 2011
Project Member #1 mewp...@gmail.com
It isn't improper in my opinion. In such case, there's no way to properly guess returnUrl, so the user must do so himself.

Or do you have any idea how to do it properly?
Jul 21, 2011
#2 MKlepacz...@gmail.com
Maybe it would be better to check if realm contains wildcard and fallback to $_SERVER['HTTP_HOST'] if it does?

In my case the real issue is not '$this->returnUrl' but failed validation. I think it would be ok to check in validate() if returnUrl/realm contains wildcard and if it does check if returnUrl (stripped of wildcard) is suffix of $this->data['openid_return_to'].

Another solution would be to throw exception if realm contains wildcard and returnUrl is not set explicitly by user. In this case user of LightOpenID object would be at least aware that it's necessary to set returnUrl properly (I've spent hour tracking cause of failed validation ;))
Dec 2, 2011
#3 woody.gilk
Created a merge request to fix this issue: https://gitorious.org/lightopenid/lightopenid/merge_requests/13