AlexKovic / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0
0 stars 0 forks source link

Claimed_id and identity equality check fail with default port #98

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Issue being that in case the identity and claimed_id being set in the 
Authentication Response are 
both:

https://foo.com:443/openid?id=xxx

This results in the ConsumerManager.verify failing in verifyDiscovered2.

        Identifier respClaimed =
            _discovery.parseIdentifier(authResp.getClaimed(), true);

This code will normalized the URI to https://foo.com/openid?id=xxx
Whilst the identity has :443 still added.

Original issue reported on code.google.com by wim.vand...@gmail.com on 3 Sep 2009 at 8:54

GoogleCodeExporter commented 8 years ago
The normal form for HTTP(S) URLs does not contain the default ports (per 
RFC3986 
Section 6.2.3).

URL Claimed Identifiers are, by definition, normalized (http://openid.net/specs/
openid-authentication-2_0.html#terminology)

An authentication response containing a claimed_id field with a non-normalized 
value 
is thus invalid, and verification failure is expected.

Original comment by Johnny.B...@gmail.com on 3 Sep 2009 at 8:41