search

yorkie1 / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0
0 stars 0 forks source link

Error verifiing authentication response from google hosted domains #143

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Having a webapp which uses openId for authentication (see details)
2. Having hosted domain google email account
3. Try to login in the webapp by using your email account (see details)
4. User is redirected to google's login in page
5. Put user name and password
6. Usr is athenticated and redirect to webapp

What is the expected output? What do you see instead?
The user should be authenticated in the webapp. But authentication fails, the 
following message is logged:
"No service element found to match the ClaimedID / OP-endpoint in the 
assertion."

What version of the product are you using? On what operating system?
Webapp is using spring security framework 3.0

Details:
-------
In order to yadis can discover openId provider, hosted domain may redirect 
discovering requests to google as specified in 
http://groups.google.com/group/google-federated-login-api/web/openid-discovery-f
or-hosted-domains?pli=1

http://example.com -> 
https://www.google.com/accounts/o8/site-xrds?hd=example.com
http://example.com/openid?id=108441225163454056756 -> 
https://www.google.com/accounts/o8/user-xrds?uri=http%3a%2f%2fexample.com%2fopen
id%3fid%3d108441225163454056756

With this redirection the system succesfully perfoms ldP Discovery and user 
Discovery. However when google's get back to site with authentication response, 
claimed identifier assertion fails
Please see at ConsumerManager.verifyDiscovered2(line:1715):
 if ( ! opSpecific.equals(assertId) || 
   ! service.isVersion2() ||        
   !service.getOPEndpoint().toString().equals(respEndpoint) )
     continue;

On this scenario: 
 assertId = http://example.com/openid?id=108441225163454056756
 opSpecific = https://www.google.com/accounts/o8/user-xrds?uri=http%3a%2f%2fexample.com%2fopenid%3fid%3d108441225163454056756

The problem on is that opSpecific should be endpoint's cannonical id, as 
described in above link, instead of the url.

I solved the problem by issuing following code change on 
YadisResult.getDiscoveredInformation(line:170)

167  result.add(new DiscoveryInformation(
168    new URL(endpoint.getUri()),
169    DiscoveryInformation.OPENID_SIGNON_TYPES.contains(type) ?
170    ( endpoint.getCanonicalId()!=null ? new 
UrlIdentifier(endpoint.getCanonicalId()) : new UrlIdentifier(_normalizedUrl) ) 
: null,
171    DiscoveryInformation.OPENID2.equals(type) ? endpoint.getLocalId() :
172    DiscoveryInformation.OPENID1_SIGNON_TYPES.contains(type) ? 
endpoint.getDelegate() : null,
173    type,
174    endpoint.getTypes()));

Original issue reported on code.google.com by suri...@gmail.com on 20 Jan 2011 at 6:30

GoogleCodeExporter commented 9 years ago 
Your proposed fix on line 170 is incorrect, the claimed ID must always be the 
normalized URL.

Canonical ID is only used with XRIs; this looks like a mismatch between 
google's local ID discovery configuration and response messages.

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 10:41