
Doesn't handle invalidate.handle requests correctly #42

Open
docwhat opened this issue Nov 26, 2012 · 5 comments

Comments

docwhat commented Nov 26, 2012

This is complicated, bear with me.

My openid server, based on the blah ruby gem, had a bug where it would lose track of associations and nonces every so often.

This led to already remembered associations being invalid. We were fixing it by removing /tmp/mod_auth_openid.db when this happened, but this is not an ideal situation. :-)

The debug log for this looked like so:

```text
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] Queueing endpoint http://specs.openid.net/auth/2.0/identifier_select : http://specs.openid.net/auth/2.0/identifier_select @ https://openid.example.com/server
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] INSERT INTO authentication_sessions (nonce,uri,claimed_id,local_id,expires_on) VALUES('yN1SYmjSxv','https://openid.example.com/server','http://specs.openid.net/auth/2.0/identifier_select','http://specs.openid.net/auth/2.0/identifier_select',1353947952)
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] Set normalized id to: https://openid.example.com/
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] UPDATE authentication_sessions SET normalized_id='https://openid.example.com/' WHERE nonce='yN1SYmjSxv'
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] Fetching endpoint
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] looking up association: server = https://openid.example.com/server
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] found a handle for server "https://openid.example.com/server" in db.
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] Fetching endpoint
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] https://openid.example.com/server is a trusted identity provider
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] Redirecting via HTTP_MOVED_TEMPORARILY to: https://openid.example.com/server?openid.assoc_handle=%%7BHMAC-SHA256%%7D%%7B50abf113%%7D%%7BbSPw2Q%%3D%%3D%%7D&openid.claimed_id=http%%3A%%2F%%2Fspecs.openid.net%%2Fauth%%2F2.0%%2Fidentifier_select&openid.identity=http%%3A%%2F%%2Fspecs.openid.net%%2Fauth%%2F2.0%%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%%3A%%2F%%2Fspecs.openid.net%%2Fauth%%2F2.0&openid.realm=https%%3A%%2F%%2Fpaste.example.com%%2F&openid.return_to=https%%3A%%2F%%2Fpaste.example.com%%2F%%3F%%26modauthopenid.nonce%%3DyN1SYmjSxv&openid.trust_root=https%%3A%%2F%%2Fpaste.example.com%%2F&openid.ax.mode=fetch_request&openid.ax.required=email&openid.ax.type.email=http%%3A%%2F%%2Fopenid.net%%2Fschema%%2Fcontact%%2Finternet%%2Femail&openid.ns.ax=http%%3A%%2F%%2Fopenid.net%%2Fsrv%%2Fax%%2F1.0
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] Request GET params: &modauthopenid.nonce=yN1SYmjSxv&openid.assoc_handle=%%7BHMAC-SHA1%%7D%%7B50b38d20%%7D%%7B6Oo6eA%%3D%%3D%%7D&openid.ax.mode=fetch_response&openid.ax.type.email=http%%3A%%2F%%2Fopenid.net%%2Fschema%%2Fcontact%%2Finternet%%2Femail&openid.ax.value.email=docwhat%%40corp.example.com&openid.claimed_id=https%%3A%%2F%%2Fopenid.example.com%%2Fuser%%2F1&openid.identity=https%%3A%%2F%%2Fopenid.example.com%%2Fuser%%2F1&openid.invalidate_handle=%%7BHMAC-SHA256%%7D%%7B50abf113%%7D%%7BbSPw2Q%%3D%%3D%%7D&openid.mode=id_res&openid.ns=http%%3A%%2F%%2Fspecs.openid.net%%2Fauth%%2F2.0&openid.ns.ax=http%%3A%%2F%%2Fopenid.net%%2Fsrv%%2Fax%%2F1.0&openid.op_endpoint=https%%3A%%2F%%2Fopenid.example.com%%2Fserver&openid.response_nonce=2012-11-26T15%%3A39%%3A12ZEk6eQy&openid.return_to=https%%3A%%2F%%2Fpaste.example.com%%2F%%3F%%26modauthopenid.nonce%%3DyN1SYmjSxv&openid.sig=Ghyx%%2Fve4mi4UV1q6vek68IOm%%2BdI%%3D&openid.signed=assoc_handle%%2Cax.mode%%2Cax.type.email%%2Cax.value.email%%2Cclaimed_id%%2Cidentity%%2Cinvalidate_handle%%2Cmode%%2Cns%%2Cns.ax%%2Cop_endpoint%%2Cresponse_nonce%%2Creturn_to%%2Csigned
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] looking up association: server = https://openid.example.com/server handle = {HMAC-SHA1}{50b38d20}{6Oo6eA==}
[Mon Nov 26 10:39:12 2012] [mod_auth_openid] could not find server "https://openid.example.com/server" and handle "{HMAC-SHA1}{50b38d20}{6Oo6eA==}" in db.
[Mon Nov 26 10:39:12 2012] [error] [client workstation.example.com] Error in authentication: openid.modauthopenid.nonce: no such field
[Mon Nov 26 10:39:13 2012] [mod_auth_openid] Request GET params: &modauthopenid.nonce=gejodtGc5q&openid.assoc_handle=%%7BHMAC-SHA1%%7D%%7B50b38d21%%7D%%7BrVcaQQ%%3D%%3D%%7D&openid.ax.mode=fetch_response&openid.ax.type.email=http%%3A%%2F%%2Fopenid.net%%2Fschema%%2Fcontact%%2Finternet%%2Femail&openid.ax.value.email=docwhat%%40corp.example.com&openid.claimed_id=https%%3A%%2F%%2Fopenid.example.com%%2Fuser%%2F1&openid.identity=https%%3A%%2F%%2Fopenid.example.com%%2Fuser%%2F1&openid.invalidate_handle=%%7BHMAC-SHA256%%7D%%7B50abf113%%7D%%7BbSPw2Q%%3D%%3D%%7D&openid.mode=id_res&openid.ns=http%%3A%%2F%%2Fspecs.openid.net%%2Fauth%%2F2.0&openid.ns.ax=http%%3A%%2F%%2Fopenid.net%%2Fsrv%%2Fax%%2F1.0&openid.op_endpoint=https%%3A%%2F%%2Fopenid.example.com%%2Fserver&openid.response_nonce=2012-11-26T15%%3A39%%3A13Z8AVmce&openid.return_to=https%%3A%%2F%%2Fpaste.example.com%%2Ffavicon.ico%%3F%%26modauthopenid.nonce%%3DgejodtGc5q&openid.sig=OC%%2BJlWjo%%2F4mWtoFjfeLu%%2BvDFdSg%%3D&openid.signed=assoc_handle%%2Cax.mode%%2Cax.type.email%%2Cax.value.email%%2Cclaimed_id%%2Cidentity%%2Cinvalidate_handle%%2Cmode%%2Cns%%2Cns.ax%%2Cop_endpoint%%2Cresponse_nonce%%2Creturn_to%%2Csigned
[Mon Nov 26 10:39:13 2012] [mod_auth_openid] looking up association: server = https://openid.example.com/server handle = {HMAC-SHA1}{50b38d21}{rVcaQQ==}
[Mon Nov 26 10:39:13 2012] [mod_auth_openid] could not find server "https://openid.example.com/server" and handle "{HMAC-SHA1}{50b38d21}{rVcaQQ==}" in db.
[Mon Nov 26 10:39:13 2012] [error] [client workstation.example.com] Error in authentication: openid.modauthopenid.nonce: no such field
```

As you can see, the openid server is requesting a new handle and invalidating the old handle (openid.invalidate_handle) because it doesn't know it.

I feel like mod_auth_openid should be able to deal with this.

Meanwhile, I'm off to fix my openid server so it stops forgetting associations.

Ciao!
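The handling the reporter asks for, written out as an added example in Python (it is not mod_auth_openid's own C++ code): when an id_res arrives signed with a handle the relying party does not hold, OpenID Authentication 2.0 section 11.4.2 has the RP fall back to a direct check_authentication request to the OP, and drop the stale association only once the OP confirms invalidate_handle in that response. All function names are hypothetical, the handles and endpoint are constructed from the log above, and the HTTP round-trip to the OP is stubbed.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, urlencode
# Constructed values modelled on the log above (hypothetical names throughout).
OP = "https://openid.example.com/server"
OLD_HANDLE = "{HMAC-SHA256}{50abf113}{bSPw2Q==}"   # still in the RP's store
NEW_HANDLE = "{HMAC-SHA1}{50b38d20}{6Oo6eA==}"     # OP signed with this instead
SECRET = b"constructed-shared-secret"

def new_store():
    """Hypothetical RP association store: (op_endpoint, handle) -> secret."""
    return {(OP, OLD_HANDLE): SECRET}

def sign(params, secret):
    """OpenID 2.0 sec. 6.1: HMAC-SHA256 over key-value form of the signed fields."""
    msg = "".join(f"{k}:{params['openid.' + k]}\n"
                  for k in params["openid.signed"].split(",")).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def fake_check_authentication(params):
    """Stand-in for the direct POST to the OP with openid.mode=check_authentication."""
    return {"is_valid": "true",
            "invalidate_handle": params.get("openid.invalidate_handle", "")}

def handle_id_res(query, store, check_auth=fake_check_authentication):
    """Return (authenticated, handles_removed) for an indirect id_res response."""
    p = dict(parse_qsl(query))
    op, handle = p["openid.op_endpoint"], p["openid.assoc_handle"]
    if (op, handle) in store:
        # Known association: verify locally and ignore any invalidate_handle.
        return hmac.compare_digest(sign(p, store[(op, handle)]), p["openid.sig"]), []
    # Unknown handle (the case in the log): fall back to direct verification.
    resp = check_auth({**p, "openid.mode": "check_authentication"})
    if resp.get("is_valid") != "true":
        return False, []
    removed, stale = [], (op, resp.get("invalidate_handle", ""))
    if stale[1] and stale in store:  # purge only what the OP itself confirmed
        del store[stale]
        removed.append(stale[1])
    return True, removed

def id_res_query(handle, invalidate=None, secret=None):
    """Build a cut-down id_res like the one in the log (constructed input)."""
    p = {"openid.mode": "id_res", "openid.op_endpoint": OP, "openid.assoc_handle": handle,
         "openid.signed": "mode,op_endpoint,assoc_handle"}
    if invalidate:
        p["openid.invalidate_handle"] = invalidate
        p["openid.signed"] += ",invalidate_handle"
    p["openid.sig"] = sign(p, secret) if secret else "not-verifiable-locally"
    return urlencode(p)
```

With the log's situation (new unknown handle plus invalidate_handle for the old one) the login succeeds via direct verification and the stale SHA-256 handle is removed, instead of the "could not find server ... and handle" failure shown above.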

nov commented Feb 5, 2015

Same issue here.
No fix for 2+ years?

bmuller (Owner) commented Feb 5, 2015

@nov this is not an actively maintained project (see the notice on http://findingscience.com/mod_auth_openid/). PRs welcome, though.

docwhat (Author) commented Feb 5, 2015

@bmuller can you add that to the readme?

bmuller (Owner) commented Feb 5, 2015

It's there.

docwhat (Author) commented Feb 5, 2015

D'oh
