chantasaur / lightopenid

Automatically exported from code.google.com/p/lightopenid

validate() fails on delegate because of returnUrl rewriting #5

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
On openid delegation authUrl_v1 appends the openid.claim_id to the returnUrl. 
validate(), however, fails because it does not expect that addition.

Workaround in validate():
if (strpos($this->data['openid_return_to'], $this->returnUrl) !== 0) {

Note: I don't know if that has a security impact

Original issue reported on code.google.com by HendrikU...@nexgo.de on 25 Sep 2010 at 9:14

GoogleCodeExporter commented 8 years ago
Fixed now, using different fix however.

Since I'm able to detect the protocol version being used and read the 
claimed_id, I've just appended it to the returnUrl.

Thanks for reporting it.

Original comment by mewp...@gmail.com on 25 Sep 2010 at 10:21

GoogleCodeExporter commented 8 years ago
Thank you for the quick fix.

In my case http://nhnb.de --> http://nhnb.myopenid.com, 
$this->data['openid_op_endpoint'] is set, too. So the code is not executed 
because of the "else":

             # Even though we should know location of the endpoint,
             # we still need to verify it by discovery, so $server is not set here
             $params['openid.ns'] = 'http://specs.openid.net/auth/2.0';
-        } elseif(isset($this->data['openid_claimed_id'])) {
+        }
+        if(isset($this->data['openid_claimed_id'])) {
             # If it's an OpenID 1 provider, and we've got claimed_id,
             # we have to append it to the returnUrl, like authUrl_v1 does.
             $this->returnUrl .= (strpos($this->returnUrl, '?') ? '&' : '?')
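Review bot: turning the `elseif` into a bare `if` makes the claimed_id append run for every response that carries openid_claimed_id, including OpenID 2.0 responses that also set openid_op_endpoint, where claimed_id is never part of return_to; for those the rebuilt returnUrl will no longer equal openid_return_to and validate() will fail the other way round. The branch should be gated on the detected protocol version (absence of the 2.0 openid.ns value) together with the delegation condition, not on presence of the key alone. Minor: `strpos($this->returnUrl, '?') ? '&' : '?'` relies on '?' never sitting at offset 0; `strpos(...) !== false` states the intent.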

I am not sure if I have messed up something elsewhere. While myopenid and 
google work, trying to use Yahoo or AOL ends up with "No server found" (still 
need to investigate that further).

Original comment by HendrikU...@nexgo.de on 26 Sep 2010 at 5:28

GoogleCodeExporter commented 8 years ago
authUrl_v1() only appends the openid.claimed_id on delegation, so validate() 
has to do the same:

-        } elseif(isset($this->data['openid_claimed_id'])) {
+        }
+        if(isset($this->data['openid_claimed_id'])
+           && ($this->data['openid_claimed_id'] != 
$this->data['openid_identity'])) {
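Review bot: the added `claimed_id != identity` guard mirrors the delegation test in authUrl_v1(), but it still fires for OpenID 2.0 responses, where openid.claimed_id may legitimately differ from openid.identity and is not appended to return_to, so 2.0 logins with a delegated identifier would fail validation. Suggest combining the guard with a version check, e.g. only when `$this->data['openid_ns']` is not `http://specs.openid.net/auth/2.0`, rather than relying on openid_op_endpoint being absent in 1.1.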

Original comment by HendrikU...@nexgo.de on 26 Sep 2010 at 5:44

GoogleCodeExporter commented 8 years ago
Though your fix would break OpenID 2.0, which can contain openid.claimed_id and 
it won't be part of return_to.

Anyway, the OP shouldn't return openid_op_endpoint in OpenID 1.1.

I'll try to change detection method and see if this works.

Original comment by mewp...@gmail.com on 26 Sep 2010 at 6:21
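An exact return_to check that follows the rule worked out in this thread (append openid.claimed_id only for OpenID 1.x delegation, and detect 2.0 from openid.ns rather than from openid_op_endpoint), as an added PHP example that is not lightopenid's own code; the names $rpReturnUrl and $response and the use of urlencode() are assumptions.

```php
<?php
// Added example, not lightopenid's own code. $rpReturnUrl and $response are
// assumed names; $response uses the same openid_* keys as $this->data.
const OPENID_NS_2_0 = 'http://specs.openid.net/auth/2.0';

// Rebuild the return_to the RP sent. authUrl_v1 appends openid.claimed_id
// only on delegation (claimed_id differs from identity); OpenID 2.0 carries
// claimed_id in the response itself, never in return_to. Detecting 2.0 via
// openid.ns rather than openid_op_endpoint avoids the "else" problem above.
function expectedReturnTo(string $rpReturnUrl, array $response): string
{
    $isV2 = isset($response['openid_ns'])
        && $response['openid_ns'] === OPENID_NS_2_0;
    $delegated = isset($response['openid_claimed_id'], $response['openid_identity'])
        && $response['openid_claimed_id'] !== $response['openid_identity'];
    if ($isV2 || !$delegated) {
        return $rpReturnUrl;
    }
    // Encoding must match whatever authUrl_v1 produced; urlencode() is assumed here.
    $sep = strpos($rpReturnUrl, '?') === false ? '?' : '&';
    return $rpReturnUrl . $sep . 'openid.claimed_id='
        . urlencode($response['openid_claimed_id']);
}

// Exact comparison: a prefix test (strpos(...) !== 0) would accept any
// trailing parameters the sender chose to add.
function returnToMatches(string $rpReturnUrl, array $response): bool
{
    return isset($response['openid_return_to'])
        && $response['openid_return_to'] === expectedReturnTo($rpReturnUrl, $response);
}

// Constructed sample responses, not captured traffic.
$rp = 'https://rp.example/login.php?next=/home';
$claimed = 'http://user.example/';
$v1Delegated = [
    'openid_identity'   => 'http://user.myopenid.example/',
    'openid_claimed_id' => $claimed,
    'openid_return_to'  => $rp . '&openid.claimed_id=' . urlencode($claimed),
];
$v2 = [
    'openid_ns'         => OPENID_NS_2_0,
    'openid_identity'   => 'http://user.myopenid.example/',
    'openid_claimed_id' => $claimed,
    'openid_return_to'  => $rp,
];
var_dump(returnToMatches($rp, $v1Delegated), returnToMatches($rp, $v2));
```

Both constructed responses validate: the 1.x one because the delegated claimed_id is rebuilt into return_to, the 2.0 one because nothing is appended.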

GoogleCodeExporter commented 8 years ago
It seems to work now.

By the way, while the bug is valid, you could easily avoid it by using OpenID 
2.0 delegation.

Original comment by mewp...@gmail.com on 27 Sep 2010 at 11:01