TheBeruriahIncident / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

SSO no longer working with Google after security fix #196

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
We are using the openid4java library for Google based SSO. Because of the way 
the applications are developed, the same ConsumerManager is not shared between 
the openid request and response processing. Therefore openid4java uses a Direct 
verification for validating the signature. Unfortunately Google has issued a 
security fix at the beginning of the week that causes this verification to fail.

What is the expected output? What do you see instead?
Direct verification fails. 

What version of the product are you using? On what operating system?
0.9.7

Please provide any additional information below.
See forum for additional information:
https://groups.google.com/forum/?fromgroups=#!topic/google-federated-login-api/qXZDD7_K7jU

Original issue reported on code.google.com by yleble...@smartwavesa.com on 21 Apr 2013 at 6:20

GoogleCodeExporter commented 9 years ago
Invalid, this is not an openid4java library issue.

The referenced forum thread contains the solution: configure the RP not to use 
associations and send the assoc_handle in requests; this can be done with:

    // on the RP's ConsumerManager instance (these are instance methods, not static ones)
    manager.setAllowStateless(true);   // permit stateless mode: verify via direct check_authentication
    manager.setMaxAssocAttempts(0);    // never try to establish an association with the OP

Original comment by Johnny.B...@gmail.com on 21 Apr 2013 at 7:42
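The configuration above, carried through to a complete request/response pair, as an added example (this is not code from the issue or from the openid4java project's own samples). It models the reporter's situation: the request and the response are handled by two different ConsumerManager instances, so no association state is available on the response side and openid4java must fall back to a direct check_authentication request to the OP. The class and method names (StatelessRelyingParty, newStatelessManager, buildRedirectUrl, verifyResponse) are assumptions for the example; the openid4java calls (discover, associate, authenticate, verify, getVerifiedId) are the library's real ones.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.ParameterList;

// Assumed class name for this example; not part of openid4java.
public class StatelessRelyingParty {

    // Assumed helper: builds a ConsumerManager that never establishes an
    // association, so every positive assertion is verified with a direct
    // check_authentication request to the OP instead of a locally held key.
    static ConsumerManager newStatelessManager() throws Exception {
        ConsumerManager manager = new ConsumerManager();
        manager.setAllowStateless(true);   // permit stateless (direct verification) mode
        manager.setMaxAssocAttempts(0);    // do not attempt to create an association
        return manager;
    }

    // Request side. Uses its own ConsumerManager, as in the reporter's deployment.
    static String buildRedirectUrl(String userSuppliedId, String returnToUrl) throws Exception {
        ConsumerManager manager = newStatelessManager();
        List discoveries = manager.discover(userSuppliedId);
        // With maxAssocAttempts == 0 this only selects the OP endpoint; no
        // association (and therefore no shared secret) is created.
        DiscoveryInformation discovered = manager.associate(discoveries);
        AuthRequest authReq = manager.authenticate(discovered, returnToUrl);
        return authReq.getDestinationUrl(true);   // URL to redirect the browser to
    }

    // Response side. A fresh ConsumerManager that holds no state from the request.
    static Identifier verifyResponse(HttpServletRequest httpReq) throws Exception {
        ConsumerManager manager = newStatelessManager();
        ParameterList params = new ParameterList(httpReq.getParameterMap());

        // The receiving URL must match openid.return_to exactly, query string included.
        String receivingUrl = httpReq.getRequestURL().toString();
        String query = httpReq.getQueryString();
        if (query != null && query.length() > 0) {
            receivingUrl += "?" + query;
        }

        // Passing null as the DiscoveryInformation makes openid4java re-run discovery
        // on the claimed identifier in the response before checking the signature,
        // so the OP endpoint that signed the assertion is confirmed independently of
        // anything the request side did.
        VerificationResult result = manager.verify(receivingUrl, params, null);
        return result.getVerifiedId();   // null when the assertion did not verify
    }
}
```

One caveat worth checking before shipping this pattern: the replay (nonce) check in ConsumerManager defaults to an in-memory verifier, which only sees the responses handled by that one instance. If each response is verified by a fresh ConsumerManager, as here, a captured positive assertion could be presented again to another instance within its validity window, so a deployment that really cannot share the manager should plug in a nonce store shared across instances (ConsumerManager.setNonceVerifier) rather than rely on the default.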

GoogleCodeExporter commented 9 years ago
Great. 

Indeed, I guess we were not correctly using the lib. I'll try this ASAP.

Thanks for your help. 

Original comment by y...@le-blevec.com on 21 Apr 2013 at 8:13