
Friends, recently it became necessary to set up authorization through social networks for a forum. Of all the plugins that could be found to match the requirements, only the Loginza plugin fit. For those who do not know:
Loginza is an identification system that provides unified access to popular web services. With a Loginza account you can visit a large number of blogs and forums that support OpenID login and the Loginza widget, which means you do not need to go through the same kind of registration on every resource or keep contact and other profile information up to date on each site.

After reading a little about it, I was very happy: just what we needed. Installation on the local machine took almost one click, and everything worked perfectly. But after moving to the real production server, authorization and registration for some reason stopped working. When I tried to log in, the forum said that the user was identified, but on the next visit to the forum the authorization was gone. After sitting for a couple of hours and digging through the code, I found the cause of the problem.
By the way, I want to note right away that this solution weakens security a little, since the safe token check mode is disabled in it. I will not describe my theories about how I came to this; I will turn straight to the API. We are interested in this item (Checking the token via Loginza.API).
It says that, to confirm a successful authorization, you need to make a request to the URL:
loginza.ru/api/authinfo?token=[TOKEN_KEY_VALUE]&id=[WIDGET_ID]&sig=[API_SIGNATURE]
where:
[TOKEN_KEY_VALUE] - the token value to be checked;
[WIDGET_ID] - widget ID;
[API_SIGNATURE] - API request signature. It is calculated as the MD5 of the token value concatenated with the widget's private key. Example: md5(token + skey).
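A sketch of the signed request the API description above calls for, as an added example that is not code from the Loginza plugin or from this post. The function names and the sample token, widget ID and key are hypothetical, constructed values; the signature follows the md5(token + skey) rule quoted above.

```php
<?php
// Added example: not part of the Loginza plugin. Names and sample values are hypothetical.
const LOGINZA_AUTHINFO_URL = 'http://loginza.ru/api/authinfo';

// sig = md5(token . skey), per the API description quoted above.
function loginza_sig(string $token, string $secretKey): string
{
    return md5($token . $secretKey);
}

function loginza_signed_authinfo_url(string $token, string $widgetId, string $secretKey): string
{
    if ($token === '' || $widgetId === '' || $secretKey === '') {
        throw new InvalidArgumentException('token, widget ID and secret key are required');
    }
    // Sign the raw token as received; http_build_query() URL-encodes afterwards.
    return LOGINZA_AUTHINFO_URL . '?' . http_build_query([
        'token' => $token,
        'id'    => $widgetId,
        'sig'   => loginza_sig($token, $secretKey),
    ]);
}

// True only if the URL carries token, id and a sig matching md5(token . skey).
function loginza_url_is_signed(string $url, string $secretKey): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    foreach (['token', 'id', 'sig'] as $name) {
        if (!isset($q[$name]) || !is_string($q[$name]) || $q[$name] === '') {
            return false;
        }
    }
    return hash_equals(loginza_sig($q['token'], $secretKey), $q['sig']);
}

// Constructed sample values (not real credentials).
$token     = 'constructed+token/0123456789abcdef=';
$widgetId  = '12345';
$secretKey = 'constructed-secret-key';

$signed   = loginza_signed_authinfo_url($token, $widgetId, $secretKey);
$unsigned = LOGINZA_AUTHINFO_URL . '?token=' . urlencode($token); // token-only form

var_dump(loginza_url_is_signed($signed, $secretKey));
var_dump(loginza_url_is_signed($unsigned, $secretKey));
```

The signature is computed over the raw token before URL-encoding, so a token containing characters such as `+` or `/` still verifies after the query string is decoded.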
This address is generated in the class \includes\loginza\libs\LoginzaAPI.class.php, on line 113:
$url = str_replace('%method%', $method, self::API_URL).'?'.http_build_query($params);
Several experiments showed that this address is generated incorrectly: the [WIDGET_ID] and [API_SIGNATURE] parameters are not added. Even after adding these parameters manually, nothing worked: Loginza replied that sig is wrong. It was decided to neglect safety.
So, if Loginza authorization on the forum does not work for you, do the following:
1) In the profile settings of your widget (you did create it and confirm your rights to the site, didn't you?), in the infusions of the site, remove the tick "Safe token verification mode".
2) File \includes\loginza\libs\LoginzaAPI.class.php, line 38. Replace the line:
return $this->apiRequert('authinfo', array('token' => $token));
with
return $this->apiRequert('authinfo', $token);
3) Line 113 of the same file. Replace the line:
$url = str_replace('%method%', $method, self::API_URL).'?'.http_build_query($params);
with
$url .= 'http://loginza.ru/api/authinfo?token='.$params;
Problem solved! :)