anunnakian / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

openid.signed incorrectly includes the claimed_id for OpenID v1 requests #49

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Go to an RP which uses v1 (e.g.: http://ma.gnolia.com)
2. Log in using a simple-openid identity url - from the sample openid4java server - e.g. openid.open.ac.uk/simple-openid/user.jsp

What is the expected output? What do you see instead?
Rather than being authenticated - you get the error message "signature mismatch" - more info, and other sites where this occurs:
http://groups.google.com/group/openid4java/browse_thread/thread/f61d594b183c4ad6?hl=en

I attempted to get this fixed myself, but I didn't get very far. To start with I was unsure as to whether the problem was just in the simple-openid sample server code, or if it was something up in the java-openid-sxip.jar. I attempted to change the org.openid4java.server.ServerManager class (line 760) - so if it was a v1 request then the claimed_id field would be removed from the list. But this didn't seem to make any difference.

I also looked at the AuthSuccess class to check which fields were included in the buildSignedList() and these all seemed fine too (i.e. no claimed_id field) - so couldn't see if any changes were required here.

I think this may be related to issue #47 as it occurs in similar circumstances (using JanRain as RP), although when using the sample RP provided by JanRain I get the error "Server denied check_authentication", but it appears to be to do with the signature being invalid.

Original issue reported on code.google.com by AlextLit...@gmail.com on 31 Jan 2008 at 11:38

GoogleCodeExporter commented 9 years ago
Alex, I believe the bug is in provider.jsp:15

newmgr.setSignFields("return_to,assoc_handle,claimed_id,identity"); // OpenID 1.x

Can you comment out this line and then try again with one of your provider's identifiers?

Johnny

Original comment by Johnny.B...@gmail.com on 5 Feb 2008 at 12:29

GoogleCodeExporter commented 9 years ago
Thanks Johnny, commenting the whole line out didn't work, but changing it to be:

newmgr.setSignFields("return_to,assoc_handle,identity"); // OpenID 1.x

seemed to do the trick (i.e. just removing the claimed_id field) - and it now works with the 3 sites I was getting the sig mismatch error with.
Cheers,
Alex

Original comment by AlextLit...@gmail.com on 5 Feb 2008 at 11:41
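The rule behind the fix above is that `openid.signed` enumerates exactly the fields the relying party will re-sign, so a field the provider includes in the signed list but does not send on the wire (OpenID 1.x has no `openid.claimed_id` parameter) leaves the RP unable to rebuild the signature base. The following is an added example, not openid4java code, written in Python rather than Java to model the protocol rule; the MAC key, identifiers, URLs and association handle are constructed placeholders, and the exact internals of openid4java's ServerManager are not modelled.

```python
import base64
import hashlib
import hmac

# Constructed 20-byte association MAC key (placeholder, not from the issue);
# in a real exchange the OP and RP share it through the association handshake.
MAC_KEY = bytes(range(20))

# The working signed list from the thread, and the one that broke v1 RPs.
V1_SIGNED = "return_to,assoc_handle,identity"
BAD_SIGNED = "return_to,assoc_handle,claimed_id,identity"


def kv_form(fields, signed_list):
    """Key-value encoding of the named fields, in signed-list order.

    Returns None when the signed list names a field the message does not
    carry; the signature base cannot be reconstructed in that case.
    """
    out = []
    for name in signed_list.split(","):
        if name not in fields:
            return None
        out.append(f"{name}:{fields[name]}\n")
    return "".join(out).encode("utf-8")


def hmac_sha1_b64(base, mac_key=MAC_KEY):
    """OpenID 1.x signature: base64 of HMAC-SHA1 over the key-value form."""
    digest = hmac.new(mac_key, base, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def op_response(signed_list):
    """Build a positive assertion (mode=id_res) the way a provider would.

    The provider knows the claimed identifier internally even for a v1
    request, but OpenID 1.x defines no openid.claimed_id parameter, so that
    field never reaches the wire message.
    """
    internal = {
        "mode": "id_res",
        "identity": "http://op.example/simple-openid/user.jsp",    # constructed
        "claimed_id": "http://op.example/simple-openid/user.jsp",  # constructed
        "return_to": "http://rp.example/finish",                   # constructed
        "assoc_handle": "constructed-handle",
    }
    base = kv_form(internal, signed_list)
    if base is None:
        raise ValueError("provider cannot sign a field it does not hold")
    wire = {k: v for k, v in internal.items() if k != "claimed_id"}
    wire["signed"] = signed_list
    wire["sig"] = hmac_sha1_b64(base)
    return wire


def rp_verify(message, mac_key=MAC_KEY):
    """RP-side check: recompute over exactly the fields named in openid.signed."""
    base = kv_form(message, message["signed"])
    if base is None:
        return False  # a named field is absent: reported as "signature mismatch"
    return hmac.compare_digest(hmac_sha1_b64(base, mac_key), message["sig"])


if __name__ == "__main__":
    print("v1 list verifies:", rp_verify(op_response(V1_SIGNED)))
    print("list with claimed_id verifies:", rp_verify(op_response(BAD_SIGNED)))
```

`rp_verify` also rejects a response whose signed field was altered in transit, which is the property the signed list exists to provide; the claimed_id case fails for a different reason, namely that the RP cannot even reconstruct the signed material.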

GoogleCodeExporter commented 9 years ago
That's strange -- the library should compose the right openid.signed value if an explicit list is not given by the user.

Can you please try again with the line commented out, and inspect the auth request message, using either DEBUG logs, or using a Firefox extension such as Tamper Data.

Thanks!

Original comment by Johnny.B...@gmail.com on 5 Feb 2008 at 6:52

GoogleCodeExporter commented 9 years ago
That would be the auth *response*, not request, of course.

Original comment by Johnny.B...@gmail.com on 5 Feb 2008 at 6:57

GoogleCodeExporter commented 9 years ago
Just given it another go - with line commented out completely and with just the edit I made (and restarting tomcat after each change) and yes, as you say commenting the line out completely works. Not really sure what was going on when I tried before.
Alex

Original comment by AlextLit...@gmail.com on 6 Feb 2008 at 9:20

GoogleCodeExporter commented 9 years ago
Thanks Alex! This is fixed now in rev456.

Original comment by Johnny.B...@gmail.com on 6 Feb 2008 at 9:20