teintinu / dyuproject

Automatically exported from code.google.com/p/dyuproject
Apache License 2.0

Infinite loop when Yahoo! authentication is aborted. #19

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Go to http://twetailer.appspot.com/console/golf/
2. Choose the Yahoo! OpenID provider
3. Log in
4. On the screen where you have to "Agree", choose "Sign out"
5. Once redirected to the Yahoo! homepage, go back to http://twetailer.appspot.com/console/golf/

What is the expected output? What do you see instead?
- The user still being associated with Yahoo!, the OpenIdServletFilter redirects automatically to the Yahoo! login page
- To break the loop, go to http://twetailer.appspot.com/logout

What version of the product are you using? On what operating system?
- Latest 1.1.6 version

Please provide any additional information below.
- The Google authentication system provides a "Disagree"-like button and the corresponding action is interpreted as a "Failed authentication", which is just fine.
- In the absence of the corresponding feature on the Yahoo! authentication page, there's no indication of the failure, and the filter redirects automatically...

In my application:
- I use the OpenIdServletFilter to protect URLs like /console/*
- In the login page, the form is submitted to /login, a servlet that redirects to the OpenID provider, with a returnToURL == "http://twetailer.appspot.com/login?fromPageURL=http://twetailer.appspot.com/console/golf/"
- I can see the onPreAuthenticate() method from my registered RelyingParty.Listener is called when the http://twetailer.appspot.com/console/golf/ is called again, but that's too late because the page is going to be redirected to the Yahoo! login page...

What can I do to break the loop?
- Customize the OpenIdServletFilter to just run "forwardUriHandler.handle(forwardUri, request, response);", as it does for new users (line 151), instead of calling "relyingParty.associateAndAuthenticate(...)" (line 185)? Then the control will be passed to the login page again?
- Is there a simplified filter that just displays the login page (a JSP page with the form POSTing to /login, in my case)?

Note that I've tried to reproduce the behavior on your own demo (http://dyuproject.appspot.com/openid) but it works just fine! ;)

Thanks for your help,
A+, Dom

Original issue reported on code.google.com by ryanreta...@gmail.com on 6 May 2010 at 3:41

GoogleCodeExporter commented 9 years ago
Hi Dom,

On openid.properties, try enabling:
openid.automatic_redirect = false

Also the one deployed on appengine is the version on trunk.
Its openid config:
openid.automatic_redirect = false

# if openid identifier isn't resolved, check if the identifier is the openid.server
openid.identifier_as_server = true

Original comment by david.yu...@gmail.com on 7 May 2010 at 3:43
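
The loop from the report and the effect of the setting suggested above, as an added example that is not part of the thread and is not dyuproject code. It is a simplified Java model: the class, enum, method and session-key names are hypothetical, and the `loopGuard` check is an assumed alternative that the thread does not mention.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the behaviour reported in this thread. Not dyuproject
// code: the class, enum, method and session-key names are all hypothetical.
public class RedirectLoopModel {
    enum Action { SERVE_PAGE, SHOW_LOGIN_PAGE, REDIRECT_TO_PROVIDER }

    // What a protecting filter does for one request to a protected URL.
    // loopGuard is an assumed extra check, not an option named in the thread.
    static Action decide(Map<String, Object> session, boolean automaticRedirect, boolean loopGuard) {
        if (Boolean.TRUE.equals(session.get("authenticated"))) return Action.SERVE_PAGE;
        boolean associated = session.containsKey("provider");
        if (!associated || !automaticRedirect) return Action.SHOW_LOGIN_PAGE;
        // Guard: a redirect was already issued and no response came back,
        // so the user abandoned the provider page. Do not send them again.
        if (loopGuard && Boolean.TRUE.equals(session.get("redirectPending"))) {
            session.remove("redirectPending");
            session.remove("provider");
            return Action.SHOW_LOGIN_PAGE;
        }
        session.put("redirectPending", Boolean.TRUE);
        return Action.REDIRECT_TO_PROVIDER;
    }

    // Replays the report: the user is still associated with a provider, aborts
    // there every time (no authentication response), and revisits the page.
    static int countRedirects(boolean automaticRedirect, boolean loopGuard, int visits) {
        Map<String, Object> session = new HashMap<>();
        session.put("provider", "yahoo"); // constructed sample state
        int redirects = 0;
        for (int i = 0; i < visits; i++) {
            if (decide(session, automaticRedirect, loopGuard) == Action.REDIRECT_TO_PROVIDER) redirects++;
        }
        return redirects;
    }

    public static void main(String[] args) {
        System.out.println("auto redirect on, no guard: " + countRedirects(true, false, 5) + "/5");
        System.out.println("auto redirect off:          " + countRedirects(false, false, 5) + "/5");
        System.out.println("auto redirect on, guarded:  " + countRedirects(true, true, 5) + "/5");
    }
}
```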

GoogleCodeExporter commented 9 years ago
Hi David,

Forgive me for not following up earlier!

Just to let you know that turning off openid.automatic_redirect made it work for Yahoo!

Again thanks for your help ;)
A+, Dom

Original comment by dominiqu...@gmail.com on 18 May 2010 at 9:50

GoogleCodeExporter commented 9 years ago
No worries.
I'm glad it's working for you.

Cheers

Original comment by david.yu...@gmail.com on 19 May 2010 at 2:29