jmpcn / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0
0 stars 0 forks source link

manager.authenticate causes exception when redirect URL contains a Hash ("#") history token? #127

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Set-up OpenID authentication with Google as the provider:
"https://www.google.com/accounts/o8/id"

using code like this:
     // obtain a AuthRequest message to be sent to the OpenID provider
     AuthRequest authReq = manager.authenticate(discovered, returnToUrl);

2. have "returnToUrl" contain an applications History token using the # 
character in the url. An example Url is:

http://127.0.0.1:8888/landing.html#Module-Inspections-

where the string after the # is an application specific History token.

3. The call to manager.authenticate causes the following exception (running on 
GAE locally):

INFO: Creating authentication request for OP-endpoint: 
https://www.google.com/accounts/o8/ud claimedID: 
http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: 
http://specs.openid.net/auth/2.0/identifier_select
Sep 11, 2010 9:53:58 PM org.openid4java.server.RealmVerifier validate
SEVERE: Return URL: 
http://127.0.0.1:8888/login/verify?redirectTo=http://127.0.0.1:8888/landing.html
#Module-Inspections- does not match realm: 
http://127.0.0.1:8888/login/verify?redirectTo=http://127.0.0.1:8888/landing.html
#Module-Inspections-
org.openid4java.message.MessageException: 0x301: Realm verification failed (4) 
for: 
http://127.0.0.1:8888/login/verify?redirectTo=http://127.0.0.1:8888/landing.html
#Module-Inspections-
    at org.openid4java.message.AuthRequest.validate(AuthRequest.java:353)
    at org.openid4java.message.AuthRequest.createAuthRequest(AuthRequest.java:100)
    at org.openid4java.consumer.ConsumerManager.authenticate(ConsumerManager.java:1097)
    at org.openid4java.consumer.ConsumerManager.authenticate(ConsumerManager.java:1024)
    at com.bcntouch.ta.Users.server.UserAuthenticationServiceImpl.loginOpenId(UserAuthenticationServiceImpl.java:73)

What is the expected output? 
Authentication request created OK.

What do you see instead?
Exception.

What version of the product are you using? On what operating system?

Please provide any additional information below.

If you provide a url with query parameters like this:

http://127.0.0.1:8888/landing.html?test=true

then it all works fine...

Original issue reported on code.google.com by aute...@gmail.com on 11 Sep 2010 at 9:57

GoogleCodeExporter commented 8 years ago
Realm in the sample also contains a fragment, which is illegal per 
http://openid.net/specs/openid-authentication-2_0.html#realms

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 11:37