liveid.php

См. документацию.

<?php
 
/* TODO: Comments are out of date and incomplete. */


class WLL_User
{
    public function __construct($timestamp, $id, $flags, $context, $token)
    {
        $this->setTimestamp($timestamp);
        $this->setId($id);
        $this->setFlags($flags);
        $this->setContext($context);
        $this->setToken($token);
    }
 
    /*private*/
    var $_timestamp;

    /*public*/
    function getTimestamp()
    {
        return $this->_timestamp;
    }

    /*private*/
    function setTimestamp($timestamp)
    {
        if (!$timestamp) {
            //throw new Exception('Error: WLL_User: Null timestamp.');
            $this->setError('Error: WLL_User: Null timestamp.');
            return ;
        }
 
        if (!preg_match('/^\d+$/', $timestamp) || ($timestamp <= 0)) {
            //throw new Exception('Error: WLL_User: Invalid timestamp: ' . $timestamp);
            $this->setError('Error: WLL_User: Invalid timestamp: ' . $timestamp);
            return ;
        }
 
        $this->_timestamp = $timestamp;
    }
 
    /*private*/
    var $_id;

    /*public*/
    function getId()
    {
        return $this->_id;
    }

    /*private*/
    function setId($id)
    {
        if (!$id) {
            //throw new Exception('Error: WLL_User: Null id.');
            $this->setError('Error: WLL_User: Null id.');
            return ;
        }
 
        if (!preg_match('/^\w+$/', $id)) {
            //throw new Exception('Error: WLL_User: Invalid id: ' . $id);
            $this->setError('Error: WLL_User: Invalid id: ' . $id);
            return ;
        }
 
        $this->_id = $id;
    }
 
    /*private*/
    var $_usePersistentCookie;

    /*public*/
    function usePersistentCookie()
    {
        return $this->_usePersistentCookie;
    }

    /*private*/
    function setFlags($flags)
    {
        $this->_usePersistentCookie = false;
        if (preg_match('/^\d+$/', $flags)) {
            $this->_usePersistentCookie = (($flags % 2) == 1);
        }
    }
 
    /*private*/
    var $_context;

    /*public*/
    function getContext()
    {
        return $this->_context;
    }

    /*private*/
    function setContext($context)
    {
        $this->_context = $context;
    }
 
    /*private*/
    var $_token;

    /*public*/
    function getToken()
    {
        return $this->_token;
    }

    /*private*/
    function setToken($token)
    {
        $this->_token = $token;
    }
 
 
    var $_error = false;
 
    function setError($str)
    {
        $this->_error = $str;
    }
 
    function getError()
    {
        if ($this->_error !== false)
        {
            return $this->_error;
        }
    }
}

class WLL_ConsentToken
{
    /*public*/
    function isValid()
    {
        if (!$this->getDelegationToken()) {
            return false;
        }
 
        $now = time();
        return (($now-300) < $this->getExpiry());
    }

    /*public*/
    function refresh()
    {
        $wll = $this->_wll;
        $ct = $wll->refreshConsentToken($this);
        if (!$ct) {
            return false;
        }
        $this->copy($ct);
        return true;
    }
 
    /*private*/
    var $_wll;

    public function __construct(
                        $wll, $delegationtoken, $refreshtoken,
                        $sessionkey, $expiry, $offers, $locationID, $context,
                        $decodedtoken, $token
                )
    {
        $this->_wll = $wll;
        $this->setDelegationToken($delegationtoken);
        $this->setRefreshToken($refreshtoken);
        $this->setSessionKey($sessionkey);
        $this->setExpiry($expiry);
        $this->setOffers($offers);
        $this->setLocationID($locationID);
        $this->setContext($context);
        $this->setDecodedToken($decodedtoken);
        $this->setToken($token);
    }
 
    /*private*/
    var $_delegationtoken;

    /*public*/
    function getDelegationToken()
    {
        return $this->_delegationtoken;
    }

    /*private*/
    function setDelegationToken($delegationtoken)
    {
        if (!$delegationtoken) {
            //throw new Exception('Error: WLL_ConsentToken: Null delegation token.');
            $this->setError('Error: WLL_ConsentToken: Null delegation token.');
            return ;
        }
        $this->_delegationtoken = $delegationtoken;
    }
 
    /*private*/
    var $_refreshtoken;

    /*public*/
    function getRefreshToken()
    {
        return $this->_refreshtoken;
    }

    /*private*/
    function setRefreshToken($refreshtoken)
    {
        $this->_refreshtoken = $refreshtoken;
    }
 
    /*private*/
    var $_sessionkey;

    /*public*/
    function getSessionKey()
    {
        return $this->_sessionkey;
    }

    /*private*/
    function setSessionKey($sessionkey)
    {
        if (!$sessionkey) {
            //throw new Exception('Error: WLL_ConsentToken: Null session key.');
            $this->setError('Error: WLL_ConsentToken: Null session key.');
            return ;
        }
        $this->_sessionkey = base64_decode(urldecode($sessionkey));
    }
 
    /*private*/
    var $_expiry;

    /*public*/
    function getExpiry()
    {
        return $this->_expiry;
    }

    /*private*/
    function setExpiry($expiry)
    {
        if (!$expiry) {
            //throw new Exception('Error: WLL_ConsentToken: Null expiry time.');
            $this->setError('Error: WLL_ConsentToken: Null expiry time.');
            return ;
        }
 
        if (!preg_match('/^\d+$/', $expiry) || ($expiry <= 0)) {
            //throw new Exception('Error: WLL_ConsentToken: Invalid expiry time: ' . $expiry);
            $this->setError('Error: WLL_ConsentToken: Invalid expiry time: ' . $expiry);
            return ;
        }
        $this->_expiry = $expiry;
    }
 
    /*private*/
    var $_offers;

    /*public*/
    function getOffers()
    {
        return $this->_offers;
    }
 
    /*private*/
    var $_offers_string;

    /*public*/
    function getOffersString()
    {
        return $this->_offers_string;
    }

    /*private*/
    function setOffers($offers)
    {
        if (!$offers) {
            //throw new Exception('Error: WLL_ConsentToken: Null offers.');
            $this->setError('Error: WLL_ConsentToken: Null offers.');
            return ;
        }
 
        $offers = urldecode($offers);
 
        //Split $offers by ";" and then take only substring before first ":"
        if(preg_match_all("/(^|;)([^:;]*)/", $offers, $arMatch))
        {
            $this->_offers = $arMatch[2];
            $this->_offers_string = ltrim(implode(",", $arMatch[2]), ",");
        }
        else
        {
            $this->_offers = array();
            $this->_offers_string = "";
        }
    }
 
    /*private*/
    var $_locationID;
    /*public*/
    function getLocationID()
    {
        return $this->_locationID;
    }

    /*private*/
    function setLocationID($locationID)
    {
        if (!$locationID) {
            //throw new Exception('Error: WLL_ConsentToken: Null Location ID.');
            $this->setError('Error: WLL_ConsentToken: Null Location ID.');
            return ;
        }
        $this->_locationID = $locationID;
    }
 
    /*private*/
    var $_context;
    /*public*/
    function getContext()
    {
        return $this->_context;
    }

    /*private*/
    function setContext($context)
    {
        $this->_context = $context;
    }
 
    /*private*/
    var $_decodedtoken;
    /*public*/
    function getDecodedToken()
    {
        return $this->_decodedtoken;
    }

    /*private*/
    function setDecodedToken($decodedtoken)
    {
        $this->_decodedtoken = $decodedtoken;
    }
 
    /*private*/
    var $_token;

    /*public*/
    function getToken()
    {
        return $this->_token;
    }

    /*private*/
    function setToken($token)
    {
        $this->_token = $token;
    }

    /*private*/
    function copy($ct)
    {
        $this->_delegationtoken = $ct->_delegationtoken;
        $this->_refreshtoken = $ct->_refreshtoken;
        $this->_sessionkey = $ct->_sessionkey;
        $this->_expiry = $ct->_expiry;
        $this->_offers = $ct->_offers;
        $this->_offers_string = $ct->_offers_string;
        $this->_locationID = $ct->_locationID;
        $this->_decodedtoken = $ct->_decodedtoken;
        $this->_token = $ct->_token;
    }
 
    var $_error = false;
 
    function setError($str)
    {
        $this->_error = $str;
    }
 
    function getError()
    {
        if ($this->_error !== false)
        {
            return $this->_error;
        }
    }
}
 
class WindowsLiveLogin
{
    /* Implementation of basic methods for Web Authentication support. */
 
    /*private*/
    var $_debug = false;

    /*public*/
    function setDebug($debug)
    {
        $this->_debug = $debug;
    }

    /*private*/
    function debug($string)
    {
        if ($this->_debug) {
            echo "$string<br>";
            error_log($string);
        }
    }

    /*private*/
    function fatal($string)
    {
        $this->debug($string);
        //throw new Exception($string);
        $this->setError($string);
    }

    public function __construct(
                    $appid=null, $secret=null, $securityalgorithm=null,
                    $force_delauth_nonprovisioned=null,
                    $policyurl=null, $returnurl=null
                )
    {
        $this->setForceDelAuthNonProvisioned($force_delauth_nonprovisioned);
 
        if ($appid) {
            $this->setAppId($appid);
        }
        if ($secret) {
            $this->setSecret($secret);
        }
        if ($securityalgorithm) {
            $this->setSecurityAlgorithm($securityalgorithm);
        }
        if ($policyurl) {
            $this->setPolicyUrl($policyurl);
        }
        if ($returnurl) {
            $this->setReturnUrl($returnurl);
        }
    }

    /*public static*/
    function initFromXml($settingsFile)
    {
        $o = new WindowsLiveLogin();
        $settings = $o->parseSettings($settingsFile);
 
        if (@$settings['debug'] == 'true') {
            $o->setDebug(true);
        }
        else {
            $o->setDebug(false);
        }
 
        if (@$settings['force_delauth_nonprovisioned'] == 'true') {
            $o->setForceDelAuthNonProvisioned(true);
        }
        else {
            $o->setForceDelAuthNonProvisioned(false);
        }
 
        $o->setAppId(@$settings['appid']);
        $o->setSecret(@$settings['secret']);
        $o->setOldSecret(@$settings['oldsecret']);
        $o->setOldSecretExpiry(@$settings['oldsecretexpiry']);
        $o->setSecurityAlgorithm(@$settings['securityalgorithm']);
        $o->setPolicyUrl(@$settings['policyurl']);
        $o->setReturnUrl(@$settings['returnurl']);
        $o->setBaseUrl(@$settings['baseurl']);
        $o->setSecureUrl(@$settings['secureurl']);
        $o->setConsentBaseUrl(@$settings['consenturl']);
        return $o;
    }
 
    /*private*/
    var $_appid;

    /*public*/
    function setAppId($appid)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$appid) {
            if ($_force_delauth_nonprovisioned) {
                return;
            }
            $this->fatal('Error: setAppId: Null application ID.');
        }
        if (!preg_match('/^\w+$/', $appid)) {
            $this->fatal("Error: setAppId: Application ID must be alpha-numeric: $appid");
        }
        $this->_appid = $appid;
    }

    /*public*/
    function getAppId()
    {
        if (!$this->_appid) {
            $this->fatal('Error: getAppId: Application ID was not set. Aborting.');
        }
        return $this->_appid;
    }
 
    /*private*/
    var $_signkey;
    /*private*/
    var $_cryptkey;

    /*public*/
    function setSecret($secret)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$secret || (strlen($secret) < 16)) {
            if ($_force_delauth_nonprovisioned) {
                return;
            }
            $this->fatal("Error: setSecret: Secret key is expected to be non-null and longer than 16 characters.");
        }
 
        $this->_signkey  = $this->derive($secret, "SIGNATURE");
        $this->_cryptkey = $this->derive($secret, "ENCRYPTION");
    }
 
    /*private*/
    var $_oldsignkey;
    /*private*/
    var $_oldcryptkey;

    /*public*/
    function setOldSecret($secret)
    {
        if (!$secret) {
            return;
        }
        if (strlen($secret) < 16) {
            $this->fatal("Error: setOldSecret: Secret key is expected to be non-null and longer than 16 characters.");
        }
 
        $this->_oldsignkey  = $this->derive($secret, "SIGNATURE");
        $this->_oldcryptkey = $this->derive($secret, "ENCRYPTION");
    }
 
    /*private*/
    var $_oldsecretexpiry;

    /*public*/
    function setOldSecretExpiry($timestamp)
    {
        if (!$timestamp) {
            return;
        }
 
        if (!preg_match('/^\d+$/', $timestamp) || ($timestamp <= 0)) {
            $this->fatal('Error: setOldSecretExpiry Invalid timestamp: '
            . $timestamp);
        }
 
        $this->_oldsecretexpiry = $timestamp;
    }

    /*public*/
    function getOldSecretExpiry()
    {
        return $this->_oldsecretexpiry;
    }
 
    /*private*/
    var $_securityalgorithm;

    /*public*/
    function setSecurityAlgorithm($securityalgorithm)
    {
        $this->_securityalgorithm = $securityalgorithm;
    }

    /*public*/
    function getSecurityAlgorithm()
    {
        $securityalgorithm = $this->_securityalgorithm;
        if (!$securityalgorithm) {
            return 'wsignin1.0';
        }
        return $securityalgorithm;
    }
 
    /*private*/
    var $_force_delauth_nonprovisioned;

    /*public*/
    function setForceDelAuthNonProvisioned($force_delauth_nonprovisioned)
    {
        $this->_force_delauth_nonprovisioned = $force_delauth_nonprovisioned;
    }
 
    /*private*/
    var $_policyurl;

    /*public*/
    function setPolicyUrl($policyurl)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$policyurl) {
            if ($_force_delauth_nonprovisioned) {
                $this->fatal("Error: setPolicyUrl: Null policy URL given.");
            }
        }
        $this->_policyurl = $policyurl;
    }

    /*public*/
    function getPolicyUrl()
    {
        $policyurl = $this->_policyurl;
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$policyurl) {
            $this->debug("Warning: In the initial release of Delegated Auth, a Policy URL must be configured in the SDK for both provisioned and non-provisioned scenarios.");
            if ($_force_delauth_nonprovisioned) {
                $this->fatal("Error: getPolicyUrl: Policy URL must be set in a Del Auth non-provisioned scenario. Aborting.");
            }
        }
        return $policyurl;
    }
 
    /*private*/
    var $_returnurl;

    /*public*/
    function setReturnUrl($returnurl)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$returnurl) {
            if ($_force_delauth_nonprovisioned) {
                $this->fatal("Error: setReturnUrl: Null return URL given.");
            }
        }
        $this->_returnurl = $returnurl;
    }

    /*public*/
    function getReturnUrl()
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        $returnurl = $this->_returnurl;
        if (!$returnurl) {
            if ($_force_delauth_nonprovisioned) {
                $this->fatal("Error: getReturnUrl: Return URL must be set in a Del Auth non-provisioned scenario. Aborting.");
            }
        }
        return $returnurl;
    }
 
    /*private*/
    var $_baseurl;

    /*public*/
    function setBaseUrl($baseurl)
    {
        $this->_baseurl = $baseurl;
    }

    /*public*/
    function getBaseUrl()
    {
        $baseurl = $this->_baseurl;
        if (!$baseurl) {
            return "http://login.live.com/";
        }
        return $baseurl;
    }
 
    /*private*/
    var $_secureurl;

    /*public*/
    function setSecureUrl($secureurl)
    {
        $this->_secureurl = $secureurl;
    }

    /*public*/
    function getSecureUrl()
    {
        $secureurl = $this->_secureurl;
        if (!$secureurl) {
            return "https://login.live.com/";
        }
        return $secureurl;
    }
 
    /*private*/
    var $_consenturl;

    /*public*/
    function setConsentBaseUrl($consenturl)
    {
        $this->_consenturl = $consenturl;
    }

    /*public*/
    function getConsentBaseUrl()
    {
        $consenturl = $this->_consenturl;
        if (!$consenturl) {
            return "https://consent.live.com/";
        }
        return $consenturl;
    }
 
    /* Methods for Web Authentication support. */

    /*public*/
    function getLoginUrl($context=null, $market=null)
    {
        $url  = $this->getBaseUrl();
        $url .= 'wlogin.srf?appid=' . $this->getAppId();
        $url .= '&alg=' . $this->getSecurityAlgorithm();
        $url .= ($context ? '&appctx=' . urlencode($context) : '');
        $url .= ($market ? '&mkt=' . urlencode($market) : '');
        return $url;
    }

    /*public*/
    function getLogoutUrl($market=null)
    {
        $url = $this->getBaseUrl();
        $url .= "logout.srf?appid=" . $this->getAppId();
        $url .= ($market ? '&mkt=' . urlencode($market) : '');
        return $url;
    }

    /*public*/
    function processLogin($query)
    {
        $action = @$query['action'];
        if ($action != 'login') {
            $this->debug("Warning: processLogin: query action ignored: $action");
            return;
        }
        $token  = @$query['stoken'];
        $context = urldecode(@$query['appctx']);
        return $this->processToken($token, $context);
    }

    /*public*/
    function processToken($token, $context=null)
    {
        if (!$token) {
            $this->debug('Error: processToken: Invalid token specified.');
            return;
        }
 
        $decodedToken = $this->decodeAndValidateToken($token);
        if (!$decodedToken) {
            $this->debug("Error: processToken: Failed to decode/validate token: $token");
            return;
        }
 
        $parsedToken = $this->parse($decodedToken);
        if (!$parsedToken) {
            $this->debug("Error: processToken: Failed to parse token after decoding: $token");
            return;
        }
 
        $appid = $this->getAppId();
        $tokenappid = @$parsedToken['appid'];
        if ($appid != $tokenappid) {
            $this->debug("Error: processToken: Application ID in token did not match ours: $tokenappid, $appid");
            return;
        }
 
        $user = null;
 
        //try {
        $user = new WLL_User(@$parsedToken['ts'],
            @$parsedToken['uid'],
            @$parsedToken['flags'],
            $context, $token);
        //} catch (Exception $e) {
        if ($user->getError() !== false)
            $this->debug("Error: processToken: Contents of token considered invalid: " + $user->getError());
        //}
 
        return $user;
    }

    /*public*/
    function getClearCookieResponse()
    {
        $type = "image/gif";
        $content = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAEALAAAAAABAAEAAAIBTAA7";
        $content = base64_decode($content);
        return array($type, $content);
    }
 
    /* Methods for Delegated Authentication. */
 
    /*
    * Returns the consent URL to use for Delegated Authentication for
    * the given comma-delimited list of offers.
    *
    * If you specify it, 'context' will be returned as-is in the consent
    * response for site-specific use.
    *
    * The registered/configured return URL can also be overridden by
    * specifying 'ru' here.
    *
    * You can change the language in which the consent page is displayed
    * by specifying a culture ID (For example, 'fr-fr' or 'en-us') in the
    * 'market' parameter.
    */
    /*public*/
    function getConsentUrl($offers, $context=null, $ru=null, $market=null)
    {
        if (!$offers) {
            //throw new Exception('Error: getConsentUrl: Invalid offers list.');
            $this->setError('Error: getConsentUrl: Invalid offers list.');
            return false;
        }
        $url  = $this->getConsentBaseUrl();
        $url .= 'Delegation.aspx?ps=' . urlencode($offers);
        $ru = ($ru ? $ru : $this->getReturnUrl());
        $url .= ($ru ? '&ru=' . urlencode($ru) : '');
        $pl = $this->getPolicyUrl();
        $url .= ($pl ? '&pl=' . urlencode($pl) : '');
        $url .= ($market ? '&mkt=' . urlencode($market) : '');
        if (!$this->_force_delauth_nonprovisioned) {
            $url .= '&app=' . $this->getAppVerifier();
        }
        $url .= ($context ? '&appctx=' . urlencode($context) : '');
        return $url;
    }
 
    /*
    * Returns the URL to use to download a new consent token, given the
    * offers and refresh token.
    *
    * The registered/configured return URL can also be overridden by
    * specifying 'ru' here.
    */
    /*public*/
    function getRefreshConsentTokenUrl($offers, $refreshtoken, $ru=null)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$offers) {
            //throw new Exception('Error: getRefreshConsentTokenUrl: Invalid offers list.');
            $this->setError('Error: getRefreshConsentTokenUrl: Invalid offers list.');
            return false;
        }
        if (!$refreshtoken) {
            //throw new Exception('Error: getRefreshConsentTokenUrl: Invalid refresh token.');
            $this->setError('Error: getRefreshConsentTokenUrl: Invalid refresh token.');
            return false;
        }
 
        $url  = $this->getConsentBaseUrl();
        $url .= 'RefreshToken.aspx?ps=' . urlencode($offers);
        $url .= '&reft=' . $refreshtoken;
        $ru = ($ru ? $ru : $this->getReturnUrl());
        $url .= ($ru ? '&ru=' . urlencode($ru) : '');
 
        if (!$this->_force_delauth_nonprovisioned) {
            $url .= '&app=' . $this->getAppVerifier();
        }
 
        return $url;
    }
 
    /*
    * Returns the URL for the consent-management user interface.
    *
    * You can change the language in which the consent page is displayed
    * by specifying a culture ID (For example, 'fr-fr' or 'en-us') in the
    * 'market' parameter.
    */
    /*public*/
    function getManageConsentUrl($market=null)
    {
        $url  = $this->getConsentBaseUrl();
        $url .= 'ManageConsent.aspx';
        $url .= ($market ? '?mkt=' . urlencode($market) : '');
        return $url;
    }
 
    /*
    * Processes the POST response from the Delegated Authentication
    * service after a user has granted consent. The processConsent
    * function extracts the consent token string and returns the result
    * of invoking the processConsentToken method.
    */
    /*public*/
    function processConsent($query)
    {
        $action = @$query['action'];
        if ($action != 'delauth') {
            $this->debug("Warning: processConsent: query action ignored: $action");
            return;
        }
        $responsecode = @$query['ResponseCode'];
        if ($responsecode != 'RequestApproved') {
            $this->debug("Warning: processConsent: consent was not successfully granted: $responsecode");
            return;
        }
        $token  = @$query['ConsentToken'];
        $context = urldecode(@$query['appctx']);
        return $this->processConsentToken($token, $context);
    }
 
    /*
    * Processes the consent token string that is returned in the POST
    * response by the Delegated Authentication service after a
    * user has granted consent.
    */
    /*public*/
    function processConsentToken($token, $context=null)
    {
        if (!$token) {
            $this->debug('Error: processConsentToken: Null token.');
            return;
        }
 
        $decodedToken = $token;
        $parsedToken = $this->parse(urldecode($decodedToken));
        if (!$parsedToken) {
            $this->debug("Error: processConsentToken: Failed to parse token: $token");
            return;
        }
 
        $eact = @$parsedToken['eact'];
        if ($eact) {
            $decodedToken = $this->decodeAndValidateToken($eact);
            if (!$decodedToken) {
                $this->debug("Error: processConsentToken: Failed to decode/validate token: $token");
                return;
            }
            $parsedToken = $this->parse($decodedToken);
            if (!$parsedToken) {
                $this->debug("Error: processConsentToken: Failed to parse token after decoding: $token");
                return;
            }
            $decodedToken = urlencode($decodedToken);
        }
 
        $consenttoken = null;
 
        //try {
        $consenttoken = new WLL_ConsentToken($this,
            @$parsedToken['delt'],
            @$parsedToken['reft'],
            @$parsedToken['skey'],
            @$parsedToken['exp'],
            @$parsedToken['offer'],
            @$parsedToken['lid'],
            $context, $decodedToken, $token);
        //} catch (Exception $e) {
        if($consenttoken->getError() !== false)
            $this->debug("Error: processConsentToken: Contents of token considered invalid: " + $consenttoken->getError());
        //}
        return $consenttoken;
    }
 
    /*
    * Attempts to obtain a new, refreshed token and return it. The
    * original token is not modified.
    */
    /*public*/
    function refreshConsentToken($token, $ru=null)
    {
        if (!$token) {
            $this->debug("Error: refreshConsentToken: Null consent token.");
            return;
        }
        $this->refreshConsentToken2($token->getOffersString(), $token->getRefreshToken(), $ru);
    }
 
    /*
    * Helper function to obtain a new, refreshed token and return it.
    * The original token is not modified.
    */
    /*public*/
    function refreshConsentToken2($offers_string, $refreshtoken, $ru=null)
    {
        $body = $this->fetch($this->getRefreshConsentTokenUrl($offers_string, $refreshtoken, $ru));
        if (!$body) {
            $this->debug("Error: refreshConsentToken2: Failed to obtain a new token.");
            return;
        }
 
        preg_match('/\{"ConsentToken":"(.*)"\}/', $body, $matches);
        if(count($matches) == 2) {
            return $matches[1];
        }
        else {
            $this->debug("Error: refreshConsentToken2: Failed to extract token: $body");
            return;
        }
    }
 
    /* Common methods. */
 
    /*
    * Decodes and validates the token.
    */
    /*public*/
    function decodeAndValidateToken($token, $cryptkey=null, $signkey=null,
    $internal_allow_recursion=true)
    {
        if (!$cryptkey) {
            $cryptkey = $this->_cryptkey;
        }
        if (!$signkey) {
            $signkey = $this->_signkey;
        }
 
        $haveoldsecret = false;
        $oldsecretexpiry = $this->getOldSecretExpiry();
        $oldcryptkey = $this->_oldcryptkey;
        $oldsignkey = $this->_oldsignkey;
 
        if ($oldsecretexpiry and (time() < $oldsecretexpiry)) {
            if ($oldcryptkey and $oldsignkey) {
                $haveoldsecret = true;
            }
        }
        $haveoldsecret = ($haveoldsecret and $internal_allow_recursion);
 
        $stoken = $this->decodeToken($token, $cryptkey);
 
        if ($stoken) {
            $stoken = $this->validateToken($stoken, $signkey);
        }
 
        if (!$stoken and $haveoldsecret) {
            $this->debug("Warning: Failed to validate token with current secret, attempting old secret.");
            $stoken =
            $this->decodeAndValidateToken($token, $oldcryptkey, $oldsignkey, false);
        }
 
        return $stoken;
    }

    /*public*/
    function decodeToken($token, $cryptkey=null)
    {
        if (!$cryptkey) {
            $cryptkey = $this->_cryptkey;
        }
        if (!$cryptkey) {
            $this->fatal("Error: decodeToken: Secret key was not set. Aborting.");
        }
 
        $ivLen = 16;
        $token = $this->u64($token);
        $len = strlen($token);
 
        if (!$token || ($len <= $ivLen) || (($len % $ivLen) != 0)) {
            $this->debug("Error: decodeToken: Attempted to decode invalid token.");
            return;
        }
 
        $iv = substr($token, 0, 16);
        $crypted = substr($token, 16);
 
        return openssl_decrypt($crypted, "AES-128-CBC", $cryptkey, OPENSSL_RAW_DATA | OPENSSL_NO_PADDING, $iv);
    }

    /*public*/
    function signToken($token, $signkey=null)
    {
        if (!$signkey) {
            $signkey = $this->_signkey;
        }
        if (!$signkey) {
            $this->fatal("Error: signToken: Secret key was not set. Aborting.");
        }
 
        if (!$token) {
            $this->debug("Attempted to sign null token.");
            return;
        }
 
        return hash_hmac("sha256", $token, $signkey, true);
    }

    /*public*/
    function validateToken($token, $signkey=null)
    {
        if (!$signkey) {
            $signkey = $this->_signkey;
        }
        if (!$token) {
            $this->debug("Error: validateToken: Invalid token.");
            return;
        }
 
        $split = explode("&sig=", $token);
        if (count($split) != 2) {
            $this->debug("ERROR: validateToken: Invalid token: $token");
            return;
        }
        list($body, $sig) = $split;
 
        $sig = $this->u64($sig);
        if (!$sig) {
            $this->debug("Error: validateToken: Could not extract signature from token.");
            return;
        }
 
        $sig2 = $this->signToken($body, $signkey);
        if (!$sig2) {
            $this->debug("Error: validateToken: Could not generate signature for the token.");
            return;
        }
 
 
        if ($sig == $sig2) {
            return $token;
        }
 
        $this->debug("Error: validateToken: Signature did not match.");
        return;
    }
 
    /* Implementation of the methods needed to perform Windows Live
    application verification as well as trusted sign-in. */

    /*public*/
    function getAppVerifier($ip=null)
    {
        $token  = 'appid=' . $this->getAppId() . '&ts=' . $this->getTimestamp();
        $token .= ($ip ? "&ip={$ip}" : '');
        $token .= '&sig=' . $this->e64($this->signToken($token));
        return urlencode($token);
    }

    /*public*/
    function getAppLoginUrl($siteid=null, $ip=null, $js=null)
    {
        $url  = $this->getSecureUrl();
        $url .= 'wapplogin.srf?app=' . $this->getAppVerifier($ip);
        $url .= '&alg=' . $this->getSecurityAlgorithm();
        $url .= ($siteid ? "&id=$siteid" : '');
        $url .= ($js ? '&js=1' : '');
        return $url;
    }

    /*public*/
    function getAppSecurityToken($siteid=null, $ip=null)
    {
        $body = $this->fetch($this->getAppLoginUrl($siteid, $ip));
        if (!$body) {
            $this->debug("Error: getAppSecurityToken: Could not fetch the application security token.");
            return;
        }
 
        preg_match('/\{"token":"(.*)"\}/', $body, $matches);
        if(count($matches) == 2) {
            return $matches[1];
        }
        else {
            $this->debug("Error: getAppSecurityToken: Failed to extract token: $body");
            return;
        }
    }

    /*public*/
    function getAppRetCode()
    {
        return 'appid=' . $this->getAppId();
    }

    /*public*/
    function getTrustedParams($user, $retcode=null)
    {
        $token  = $this->getTrustedToken($user);
        if (!$token) {
            return;
        }
        $token = "<wst:RequestSecurityTokenResponse xmlns:wst=\"http://schemas.xmlsoap.org/ws/2005/02/trust\"><wst:RequestedSecurityToken><wsse:BinarySecurityToken xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">$token</wsse:BinarySecurityToken></wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"><wsa:EndpointReference xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\"><wsa:Address>uri:WindowsLiveID</wsa:Address></wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityTokenResponse>";
 
        $params = array();
        $params['wa']      = $this->getSecurityAlgorithm();
        $params['wresult'] = $token;
 
        if ($retcode) {
            $params['wctx'] = $retcode;
        }
 
        return $params;
    }

    /*public*/
    function getTrustedToken($user)
    {
        if (!$user) {
            $this->debug('Error: getTrustedToken: Null user specified.');
            return;
        }
 
        $token  = "appid=" . $this->getAppId() . "&uid=" . urlencode($user)
        . "&ts=". $this->getTimestamp();
        $token .= "&sig="  . $this->e64($this->signToken($token));
        return urlencode($token);
    }

    /*public*/
    function getTrustedLoginUrl()
    {
        return $this->getSecureUrl() . 'wlogin.srf';
    }

    /*public*/
    function getTrustedLogoutUrl()
    {
        return $this->getSecureUrl() . "logout.srf?appid=" + $this->getAppId();
    }
 
    /* Helper methods */

    /*private*/
    function parseSettings($settingsFile)
    {
        $settings = array(
            'appid' => '00163FFF8000E2C5',
            'secret' => '12345678901234567890',
            'securityalgorithm' => 'wsignin1.0',
        );
 
        return $settings;
 
        $doc = new DOMDocument();
        if (!$doc->load($settingsFile)) {
            $this->fatal("Error: parseSettings: Error while reading $settingsFile");
        }
 
        $nl = $doc->getElementsByTagName('windowslivelogin');
        if($nl->length != 1) {
            $this->fatal("error: parseSettings: Failed to parse settings file:"
            . $settingsFile);
        }
 
        $topnode = $nl->item(0);
        foreach ($topnode->childNodes as $node) {
            if ($node->nodeType == XML_ELEMENT_NODE) {
                $firstChild = $node->firstChild;
                if (!$firstChild) {
                    $this->fatal("error: parseSettings: Failed to parse settings file:"
                    . $settingsFile);
                }
                $settings[$node->nodeName] = $firstChild->nodeValue;
            }
        }
 
        return $settings;
    }

    /*private*/
    function derive($secret, $prefix)
    {
        if (!$secret || !$prefix) {
            $this->fatal("Error: derive: secret or prefix is null.");
        }
 
        $keyLen = 16;
        $key = $prefix . $secret;
 
        $key = hash("sha256", $key, true);
 
        if (!$key || (strlen($key) < $keyLen)) {
            $this->debug("Error: derive: Unable to derive key.");
            return;
        }
 
        return substr($key, 0, $keyLen);
    }

    /*private*/
    function parse($input)
    {
        if (!$input) {
            $this->debug("Error: parse: Null input.");
            return;
        }
 
        $input = explode('&', $input);
        $pairs = array();
 
        foreach ($input as $pair) {
            $kv = explode('=', $pair);
            if (count($kv) != 2) {
                $this->debug("Error: parse: Bad input to parse: " . $pair);
                return;
            }
            $pairs[$kv[0]] = $kv[1];
        }
 
        return $pairs;
    }

    /*private*/
    function getTimestamp()
    {
        return time();
    }

    /*private*/
    function e64($input)
    {
        if (is_null($input)) {
            return;
        }
        return urlencode(base64_encode($input));
    }

    /*private*/
    function u64($input)
    {
        if(is_null($input))
            return;
        return base64_decode(urldecode($input));
    }

    /*private*/
    function fetch($url)
    {
        /*
        if (!($handle = fopen($url, "rb"))) {
            WindowsLiveLogin::debug("error: fetch: Could not open url: $url");
            return;
        }
 
        if (!($contents = stream_get_contents($handle))) {
            WindowsLiveLogin::debug("Error: fetch: Could not read from url: $url");
        }
 
        fclose($handle);
        */
 
        //$str = $url."\n\n".$contents."\n\n\n";
        //file_put_contents(__FILE__ . '.ftech.log', $str, FILE_APPEND);
 
        $http = new \Bitrix\Main\Web\HttpClient([
            "redirect" => false,
        ]);
        $contents = $http->get($url);
 
        return $contents;
    }
 
    var $_error = false;
 
    function setError($str)
    {
        $this->_error = $str;
    }
 
    function getError()
    {
        if ($this->_error !== false)
        {
            return $this->_error;
        }
    }
 
    function OnExternalAuthList()
    {
        $arResult = Array();
        if (
            COption::GetOptionString('main', 'new_user_registration', 'Y') == 'Y' &&
            COption::GetOptionString('main', 'auth_liveid', 'N') == 'Y'
        )
        {
            $arResult[] = Array(
                'ID' => 'LIVEID',
                'NAME' => 'LiveID',
                );
        }
        return $arResult;
    }
 
    public static function IsAvailable()
    {
        return function_exists('hash');
    }
}