Issue 95: Exception in AssociationResponse when Open ID Provider supports only stateless
Status:  New
Owner:  ----
Type-Defect
Priority-Medium


Reported by j...@net-v.com, Jun 24, 2009
What steps will reproduce the problem?
1. Use an Open ID Provider that supports only stateless.
2. Use ConsumerManager.associate to try to associate (it is not always 
known that the Open ID Provider only supports stateless, so trying to 
associate makes sense).
3. The Open ID Provider returns an error response with error_code and 
error parameters, see 
http://openid.net/specs/openid-authentication-2_0.html 8.2.4
4. Message.validate throws an Exception that assoc_type is a required 
field because it is listed in the required fields of AssociationResponse

What is the expected output? What do you see instead?
An exception is thrown and logged, this is unnecessary: assoc_type isn't a 
required field for association responses, only for successful 
associations. ConsumerManager will however use stateless and continues.

What version of the product are you using? On what operating system?
0.9.5 on Windows XP.

Please provide any additional information below.
AssociationResponse should be able to accept unsuccessful association 
responses. It should have a method to check whether or not the response 
was successful.

Comment 1 by j...@net-v.com, Jul 03, 2009
I've looked at the code and ConsumerManager assumes that a failed association 
response has a HttpStatus.SC_BAD_REQUEST as status, but I don't see this requirement 
in the specifications. According to me, a HttpStatus.SC_OK status is valid for a 
failed association response.

I think the test should be if the error_code parameter is present.

Another problem with failed association responses is that the AssociationError class 
lists session_type as a required field. According to the 2.0 specification, this 
field isn't required, but optional.
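
The check proposed in comment 1, sketched as an added example that is not part of the original thread and not openid4java code: a response is classified by the presence of error_code in its Key-Value Form body rather than by HTTP status, and the required fields depend on that classification. The class name AssocReply, its methods, the required-key lists (assumed from sections 8.2.1 and 8.2.4 of the 2.0 specification) and the sample bodies are all assumptions made for illustration.

```java
import java.util.*;

// Added illustration; AssocReply and its methods are hypothetical names, not openid4java classes.
public class AssocReply {
    // Required keys assumed from OpenID Authentication 2.0 sections 8.2.1 and 8.2.4.
    static final List<String> SUCCESS_REQUIRED =
            Arrays.asList("ns", "assoc_handle", "session_type", "assoc_type", "expires_in");
    // assoc_type and session_type are deliberately absent here: both are optional on failure.
    static final List<String> FAILURE_REQUIRED = Arrays.asList("ns", "error", "error_code");

    final Map<String, String> params = new LinkedHashMap<>();

    // Parse a Key-Value Form body: one "key:value" pair per line, split on the first colon.
    AssocReply(String body) {
        for (String line : body.split("\n")) {
            int colon = line.indexOf(':');
            if (colon <= 0) continue;               // skip blank or malformed lines
            params.put(line.substring(0, colon), line.substring(colon + 1));
        }
    }

    // Classify by body content, not by HTTP status, as proposed in comment 1.
    boolean isSuccessful() { return !params.containsKey("error_code"); }

    // Return the required keys that are missing for this kind of response.
    List<String> missingFields() {
        List<String> missing = new ArrayList<>();
        for (String key : isSuccessful() ? SUCCESS_REQUIRED : FAILURE_REQUIRED)
            if (!params.containsKey(key)) missing.add(key);
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample bodies, not captured from a real provider.
        String failure = "ns:http://specs.openid.net/auth/2.0\n"
                + "error:association not supported\nerror_code:unsupported-type\n";
        String success = "ns:http://specs.openid.net/auth/2.0\nassoc_handle:h1\n"
                + "session_type:no-encryption\nassoc_type:HMAC-SHA256\n"
                + "expires_in:3600\nmac_key:AAAA\n";
        for (String body : new String[] {failure, success}) {
            AssocReply r = new AssocReply(body);
            List<String> missing = r.missingFields();
            if (!missing.isEmpty()) throw new IllegalStateException("missing " + missing);
            System.out.println(r.isSuccessful() ? "associated" : "fall back to stateless mode");
        }
    }
}
```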