fritte02 / lightopenid

Automatically exported from code.google.com/p/lightopenid
0 stars 0 forks source link

validate() returns FALSE on realms with wildcard #45

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
When using 'http://*.example.com' realm validate() always returns FALSE from 
validate() method. It's because of this line in validate():
if ($this->data['openid_return_to'] != $this->returnUrl)

$this->returnUrl is improperly constructed in __construct()
$this->returnUrl = $this->trustRoot . $uri;
(trustRoot may contain wildcard).

Original issue reported on code.google.com by MKlepacz...@gmail.com on 21 Jul 2011 at 12:37

GoogleCodeExporter commented 9 years ago
It isn't improper in my opinion. In such case, there's no way to properly guess 
returnUrl, so the user must do so himself.

Or do you have any idea how to do it properly?

Original comment by mewp...@gmail.com on 21 Jul 2011 at 4:03

GoogleCodeExporter commented 9 years ago
Maybe it would be better to check if realm contains wildcard and fallback to 
$_SERVER['HTTP_HOST'] if it does?

In my case the real issue is not '$this->returnUrl' but failed validation. I 
think it would be ok to check in validate() if returnUrl/realm contains 
wildcard and if it does check if returnUrl (stripped of wildcard) is suffix of 
$this->data['openid_return_to'].

Another solution would be to throw exception if realm contains wildcard and 
returnUrl is not set explicitly by user. In this case user of LightOpenID 
object would be at least aware that it's necessary to set returnUrl properly 
(I've spent hour tracking cause of failed validation ;))

Original comment by MKlepacz...@gmail.com on 21 Jul 2011 at 6:33

GoogleCodeExporter commented 9 years ago
Created a merge request to fix this issue: 
https://gitorious.org/lightopenid/lightopenid/merge_requests/13

Original comment by woody.gilk on 2 Dec 2011 at 9:28