jbufu / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0
98 stars 58 forks source link

Identity verification is too restrictive and results in false-positive verification failures #202

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. If your openID is "http://foo/bar/zot", try to assert that you are 
"http://foo:80/bar/zot"
2. Let the OpenID protocol runs its course
3. Observe that openid4java reports an error "No service element found to match 
the identifier in the assertion."

What is the expected output? What do you see instead?
ConsumerManager should verify me as http://foo/bar/zot

What version of the product are you using? On what operating system?
0.9.4

Please provide any additional information below.
The problem is in ConsumerManager.verifyDiscovered1 Discover.discover(String 
identifier) performs an URL normalization, so "http://foo:80/bar/zot" gets 
normalized into UrlIdentifier of "http://foo/bar/zot", and this is what the 
discovery will be based on.

Yet a few lines down below, a check is done between pre-normalized assertId and 
Identifier.getIdentifier() as a String comparison:

! assertId.equals(service.getClaimedIdentifier().getIdentifier()))

If we just let the comparison happen between two Identifier objects, the 
normalization will correctly ignore these pointless differences.

I've attached the patch to fix this problem.

Original issue reported on code.google.com by kohsuke....@gmail.com on 4 Dec 2013 at 3:54

GoogleCodeExporter commented 9 years ago
Patch attached.

Original comment by kohsuke....@gmail.com on 4 Dec 2013 at 3:54

Attachments:

GoogleCodeExporter commented 9 years ago
assertId is the claimed identifier obtained from the response, which must be in 
normalized form (per claimed identifier definition) and must match exactly the 
(normalized) claimed identifier obtained via discovery, per:
http://openid.net/specs/openid-authentication-2_0.html#terminology
http://openid.net/specs/openid-authentication-2_0.html#verify_disco

OpenID providers asserting invalid claimed identifiers (in non-normalized form) 
are not complying to the above, so their responses will fail verification as 
expected.

Original comment by Johnny.B...@gmail.com on 4 Dec 2013 at 4:38

GoogleCodeExporter commented 9 years ago
Okay.

In this case the OpenID provider is also openid4java. I guess I need to dig a 
bit deeper and file a separate issue.

Original comment by kohsuke....@gmail.com on 4 Dec 2013 at 4:42