Issue 5: validate() fails on delegate because of returnUrl rewriting
On OpenID delegation authUrl_v1 appends the openid.claim_id to the returnUrl. validate(), however, fails because it does not expect that addition.
Workaround in validate():
if (strpos($this->data['openid_return_to'], $this->returnUrl) !== 0) {
Note: I don't know if that has a security impact.
Sep 25, 2010
#1 mewp...@gmail.com (Project Member)
Status: Fixed
Sep 26, 2010
Thank you for the quick fix. In my case http://nhnb.de --> http://nhnb.myopenid.com, $this->data['openid_op_endpoint'] is set, too. So the code is not executed because of the "else":

# Even though we should know location of the endpoint,
# we still need to verify it by discovery, so $server is not set here
$params['openid.ns'] = 'http://specs.openid.net/auth/2.0';
- } elseif(isset($this->data['openid_claimed_id'])) {
+ }
+ if(isset($this->data['openid_claimed_id'])) {
# If it's an OpenID 1 provider, and we've got claimed_id,
# we have to append it to the returnUrl, like authUrl_v1 does.
$this->returnUrl .= (strpos($this->returnUrl, '?') ? '&' : '?')

I am not sure if I have messed up something elsewhere. While myopenid and google work, trying to use Yahoo or AOL ends up with "No server found" (still need to investigate that further).
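Review bot: Turning the `elseif` into a standalone `if` at `+ if(isset($this->data['openid_claimed_id'])) {` makes the claimed_id append run for OpenID 2.0 responses as well, and a 2.0 response can carry openid.claimed_id even though authUrl_v1 only ever put it into return_to for 1.x delegation, so the rewritten returnUrl will then no longer match return_to for 2.0; gate the append on the protocol version (the 2.0 branch right above sets openid.ns to http://specs.openid.net/auth/2.0) rather than on the mere presence of openid_claimed_id. Minor: `strpos($this->returnUrl, '?') ? '&' : '?'` relies on strpos returning a falsy false; `strpos(...) !== false ? '&' : '?'` states the intent and also handles a '?' at offset 0 correctly.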
Sep 26, 2010
authUrl_v1() only appends the openid.claimed_id on delegation, so validate() has to do the same:
- } elseif(isset($this->data['openid_claimed_id'])) {
+ }
+ if(isset($this->data['openid_claimed_id'])
+ && ($this->data['openid_claimed_id'] != $this->data['openid_identity'])) {
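Review bot: The added `claimed_id != identity` test identifies delegation but not the protocol version, and OpenID 2.0 delegation also yields a claimed_id that differs from identity while return_to was never rewritten, so this still breaks 2.0 (the maintainer's reply below makes the same point); check for a 1.x response first (a 2.0 response carries openid.ns = http://specs.openid.net/auth/2.0, as the snippet in the earlier comment shows) and only then compare claimed_id with identity. Also prefer `!==` over `!=` here so the two URL strings are compared without loose conversion.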
Sep 26, 2010
Though your fix would break OpenID 2.0, which can contain openid.claimed_id and it won't be part of return_to. Anyway, the OP shouldn't return openid_op_endpoint in OpenID 1.1. I'll try to change detection method and see if this works.
Status: Started
Sep 27, 2010
It seems to work now. By the way, while the bug is valid, you could easily avoid it by using OpenID 2.0 delegation.
Status: Fixed
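A return_to check that keeps to what authUrl_v1() actually does, as an added example rather than code from LightOpenID or from this thread: it expects the extra openid.claimed_id only on OpenID 1.x delegation, tells 2.0 responses apart by openid.ns (an assumption; the thread does not say which detection method the maintainer settled on), and compares the URL component by component instead of with a prefix check. The array keys, the helper name returnToMatches and the sample responses are constructed for the example.

```php
<?php
// Added example, not LightOpenID's own code. Compares the openid.return_to an
// OP echoes back with the returnUrl this RP sent, expecting the extra
// openid.claimed_id only in the case authUrl_v1() adds it: OpenID 1.x delegation.
// Assumption: response parameters arrive in an array keyed like $this->data
// (openid_return_to, openid_ns, openid_claimed_id, openid_identity), and an
// OpenID 2.0 response is recognised by openid.ns (assumed detection method).

const OPENID_2_NS = 'http://specs.openid.net/auth/2.0';

function returnToMatches(string $expected, array $response): bool
{
    if (!isset($response['openid_return_to'])) {
        return false;
    }
    $actual = $response['openid_return_to'];

    // 2.0 responses carry openid.ns; 1.x responses do not, whatever else
    // (such as openid_op_endpoint) the OP happens to send.
    $isV2 = (($response['openid_ns'] ?? null) === OPENID_2_NS);

    // 1.x delegation: claimed_id differs from identity, and authUrl_v1()
    // appended openid.claimed_id to the returnUrl, so expect it here too.
    // For 2.0 the claimed_id may be present but was never put into return_to.
    $delegated = !$isV2
        && isset($response['openid_claimed_id'], $response['openid_identity'])
        && $response['openid_claimed_id'] !== $response['openid_identity'];
    if ($delegated) {
        $expected .= (strpos($expected, '?') !== false ? '&' : '?')
            . 'openid.claimed_id=' . urlencode($response['openid_claimed_id']);
    }

    $e = parse_url($expected);
    $a = parse_url($actual);
    if ($e === false || $a === false) {
        return false;
    }
    // Scheme, host, port and path must be identical. A bare prefix check
    // (strpos($actual, $expected) === 0) would also accept any longer URL
    // that merely starts with the expected string.
    foreach (['scheme', 'host', 'port', 'path'] as $part) {
        if (($e[$part] ?? null) !== ($a[$part] ?? null)) {
            return false;
        }
    }
    // Every query parameter we sent must come back unchanged, and nothing
    // we did not send may be added. parse_str() decodes both sides the same
    // way, so differences in percent-encoding do not matter.
    parse_str($e['query'] ?? '', $expectedQuery);
    parse_str($a['query'] ?? '', $actualQuery);
    ksort($expectedQuery);
    ksort($actualQuery);
    return $expectedQuery === $actualQuery;
}

// Constructed sample responses (not captured from a real OP); the identities
// mirror the delegation mentioned in the report, http://nhnb.de -> myopenid.
$returnUrl = 'http://rp.example/openid/callback?state=abc';

$v1Delegated = [
    'openid_return_to'  => $returnUrl . '&openid.claimed_id=' . urlencode('http://nhnb.de'),
    'openid_identity'   => 'http://nhnb.myopenid.com/',
    'openid_claimed_id' => 'http://nhnb.de',
];
$v2Delegated = [
    'openid_ns'         => OPENID_2_NS,
    'openid_return_to'  => $returnUrl,
    'openid_identity'   => 'http://nhnb.myopenid.com/',
    'openid_claimed_id' => 'http://nhnb.de',
];
$wrongHost = [
    'openid_return_to'  => 'http://rp.example.net/openid/callback?state=abc',
    'openid_identity'   => 'http://nhnb.myopenid.com/',
];

var_dump(returnToMatches($returnUrl, $v1Delegated)); // 1.x delegation: claimed_id expected in return_to
var_dump(returnToMatches($returnUrl, $v2Delegated)); // 2.0: claimed_id present but never appended to return_to
var_dump(returnToMatches($returnUrl, $wrongHost));   // host differs from the configured returnUrl
```

The three calls cover the delegated 1.x response the report describes, a 2.0 response that carries a claimed_id without it being in return_to (the case the maintainer notes would break with a delegation-only test), and a return_to on a different host, which the reporter's strpos() workaround alone would not distinguish from a longer URL sharing the same prefix.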