5 * OpenID utility functions.
9 * Diffie-Hellman Key Exchange Default Value.
11 * This is used to establish an association between the Relying Party and the
14 * See RFC 2631: http://www.ietf.org/rfc/rfc2631.txt
16 define('OPENID_DH_DEFAULT_MOD', '155172898181473697471232257763715539915724801' .
17 '966915404479707795314057629378541917580651227423698188993727816152646631' .
18 '438561595825688188889951272158842675419950341258706556549803580104870537' .
19 '681476726513255747040765857479291291572334510643245094715007229621094194' .
20 '349783925984760375594985848253359305585439638443');
23 * Diffie-Hellman generator; used for Diffie-Hellman key exchange computations.
25 define('OPENID_DH_DEFAULT_GEN', '2');
28 * SHA-1 hash block size; used for Diffie-Hellman key exchange computations.
30 define('OPENID_SHA1_BLOCKSIZE', 64);
33 * Random number generator; used for Diffie-Hellman key exchange computations.
35 define('OPENID_RAND_SOURCE', '/dev/urandom');
38 * OpenID Authentication 2.0 namespace URL.
40 define('OPENID_NS_2_0', 'http://specs.openid.net/auth/2.0');
43 * OpenID Authentication 1.1 namespace URL; used for backwards-compatibility.
45 define('OPENID_NS_1_1', 'http://openid.net/signon/1.1');
48 * OpenID Authentication 1.0 namespace URL; used for backwards-compatibility.
50 define('OPENID_NS_1_0', 'http://openid.net/signon/1.0');
53 * OpenID namespace used in Yadis documents.
55 define('OPENID_NS_OPENID', 'http://openid.net/xmlns/1.0');
58 * OpenID Simple Registration extension.
60 define('OPENID_NS_SREG', 'http://openid.net/extensions/sreg/1.1');
63 * OpenID Attribute Exchange extension.
65 define('OPENID_NS_AX', 'http://openid.net/srv/ax/1.0');
68 * Extensible Resource Descriptor documents.
70 define('OPENID_NS_XRD', 'xri://$xrd*($v*2.0)');
73 * Performs an HTTP 302 redirect (for the 1.x protocol).
75 function openid_redirect_http($url, $message) {
77 foreach ($message as $key => $val) {
78 $query[] = $key . '=' . urlencode($val);
81 $sep = (strpos($url, '?') === FALSE) ? '?' : '&';
82 header('Location: ' . $url . $sep . implode('&', $query), TRUE, 302);
88 * Creates a js auto-submit redirect for (for the 2.x protocol)
90 function openid_redirect($url, $message) {
93 $output = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">' . "\n";
94 $output .= '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="' . $language->language . '" lang="' . $language->language . '">' . "\n";
95 $output .= "<head>\n";
96 $output .= "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n";
97 $output .= "<title>" . t('OpenID redirect') . "</title>\n";
98 $output .= "</head>\n";
99 $output .= "<body>\n";
100 $elements = drupal_get_form('openid_redirect_form', $url, $message);
101 $output .= drupal_render($elements);
102 $output .= '<script type="text/javascript">document.getElementById("openid-redirect-form").submit();</script>' . "\n";
103 $output .= "</body>\n";
104 $output .= "</html>\n";
110 function openid_redirect_form($form, &$form_state, $url, $message) {
111 $form['#action'] = $url;
112 $form['#method'] = "post";
113 foreach ($message as $key => $value) {
120 $form['actions'] = array('#type' => 'actions');
121 $form['actions']['submit'] = array(
123 '#prefix' => '<noscript><div>',
124 '#suffix' => '</div></noscript>',
125 '#value' => t('Send'),
132 * Parse an XRDS document.
135 * A string containing the XRDS document.
137 * An array of service entries.
139 function _openid_xrds_parse($raw_xml) {
142 // For PHP version >= 5.2.11, we can use this function to protect against
143 // malicious doctype declarations and other unexpected entity loading.
144 // However, we will not rely on it, and reject any XML with a DOCTYPE.
145 $disable_entity_loader = function_exists('libxml_disable_entity_loader');
146 if ($disable_entity_loader) {
147 $load_entities = libxml_disable_entity_loader(TRUE);
150 // Load the XML into a DOM document.
151 $dom = new DOMDocument();
152 @$dom->loadXML($raw_xml);
154 // Since DOCTYPE declarations from an untrusted source could be malicious, we
155 // stop parsing here and treat the XML as invalid since XRDS documents do not
156 // require, and are not expected to have, a DOCTYPE.
157 if (isset($dom->doctype)) {
161 // Also stop parsing if there is an unreasonably large number of tags.
162 if ($dom->getElementsByTagName('*')->length > variable_get('openid_xrds_maximum_tag_count', 30000)) {
166 // Parse the DOM document for the information we need.
167 if ($xml = simplexml_import_dom($dom)) {
168 foreach ($xml->children(OPENID_NS_XRD)->XRD as $xrd) {
169 foreach ($xrd->children(OPENID_NS_XRD)->Service as $service_element) {
171 'priority' => $service_element->attributes()->priority ? (int)$service_element->attributes()->priority : PHP_INT_MAX,
173 'uri' => (string)$service_element->children(OPENID_NS_XRD)->URI,
174 'service' => $service_element,
177 foreach ($service_element->Type as $type) {
178 $service['types'][] = (string)$type;
180 if ($service_element->children(OPENID_NS_XRD)->LocalID) {
181 $service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->LocalID;
183 elseif ($service_element->children(OPENID_NS_OPENID)->Delegate) {
184 $service['identity'] = (string)$service_element->children(OPENID_NS_OPENID)->Delegate;
187 $service['identity'] = FALSE;
189 $services[] = $service;
194 // Return the LIBXML options to the previous state before returning.
195 if ($disable_entity_loader) {
196 libxml_disable_entity_loader($load_entities);
203 * Select a service element.
205 * The procedure is described in OpenID Authentication 2.0, section 7.3.2.
207 * A new entry is added to the returned array with the key 'version' and the
208 * value 1 or 2 specifying the protocol version used by the service.
211 * An array of service arrays as returned by openid_discovery().
213 * The selected service array, or NULL if no valid services were found.
215 function _openid_select_service(array $services) {
216 // Extensible Resource Identifier (XRI) Resolution Version 2.0, section 4.3.3:
217 // Find the service with the highest priority (lowest integer value). If there
218 // is a tie, select a random one, not just the first in the XML document.
220 $selected_service = NULL;
221 $selected_type_priority = FALSE;
223 // Search for an OP Identifier Element.
224 foreach ($services as $service) {
225 if (!empty($service['uri'])) {
226 $type_priority = FALSE;
227 if (in_array('http://specs.openid.net/auth/2.0/server', $service['types'])) {
228 $service['version'] = 2;
231 elseif (in_array('http://specs.openid.net/auth/2.0/signon', $service['types'])) {
232 $service['version'] = 2;
235 elseif (in_array(OPENID_NS_1_0, $service['types']) || in_array(OPENID_NS_1_1, $service['types'])) {
236 $service['version'] = 1;
241 && (!$selected_service
242 || $type_priority < $selected_type_priority
243 || ($type_priority == $selected_type_priority && $service['priority'] < $selected_service['priority']))) {
244 $selected_service = $service;
245 $selected_type_priority = $type_priority;
250 if ($selected_service) {
251 // Unset SimpleXMLElement instances that cannot be saved in $_SESSION.
252 unset($selected_service['xrd']);
253 unset($selected_service['service']);
256 return $selected_service;
260 * Determine if the given identifier is an XRI ID.
262 function _openid_is_xri($identifier) {
263 // Strip the xri:// scheme from the identifier if present.
264 if (stripos($identifier, 'xri://') === 0) {
265 $identifier = substr($identifier, 6);
268 // Test whether the identifier starts with an XRI global context symbol or (.
269 $firstchar = substr($identifier, 0, 1);
270 if (strpos("=@+$!(", $firstchar) !== FALSE) {
278 * Normalize the given identifier.
280 * The procedure is described in OpenID Authentication 2.0, section 7.2.
282 function openid_normalize($identifier) {
283 $methods = module_invoke_all('openid_normalization_method_info');
284 drupal_alter('openid_normalization_method_info', $methods);
286 // Execute each method in turn, stopping after the first method accepted
288 foreach ($methods as $method) {
289 $result = $method($identifier);
290 if ($result !== NULL) {
291 $identifier = $result;
300 * OpenID normalization method: normalize XRI identifiers.
302 function _openid_xri_normalize($identifier) {
303 if (_openid_is_xri($identifier)) {
304 if (stristr($identifier, 'xri://') !== FALSE) {
305 $identifier = substr($identifier, 6);
312 * OpenID normalization method: normalize URL identifiers.
314 function _openid_url_normalize($url) {
315 $normalized_url = $url;
317 if (stristr($url, '://') === FALSE) {
318 $normalized_url = 'http://' . $url;
321 // Strip the fragment and fragment delimiter if present.
322 $normalized_url = strtok($normalized_url, '#');
324 if (substr_count($normalized_url, '/') < 3) {
325 $normalized_url .= '/';
328 return $normalized_url;
332 * Create a serialized message packet as per spec: $key:$value\n .
334 function _openid_create_message($data) {
337 foreach ($data as $key => $value) {
338 if ((strpos($key, ':') !== FALSE) || (strpos($key, "\n") !== FALSE) || (strpos($value, "\n") !== FALSE)) {
341 $serialized .= "$key:$value\n";
347 * Encode a message from _openid_create_message for HTTP Post
349 function _openid_encode_message($message) {
350 $encoded_message = '';
352 $items = explode("\n", $message);
353 foreach ($items as $item) {
354 $parts = explode(':', $item, 2);
356 if (count($parts) == 2) {
357 if ($encoded_message != '') {
358 $encoded_message .= '&';
360 $encoded_message .= rawurlencode(trim($parts[0])) . '=' . rawurlencode(trim($parts[1]));
364 return $encoded_message;
368 * Convert a direct communication message
369 * into an associative array.
371 function _openid_parse_message($message) {
372 $parsed_message = array();
374 $items = explode("\n", $message);
375 foreach ($items as $item) {
376 $parts = explode(':', $item, 2);
378 if (count($parts) == 2) {
379 $parsed_message[$parts[0]] = $parts[1];
383 return $parsed_message;
387 * Return a nonce value - formatted per OpenID spec.
389 * NOTE: This nonce is not cryptographically secure and only suitable for use
390 * by the test framework.
392 function _openid_nonce() {
393 // YYYY-MM-DDThh:mm:ssZ, plus some optional extra unique characters.
394 return gmdate('Y-m-d\TH:i:s\Z') .
395 chr(mt_rand(0, 25) + 65) .
396 chr(mt_rand(0, 25) + 65) .
397 chr(mt_rand(0, 25) + 65) .
398 chr(mt_rand(0, 25) + 65);
402 * Pull the href attribute out of an html link element.
404 function _openid_link_href($rel, $html) {
405 $rel = preg_quote($rel);
406 preg_match('|<link\s+rel=["\'](.*)' . $rel . '(.*)["\'](.*)/?>|iUs', $html, $matches);
407 if (isset($matches[3])) {
408 preg_match('|href=["\']([^"]+)["\']|iU', $matches[3], $href);
409 return trim($href[1]);
415 * Pull the http-equiv attribute out of an html meta element
417 function _openid_meta_httpequiv($equiv, $html) {
418 preg_match('|<meta\s+http-equiv=["\']' . $equiv . '["\'](.*)/?>|iUs', $html, $matches);
419 if (isset($matches[1])) {
420 preg_match('|content=["\']([^"]+)["\']|iUs', $matches[1], $content);
421 if (isset($content[1])) {
429 * Sign certain keys in a message
430 * @param $association - object loaded from openid_association or openid_server_association table
431 * - important fields are ->assoc_type and ->mac_key
432 * @param $message_array - array of entire message about to be sent
433 * @param $keys_to_sign - keys in the message to include in signature (without
434 * 'openid.' appended)
436 function _openid_signature($association, $message_array, $keys_to_sign) {
438 $sign_data = array();
440 foreach ($keys_to_sign as $key) {
441 if (isset($message_array['openid.' . $key])) {
442 $sign_data[$key] = $message_array['openid.' . $key];
446 $message = _openid_create_message($sign_data);
447 $secret = base64_decode($association->mac_key);
448 $signature = _openid_hmac($secret, $message);
450 return base64_encode($signature);
453 function _openid_hmac($key, $text) {
454 if (strlen($key) > OPENID_SHA1_BLOCKSIZE) {
455 $key = sha1($key, TRUE);
458 $key = str_pad($key, OPENID_SHA1_BLOCKSIZE, chr(0x00));
459 $ipad = str_repeat(chr(0x36), OPENID_SHA1_BLOCKSIZE);
460 $opad = str_repeat(chr(0x5c), OPENID_SHA1_BLOCKSIZE);
461 $hash1 = sha1(($key ^ $ipad) . $text, TRUE);
462 $hmac = sha1(($key ^ $opad) . $hash1, TRUE);
467 function _openid_dh_base64_to_long($str) {
468 $b64 = base64_decode($str);
470 return _openid_dh_binary_to_long($b64);
473 function _openid_dh_long_to_base64($str) {
474 return base64_encode(_openid_dh_long_to_binary($str));
477 function _openid_dh_binary_to_long($str) {
478 $bytes = array_merge(unpack('C*', $str));
481 foreach ($bytes as $byte) {
482 $n = _openid_math_mul($n, pow(2, 8));
483 $n = _openid_math_add($n, $byte);
489 function _openid_dh_long_to_binary($long) {
490 $cmp = _openid_math_cmp($long, 0);
501 while (_openid_math_cmp($long, 0) > 0) {
502 array_unshift($bytes, _openid_math_mod($long, 256));
503 $long = _openid_math_div($long, pow(2, 8));
506 if ($bytes && ($bytes[0] > 127)) {
507 array_unshift($bytes, 0);
511 foreach ($bytes as $byte) {
512 $string .= pack('C', $byte);
518 function _openid_dh_xorsecret($shared, $secret) {
519 $dh_shared_str = _openid_dh_long_to_binary($shared);
520 $sha1_dh_shared = sha1($dh_shared_str, TRUE);
522 for ($i = 0; $i < strlen($secret); $i++) {
523 $xsecret .= chr(ord($secret[$i]) ^ ord($sha1_dh_shared[$i]));
529 function _openid_dh_rand($stop) {
530 $duplicate_cache = &drupal_static(__FUNCTION__, array());
532 // Used as the key for the duplicate cache
533 $rbytes = _openid_dh_long_to_binary($stop);
535 if (isset($duplicate_cache[$rbytes])) {
536 list($duplicate, $nbytes) = $duplicate_cache[$rbytes];
539 if ($rbytes[0] == "\x00") {
540 $nbytes = strlen($rbytes) - 1;
543 $nbytes = strlen($rbytes);
546 $mxrand = _openid_math_pow(256, $nbytes);
548 // If we get a number less than this, then it is in the
550 $duplicate = _openid_math_mod($mxrand, $stop);
552 if (count($duplicate_cache) > 10) {
553 $duplicate_cache = array();
556 $duplicate_cache[$rbytes] = array($duplicate, $nbytes);
560 $bytes = "\x00" . drupal_random_bytes($nbytes);
561 $n = _openid_dh_binary_to_long($bytes);
562 // Keep looping if this value is in the low duplicated range.
563 } while (_openid_math_cmp($n, $duplicate) < 0);
565 return _openid_math_mod($n, $stop);
568 function _openid_get_bytes($num_bytes) {
569 return drupal_random_bytes($num_bytes);
572 function _openid_response($str = NULL) {
575 if (isset($_SERVER['REQUEST_METHOD'])) {
576 $data = _openid_get_params($_SERVER['QUERY_STRING']);
578 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
579 $str = file_get_contents('php://input');
582 if ($str !== FALSE) {
583 $post = _openid_get_params($str);
586 $data = array_merge($data, $post);
593 function _openid_get_params($str) {
594 $chunks = explode("&", $str);
597 foreach ($chunks as $chunk) {
598 $parts = explode("=", $chunk, 2);
600 if (count($parts) == 2) {
601 list($k, $v) = $parts;
602 $data[$k] = urldecode($v);
609 * Extract all the parameters belonging to an extension in a response message.
611 * OpenID 2.0 defines a simple extension mechanism, based on a namespace prefix.
613 * Each request or response can define a prefix using:
615 * openid.ns.[prefix] = [extension_namespace]
616 * openid.[prefix].[key1] = [value1]
617 * openid.[prefix].[key2] = [value2]
621 * This function extracts all the keys belonging to an extension namespace in a
622 * response, optionally using a fallback prefix if none is provided in the response.
624 * Note that you cannot assume that a given extension namespace will use the same
625 * prefix on the response and the request: each party may use a different prefix
626 * to refer to the same namespace.
629 * The response array.
630 * @param $extension_namespace
631 * The namespace of the extension.
632 * @param $fallback_prefix
633 * An optional prefix that will be used in case no prefix is found for the
634 * target extension namespace.
635 * @param $only_signed
636 * Return only keys that are included in the message signature in openid.sig.
637 * Unsigned fields may have been modified or added by other parties than the
641 * An associative array containing all the parameters in the response message
642 * that belong to the extension. The keys are stripped from their namespace
645 * @see http://openid.net/specs/openid-authentication-2_0.html#extensions
647 function openid_extract_namespace($response, $extension_namespace, $fallback_prefix = NULL, $only_signed = FALSE) {
648 $signed_keys = explode(',', $response['openid.signed']);
650 // Find the namespace prefix.
651 $prefix = $fallback_prefix;
652 foreach ($response as $key => $value) {
653 if ($value == $extension_namespace && preg_match('/^openid\.ns\.([^.]+)$/', $key, $matches)) {
654 $prefix = $matches[1];
655 if ($only_signed && !in_array('ns.' . $matches[1], $signed_keys)) {
656 // The namespace was defined but was not signed as required. In this
657 // case we do not fall back to $fallback_prefix.
664 // Now extract the namespace keys from the response.
666 if (!isset($prefix)) {
669 foreach ($response as $key => $value) {
670 if (preg_match('/^openid\.' . $prefix . '\.(.+)$/', $key, $matches)) {
671 $local_key = $matches[1];
672 if (!$only_signed || in_array($prefix . '.' . $local_key, $signed_keys)) {
673 $output[$local_key] = $value;
682 * Extracts values from an OpenID AX Response.
684 * The values can be returned in two forms:
685 * - only openid.ax.value.<alias> (for single-valued answers)
686 * - both openid.ax.count.<alias> and openid.ax.value.<alias>.<count> (for both
687 * single and multiple-valued answers)
690 * An array as returned by openid_extract_namespace(..., OPENID_NS_AX).
692 * An array of identifier URIs.
694 * An array of values.
695 * @see http://openid.net/specs/openid-attribute-exchange-1_0.html#fetch_response
697 function openid_extract_ax_values($values, $uris) {
699 foreach ($values as $key => $value) {
700 if (in_array($value, $uris) && preg_match('/^type\.([^.]+)$/', $key, $matches)) {
701 $alias = $matches[1];
702 if (isset($values['count.' . $alias])) {
703 for ($i = 1; $i <= $values['count.' . $alias]; $i++) {
704 $output[] = $values['value.' . $alias . '.' . $i];
707 elseif (isset($values['value.' . $alias])) {
708 $output[] = $values['value.' . $alias];
717 * Determine the available math library GMP vs. BCMath, favouring GMP for performance.
719 function _openid_get_math_library() {
720 // Not drupal_static(), because a function is not going to disappear and
721 // change the output of this under any circumstances.
724 if (empty($library)) {
725 if (function_exists('gmp_add')) {
728 elseif (function_exists('bcadd')) {
737 * Calls the add function from the available math library for OpenID.
739 function _openid_math_add($x, $y) {
740 $library = _openid_get_math_library();
743 return gmp_strval(gmp_add($x, $y));
745 return bcadd($x, $y);
750 * Calls the mul function from the available math library for OpenID.
752 function _openid_math_mul($x, $y) {
753 $library = _openid_get_math_library();
756 return gmp_mul($x, $y);
758 return bcmul($x, $y);
763 * Calls the div function from the available math library for OpenID.
765 function _openid_math_div($x, $y) {
766 $library = _openid_get_math_library();
769 return gmp_div($x, $y);
771 return bcdiv($x, $y);
776 * Calls the cmp function from the available math library for OpenID.
778 function _openid_math_cmp($x, $y) {
779 $library = _openid_get_math_library();
782 return gmp_cmp($x, $y);
784 return bccomp($x, $y);
789 * Calls the mod function from the available math library for OpenID.
791 function _openid_math_mod($x, $y) {
792 $library = _openid_get_math_library();
795 return gmp_mod($x, $y);
797 return bcmod($x, $y);
802 * Calls the pow function from the available math library for OpenID.
804 function _openid_math_pow($x, $y) {
805 $library = _openid_get_math_library();
808 return gmp_pow($x, $y);
810 return bcpow($x, $y);
815 * Calls the mul function from the available math library for OpenID.
817 function _openid_math_powmod($x, $y, $z) {
818 $library = _openid_get_math_library();
821 return gmp_powm($x, $y, $z);
823 return bcpowmod($x, $y, $z);
828 * Provides transition for accounts with possibly invalid OpenID identifiers in authmap.
830 * This function provides a less safe but more unobtrusive procedure for users
831 * who cannot login with their OpenID identifiers. OpenID identifiers in the
832 * authmap could be incomplete due to invalid OpenID implementation in previous
833 * versions of Drupal (e.g. fragment part of the identifier could be missing).
834 * For more information see http://drupal.org/node/1120290.
836 * @param string $identity
837 * The user's claimed OpenID identifier.
840 * A fully-loaded user object if the user is found or FALSE if not found.
842 function _openid_invalid_openid_transition($identity, $response) {
844 $fallback_account = NULL;
845 $fallback_identity = $identity;
847 // Try to strip the fragment if it is present.
848 if (strpos($fallback_identity, '#') !== FALSE) {
849 $fallback_identity = preg_replace('/#.*/', '', $fallback_identity);
850 $fallback_account = user_external_load($fallback_identity);
853 // Try to replace HTTPS with HTTP. OpenID providers often redirect
854 // from http to https, but Drupal didn't follow the redirect.
855 if (!$fallback_account && strpos($fallback_identity, 'https://') !== FALSE) {
856 $fallback_identity = str_replace('https://', 'http://', $fallback_identity);
857 $fallback_account = user_external_load($fallback_identity);
860 // Try to use original identifier.
861 if (!$fallback_account && isset($_SESSION['openid']['user_login_values']['openid_identifier'])) {
862 $fallback_identity = openid_normalize($_SESSION['openid']['user_login_values']['openid_identifier']);
863 $fallback_account = user_external_load($fallback_identity);
866 if ($fallback_account) {
867 // Try to extract e-mail address from Simple Registration (SREG) or
868 // Attribute Exchanges (AX) keys.
870 $sreg_values = openid_extract_namespace($response, OPENID_NS_SREG, 'sreg', TRUE);
871 $ax_values = openid_extract_namespace($response, OPENID_NS_AX, 'ax', TRUE);
872 if (!empty($sreg_values['email']) && valid_email_address($sreg_values['email'])) {
873 $email = $sreg_values['email'];
875 elseif ($ax_mail_values = openid_extract_ax_values($ax_values, array('http://axschema.org/contact/email', 'http://schema.openid.net/contact/email'))) {
876 $email = current($ax_mail_values);
879 // If this e-mail address is the same as the e-mail address found in user
880 // account, login the user and update the claimed identifier.
881 if ($email && ($email == $fallback_account->mail || $email == $fallback_account->init)) {
882 $query = db_insert('authmap')
884 'authname' => $identity,
885 'uid' => $fallback_account->uid,
886 'module' => 'openid',
889 drupal_set_message(t('New OpenID identifier %identity was added as a replacement for invalid identifier %invalid_identity. To finish the invalid OpenID transition process, please go to your <a href="@openid_url">OpenID identities page</a> and remove the old identifier %invalid_identity.', array('%invalid_identity' => $fallback_identity, '%identity' => $identity, '@openid_url' => 'user/' . $fallback_account->uid . '/openid')));
890 // Set the account to the found one.
891 $account = $fallback_account;
894 drupal_set_message(t('There is already an existing account associated with the OpenID identifier that you have provided. However, due to a bug in the previous version of the authentication system, we can\'t be sure that this account belongs to you. If you are new on this site, please continue registering the new user account. If you already have a registered account on this site associated with the provided OpenID identifier, please try to <a href="@url_password">reset the password</a> or contact the site administrator.', array('@url_password' => 'user/password')), 'warning');