TheBeruriahIncident / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

PayPal Access verification fails - Namespace declaration MUST be signed #169

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. openid4java 0.9.6 (from maven central)
2. Try to authenticate (as an RP) to PayPal Access requesting sreg or extensions

Discovery works with PayPal Access. The sign-in URI is https://www.paypal.com/webapps/auth/server. However, openid4java fails on verification:

org.openid4java.message.MessageException: 0x100: Namespace declaration for extension http://openid.net/sreg/1.0 MUST be signed
        at org.openid4java.message.Message.getExtension(Message.java:495)

This happens for other types as well, example:

MessageException: 0x100: Namespace declaration for extension http://openid.net/srv/ax/1.0 MUST be signed

It's not clear to me where the problem is: is openid4java being too strict, or is PayPal being too loose? Reading through the OpenID 2.0 spec I really can't find a place that says that these .type fields MUST be signed. I have tested with google, yahoo, and verisign so far, and all work fine except PayPal Access.

Original issue reported on code.google.com by cpigg...@gmail.com on 18 Nov 2011 at 3:49

GoogleCodeExporter commented 9 years ago
The SREG spec requires that its parameters must be signed. AX doesn't, but openid4java enforces this anyhow, for security reasons.

PayPal should be signing its entire responses.

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 8:58
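The rule the issue report and the reply are discussing, as an added example that is not openid4java's code or PayPal's: a stand-alone Python model of the RP-side checks on an OpenID 2.0 positive assertion. It parses the indirect response, verifies the HMAC-SHA256 signature over the key-value form of the signed fields, and then applies the check from the stack trace, that `openid.ns.<alias>` and every `<alias>.*` parameter are listed in `openid.signed`. It goes one step beyond the thread by showing why the namespace declaration must be signed: when it is not, the alias-to-namespace binding can be changed without invalidating the signature. The association secret, endpoints, nonce and handle are constructed placeholders, and `make_response(False)` builds a response of the shape the report describes (extension parameter signed, namespace declaration not).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/sreg/1.0"
# Fields OpenID 2.0 section 10.1 requires in openid.signed for a positive assertion
# (claimed_id and identity are required whenever they are present).
CORE_SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to",
               "response_nonce", "assoc_handle")
# Constructed secret for this example only; a real RP holds it from its association.
ASSOC_SECRET = b"constructed-example-secret"


def parse_indirect_response(query):
    """Map the query string of an indirect response to {name: value}, name
    without its 'openid.' prefix (the form used by openid.signed)."""
    return {k[len("openid."):]: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.startswith("openid.")}


def signed_names(fields):
    """Names listed in openid.signed, in the order the OP gave them."""
    return [n for n in fields.get("signed", "").split(",") if n]


def compute_sig(fields, secret):
    """openid.sig for an HMAC-SHA256 association: HMAC over the key-value form
    (section 6.1, one 'name:value\\n' line per signed field, in openid.signed order)."""
    kv = "".join(f"{n}:{fields[n]}\n" for n in signed_names(fields))
    return base64.b64encode(hmac.new(secret, kv.encode(), hashlib.sha256).digest()).decode()


def signature_valid(fields, secret):
    if any(n not in fields for n in signed_names(fields)):
        return False  # openid.signed names a field the message does not carry
    return hmac.compare_digest(compute_sig(fields, secret), fields.get("sig", ""))


def extension_alias(fields, ns_uri):
    """Alias under which ns_uri is declared (openid.ns.<alias>=ns_uri), or None."""
    for name, value in fields.items():
        if name.startswith("ns.") and value == ns_uri:
            return name[len("ns."):]
    return None


def check_extension_signed(fields, ns_uri):
    """The rule openid4java enforces: ns.<alias> and every <alias>.* parameter
    must appear in openid.signed."""
    alias = extension_alias(fields, ns_uri)
    if alias is None:
        return False, f"extension {ns_uri} not declared"
    signed = set(signed_names(fields))
    if f"ns.{alias}" not in signed:
        return False, f"Namespace declaration for extension {ns_uri} MUST be signed"
    unsigned = sorted(n for n in fields if n.startswith(alias + ".") and n not in signed)
    if unsigned:
        return False, "unsigned extension parameters: " + ", ".join(unsigned)
    return True, "ok"


def verify_response(query, secret, ns_uri):
    """RP-side verification: core fields signed, signature correct, extension signed."""
    fields = parse_indirect_response(query)
    if fields.get("ns") != OPENID2_NS or fields.get("mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed = set(signed_names(fields))
    missing = [n for n in CORE_SIGNED if n in fields and n not in signed]
    if missing:
        return False, "core fields not signed: " + ", ".join(missing)
    if not signature_valid(fields, secret):
        return False, "bad signature"
    return check_extension_signed(fields, ns_uri)


def make_response(sign_namespace_declaration):
    """Constructed positive assertion carrying an SREG email. With
    sign_namespace_declaration=False the OP signs sreg.email but leaves
    ns.sreg out of openid.signed, the shape the issue reports."""
    fields = {
        "ns": OPENID2_NS, "mode": "id_res",
        "op_endpoint": "https://op.example/auth",          # constructed
        "claimed_id": "https://op.example/id/alice",       # constructed
        "identity": "https://op.example/id/alice",         # constructed
        "return_to": "https://rp.example/openid/return",   # constructed
        "response_nonce": "2011-11-18T03:49:00Zabc123",    # constructed
        "assoc_handle": "constructed-handle",
        "ns.sreg": SREG_NS,
        "sreg.email": "alice@example.com",
    }
    extension = (["ns.sreg"] if sign_namespace_declaration else []) + ["sreg.email"]
    fields["signed"] = ",".join(list(CORE_SIGNED) + extension)
    fields["sig"] = compute_sig(fields, ASSOC_SECRET)
    return urlencode({f"openid.{k}": v for k, v in fields.items()})


def unsigned_declaration_can_be_rebound(query, secret):
    """Why the rule matters: if ns.<alias> is outside openid.signed, the alias
    can be bound to a different namespace in transit and the signature still
    verifies. True means this response has that weakness."""
    fields = parse_indirect_response(query)
    fields["ns.sreg"] = "http://example.invalid/some-other-extension"
    return signature_valid(fields, secret)
```

`verify_response(make_response(True), ASSOC_SECRET, SREG_NS)` returns `(True, "ok")`, while the unsigned-declaration variant fails with the same message the stack trace shows, even though its signature is correct. That second case is what the reporter saw: the check is strict on purpose, because the unsigned `openid.ns.sreg` binding is exactly the part of the message the signature does not cover.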