@alchemycs
Created November 24, 2011 03:16
Server side validation of browser id assertions
<?php
/**
 * Server side validation of browser id assertions
 *
 * @author @AlchemyCS <https://github.com/alchemycs>
 * @see GitHub <https://gist.github.com/alchemycs>
 * @see Mozilla Browser ID <https://browserid.org>
 *
 */
//Use your favourite framework (hello agavi.org!) to validate and retrieve this:
$assertion = $_POST['assertion'];
$hCurl = curl_init("https://browserid.org/verify");
if (!$hCurl) {
    throw new Exception('Unable to initialise curl');
}
$browserIDParams = array(
    'assertion' => $assertion,
    'audience' => $_SERVER['SCRIPT_URI']);
curl_setopt($hCurl, CURLOPT_POST, true);
curl_setopt($hCurl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($hCurl, CURLOPT_HEADER, false);
//http_build_query() URL-encodes both values; the assertion is untrusted input
curl_setopt($hCurl, CURLOPT_POSTFIELDS, http_build_query($browserIDParams, '', '&'));
//Maybe your dev machine doesn't have SSL certs etc... Never disable this in production:
//the verifier's answer can only be trusted over a verified TLS connection.
//curl_setopt($hCurl, CURLOPT_SSL_VERIFYPEER, false);
$body = curl_exec($hCurl);
if ($body === false) {
    //Transport errors are only known after curl_exec() has run
    $error_no = curl_errno($hCurl);
    $error = curl_error($hCurl);
    throw new Exception("Curl error: $error ($error_no)");
}
$response = json_decode($body);
if (!$response) {
    throw new Exception('Unable to parse response');
}
if ($response->status == 'okay') {
    //W00t! Now you can use your framework's authentication to sign in the user
    $signInWith = $response->email; //You should probably sanitise this before asking your database to do stuff with it
    /*
    You may also want to double check $response->expires, $response->audience
    and $response->issuer
    */
}
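
The checks the closing comment suggests ($response->expires, $response->audience, $response->issuer), together with validation of the email, as an added example that is not part of the original gist. EXPECTED_AUDIENCE, EXPECTED_ISSUER, the function name and the sample responses are assumptions made for illustration, as is treating expires as a Unix timestamp in milliseconds.

```php
<?php
// Added example: checks on the decoded verifier response before signing a user in.
// Both constants are assumed, site-specific values.
const EXPECTED_AUDIENCE = 'https://example.org'; // placeholder: your own origin, hard-coded
const EXPECTED_ISSUER   = 'browserid.org';       // assumption: the only issuer you accept

/**
 * Returns the validated email address or throws.
 * Assumes $response->expires is a Unix timestamp in milliseconds.
 */
function checkVerifierResponse($response, int $nowMs): string
{
    if (!is_object($response) || ($response->status ?? null) !== 'okay') {
        throw new RuntimeException('Assertion rejected by verifier');
    }
    // The audience must be exactly this site, not a value taken from the request.
    $audience = $response->audience ?? null;
    if (!is_string($audience) || !hash_equals(EXPECTED_AUDIENCE, $audience)) {
        throw new RuntimeException('Audience mismatch');
    }
    if (($response->issuer ?? null) !== EXPECTED_ISSUER) {
        throw new RuntimeException('Unexpected issuer');
    }
    // A missing, non-numeric or past expiry is treated as expired.
    $expires = $response->expires ?? null;
    if ((!is_int($expires) && !is_float($expires)) || $expires <= $nowMs) {
        throw new RuntimeException('Assertion expired');
    }
    // Reject anything that is not a syntactically valid address before it reaches the database.
    $email = filter_var($response->email ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new RuntimeException('Malformed email in response');
    }
    return $email;
}

// Constructed sample responses (not real verifier output) and a fixed clock.
$nowMs = 1322104560000;
$samples = [
    'valid'          => '{"status":"okay","email":"user@example.org","audience":"https://example.org","expires":1322104860000,"issuer":"browserid.org"}',
    'wrong audience' => '{"status":"okay","email":"user@example.org","audience":"https://other.example","expires":1322104860000,"issuer":"browserid.org"}',
    'expired'        => '{"status":"okay","email":"user@example.org","audience":"https://example.org","expires":1322104500000,"issuer":"browserid.org"}',
];
foreach ($samples as $name => $json) {
    try {
        echo $name, ': ', checkVerifierResponse(json_decode($json), $nowMs), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $name, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

In the gist's flow this would be called as checkVerifierResponse($response, (int) round(microtime(true) * 1000)) in place of the bare status comparison.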