ramarao1990 / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

Positive Authentication Assertion is always invalid if RP supports OpenID Auth. 1.1 #2

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The "openid.response_nonce" prm is always generated in method 
ServerManager.authResponse(..):

return AuthSuccess.createAuthSuccess(
  opEndpoint, claimed, id, !authReq.isVersion2(),
  authReq.getReturnTo(), _nonceGenerator.next(),  // ### !!! ###
  invalidateHandle, assoc, _signList);

But next in AuthSuccess.isValid this prm will be considered as invalid.
        // nonce optional or not?
        String nonce = getNonce();
        if ( !compatibility )
        {
            if (nonce == null) return false;

            // nonce format
            InternetDateFormat _dateFormat = new InternetDateFormat();
            try
            {
                _dateFormat.parse(nonce.substring(0, 20));
            } catch (ParseException e)
            {
                return false;
            }
        } else if (nonce != null) // ### !!! ###
        {
            return false;
        }

I think the right behaviour is:

ServerManager.authResponse(..){
  return AuthSuccess.createAuthSuccess(
    opEndpoint, claimed, id, !authReq.isVersion2(),
    authReq.getReturnTo(), 
    isVersion2 ? _nonceGenerator.next() : null,  // ### !!! ###
    invalidateHandle, assoc, _signList);
}

Also, in the AuthSuccess constructor, move the call
  setNonce(nonce);
into the "! compatibility" branch:

if (! compatibility)
{
  set("openid.ns", OPENID2_NS);
  setOpEndpoint(opEndpoint);
  setClaimed(claimedId);
  setNonce(nonce);             // ### !!! ###
}

Original issue reported on code.google.com by alisi...@gmail.com on 13 Dec 2006 at 10:08
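To make the mismatch concrete, here is an added Python model of the two quoted code paths (not code from openid4java): the OP's nonce generation before and after the proposed fix, the RP's isValid nonce branch, and, going beyond the issue, the freshness and single-use check an RP should run on a 2.0 nonce. Names, the sample clock value and the nonce suffix are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # Internet date, 20 chars: the prefix the validator parses
# Constructed clock value for the examples (the issue's report date); not from the library.
SAMPLE_NOW = datetime(2006, 12, 13, 10, 8, 0, tzinfo=timezone.utc)

def nonce_timestamp(nonce):
    """Return the UTC timestamp leading an OpenID 2.0 response_nonce, or None if malformed."""
    if nonce is None or len(nonce) < 20:
        return None
    try:
        return datetime.strptime(nonce[:20], TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def nonce_valid(nonce, compatibility):
    """Model of the nonce branch of AuthSuccess.isValid quoted above: a 2.0 response
    needs a well-formed nonce, a 1.1 (compatibility) response must carry none."""
    if not compatibility:
        return nonce_timestamp(nonce) is not None
    return nonce is None

def op_response_nonce(is_version2, now=SAMPLE_NOW, fixed=True, unique="deadbeef"):
    """OP side. fixed=False mirrors the quoted authResponse, which always emits a nonce;
    fixed=True emits one only for 2.0 requests, as the reporter proposes."""
    if not is_version2 and fixed:
        return None
    return now.strftime(TS_FMT) + unique

def rp_accepts(is_version2, fixed):
    """End to end: does the RP's isValid accept what the OP produced for this version?"""
    compatibility = not is_version2
    return nonce_valid(op_response_nonce(is_version2, fixed=fixed), compatibility)

class NonceChecker:
    """RP-side freshness and single-use check on 2.0 nonces (OpenID 2.0 spec, section 11.3).
    Not part of the issue; it is what the nonce exists for once its format is accepted."""
    def __init__(self, max_skew=timedelta(minutes=5)):
        self.seen = set()
        self.max_skew = max_skew

    def accept(self, nonce, now=SAMPLE_NOW):
        ts = nonce_timestamp(nonce)
        if ts is None or abs(now - ts) > self.max_skew or nonce in self.seen:
            return False
        self.seen.add(nonce)  # a real RP persists this across processes for the skew window
        return True
```

With fixed=False the 1.1 path always fails validation, which is the behaviour the issue reports; with fixed=True both protocol versions round-trip.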

GoogleCodeExporter commented 8 years ago
Sorry for the late response and for spotting this bug! It's fixed now in 
rev 78.

If you're interested in becoming a project member and submitting patches, we
could use your help.

Thanks,
Johnny

Original comment by Johnny.B...@gmail.com on 22 Jan 2007 at 4:45