asanso / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0
0 stars 0 forks source link

Return_to URL fails verification if RP is behind a reverse proxy #133

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Have the RP behind a reverse proxy
2. Start an OpenID authentication request to an OpenID provider
3. The return_to call received by the RP fails verification.

What is the expected output? What do you see instead?
The verification fails and returned data are not processed.

What version of the product are you using? On what operating system?
0.9.5

Please provide any additional information below.
In case the RP is behind a reverse proxy, the return_to call received by the RP 
fails verification.
It happens since the public return_to URL invoked by the OpenID provider is 
always different from the real URL received by the RP (forwarded by the reverse 
proxy to the machine in charge of processing the request).
It should be probably provided some method in ConsumerManager class in order to 
declare the real URL to be compared to the received one, in such case without 
considering the public one.

A workaround for the user is to modify the received URL with the public 
return_to URL before verification, as follows:
///////////
// PATCH //
///////////
int i = receivingURL.indexOf("?");
receivingURL.replace(0, i, [DECLARED_RETURNTO_URL]);

// verify the response... as usual
VerificationResult verification = manager.verify(receivingURL
        .toString(), response, discovered);

Original issue reported on code.google.com by tilab...@gmail.com on 5 Nov 2010 at 5:12

GoogleCodeExporter commented 8 years ago
ConsumerManager API allows the receivingURL that's appropriate for a deployment 
to be passed to verify().

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 11:05