anunnakian / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

Exception in AssociationResponse when Open ID Provider supports only stateless #95

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use an Open ID Provider that supports only stateless.
2. Use ConsumerManager.associate to try to associate (it is not always known that the Open ID Provider only supports stateless, so trying to associate makes sense).
3. The Open ID Provider returns an error response with error_code and error parameters, see http://openid.net/specs/openid-authentication-2_0.html section 8.2.4.
4. Message.validate throws an Exception that assoc_type is a required field because it is listed in the required fields of AssociationResponse.

What is the expected output? What do you see instead?
An exception is thrown and logged; this is unnecessary: assoc_type isn't a required field for association responses, only for successful associations. ConsumerManager will however use stateless and continues.

What version of the product are you using? On what operating system?
0.9.5 on Windows XP.

Please provide any additional information below.
AssociationResponse should be able to accept unsuccessful association 
responses. It should have a method to check whether or not the response 
was successful.

Original issue reported on code.google.com by j...@net-v.com on 24 Jun 2009 at 12:24

GoogleCodeExporter commented 9 years ago
I've looked at the code and ConsumerManager assumes that a failed association response has a HttpStatus.SC_BAD_REQUEST as status, but I don't see this requirement in the specifications. According to me, a HttpStatus.SC_OK status is valid for a failed association response.

I think the test should be if the error_code parameter is present.

Another problem with failed association responses is that the AssociationError class lists session_type as a required field. According to the 2.0 specification, this field isn't required, but optional.

Original comment by j...@net-v.com on 3 Jul 2009 at 2:27

GoogleCodeExporter commented 9 years ago
Associations are defined as direct communication, direct error messages must 
have status code 400 per Section 5.1.2.2. See 
http://openid.net/specs/openid-authentication-2_0.html#direct_comm

The session_type has since been made optional in AssociationResponse.

Original comment by Johnny.B...@gmail.com on 5 Oct 2011 at 5:51
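The thread above turns on three points: a failed association response is recognised by its `error`/`error_code` keys rather than by the success-only fields (`assoc_type`, `assoc_handle`, ...), `session_type` and `assoc_type` are optional on an error response, and the spec requires HTTP 400 for direct errors (section 5.1.2.2) even though some providers answer 200. The following is an added example, written in Python rather than taken from openid4java, that parses a key-value form association response and applies exactly those checks: it classifies on the presence of `error`, validates the success schema only for successful responses, and returns the relying party's next step (keep the association, retry with the types the OP suggests for an `unsupported-type` error, or fall back to stateless mode). The sample response bodies, the handle value and the base64 `mac_key` are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Keys every *successful* association response must carry; they are not
# required on an error response (the point raised in the issue).
SUCCESS_REQUIRED = ("ns", "assoc_handle", "session_type", "assoc_type", "expires_in")


def parse_kv_form(body: str) -> Dict[str, str]:
    """Parse OpenID 2.0 Key-Value Form Encoding: one 'key:value' per line,
    newline-terminated; only the first ':' separates key from value."""
    params: Dict[str, str] = {}
    for line in body.split("\n"):
        if line == "":
            continue
        if ":" not in line:
            raise ValueError(f"malformed key-value line: {line!r}")
        key, value = line.split(":", 1)
        if key in params:
            raise ValueError(f"duplicate key: {key}")
        params[key] = value
    return params


@dataclass
class AssociationResult:
    successful: bool
    params: Dict[str, str]
    http_status: int
    error_code: Optional[str] = None
    # Only set for error_code=unsupported-type, where the OP may suggest
    # a session_type/assoc_type it does support (section 8.2.4).
    suggested_session_type: Optional[str] = None
    suggested_assoc_type: Optional[str] = None


def classify_association_response(http_status: int, body: str) -> AssociationResult:
    params = parse_kv_form(body)
    if params.get("ns") != OPENID2_NS:
        raise ValueError("not an OpenID 2.0 direct response")

    if "error" in params:
        # Section 5.1.2.2 requires status 400 for direct errors; the status is
        # kept for diagnostics, but the 'error' key decides classification so a
        # provider answering 200 is still treated as a failed association
        # instead of tripping the success-schema validation.
        code = params.get("error_code")
        unsupported = code == "unsupported-type"
        return AssociationResult(
            successful=False, params=params, http_status=http_status, error_code=code,
            suggested_session_type=params.get("session_type") if unsupported else None,
            suggested_assoc_type=params.get("assoc_type") if unsupported else None,
        )

    missing = [k for k in SUCCESS_REQUIRED if k not in params]
    if missing:
        raise ValueError(f"successful association response missing {missing}")
    session_type = params["session_type"]
    if session_type == "no-encryption":
        needed = ("mac_key",)
    elif session_type in ("DH-SHA1", "DH-SHA256"):
        needed = ("dh_server_public", "enc_mac_key")
    else:
        raise ValueError(f"unknown session_type {session_type!r}")
    for key in needed:
        if key not in params:
            raise ValueError(f"{session_type} session requires {key}")
    return AssociationResult(successful=True, params=params, http_status=http_status)


def next_action(result: AssociationResult) -> str:
    """Relying-party decision: keep the association, retry with the OP's
    suggested types, or continue in stateless (direct verification) mode."""
    if result.successful:
        return "associated:" + result.params["assoc_handle"]
    if result.suggested_session_type and result.suggested_assoc_type:
        return f"retry:{result.suggested_session_type}/{result.suggested_assoc_type}"
    return "stateless"


# Constructed sample bodies (not captured from a real provider).
STATELESS_ONLY_BODY = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "error:This provider operates in stateless mode only\n"
)
UNSUPPORTED_TYPE_BODY = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "error:Unsupported association type\n"
    "error_code:unsupported-type\n"
    "session_type:no-encryption\n"
    "assoc_type:HMAC-SHA1\n"
)
SUCCESS_BODY = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "assoc_handle:constructed-handle-001\n"
    "session_type:no-encryption\n"
    "assoc_type:HMAC-SHA256\n"
    "expires_in:1209600\n"
    "mac_key:c2VjcmV0LW1hYy1rZXk=\n"
)
```

Feeding `(400, STATELESS_ONLY_BODY)` through `classify_association_response` and `next_action` yields `"stateless"`, the path the issue reporter wanted without an exception; the same body with status 200 is still classified as a failure, which is the defensive choice for the status-code disagreement in the thread, while a 200 body that lacks `assoc_type` and has no `error` key is rejected as an invalid success response.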