Local signature verification failed

468 views
Skip to first unread message

Olaf

unread,
Jan 11, 2010, 6:32:59 AM1/11/10
to OpenID4Java
For a GWT application I use the OpenID4Java library to provide a
simple one click login for users with existing accounts at Google,
Yahoo or other OpenID providers. Everything worked fine in GWT
development mode until I deployed a first test system on a Tomcat
server.

On the GWT development server (Jetty) I had no problems signing in
with my Google account. When running the app in Tomcat I get the
following error: "Local signature verification failed", although I
receive positive auth response and Google delivers my name and email
address. But only when I sign in with my Google Account. Yahoo and
other OpenID providers work without problems as on the development
system.

Logs when signing in via Google:

11:20:06,541 http-8080-1 WARN RealmVerifier:107 - RP discovery /
realm validation disabled;
11:20:07,677 http-8080-1 INFO Discovery:128 - Starting discovery on
URL identifier: https://www.google.com/accounts/o8/id
11:20:08,676 http-8080-1 INFO YadisResolver:245 - Yadis discovered 1
endpoints from: https://www.google.com/accounts/o8/id
11:20:08,676 http-8080-1 INFO Discovery:151 - Discovered 1 OpenID
endpoints.
11:20:08,677 http-8080-1 INFO ConsumerManager:707 - Trying to
associate with https://www.google.com/accounts/o8/ud attempts left: 4
11:20:09,051 http-8080-1 INFO ConsumerManager:804 - Associated with
https://www.google.com/accounts/o8/ud handle: [ASSOCIATION HANDLE
GOOGLE]
11:20:09,052 http-8080-1 INFO ConsumerManager:1065 - Creating
authentication request for OP-endpoint: https://www.google.com/accounts/o8/ud
claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-
specific ID: http://specs.openid.net/auth/2.0/identifier_select
11:20:09,054 http-8080-1 INFO RealmVerifier:278 - Return URL:
http://localhost:8080/egm/biz.egnition.egm.client.gwt.Masterplan/authenticate?authenticated=true
matches realm: http://localhost:8080/egm/biz.egnition.egm.client.gwt.Masterplan/authenticate?authenticated=true
11:20:19,899 http-8080-1 INFO ConsumerManager:1123 - Verifying
authentication response...
11:20:19,901 http-8080-1 INFO ConsumerManager:1147 - Received
positive auth response.
11:20:19,904 http-8080-1 INFO Discovery:128 - Starting discovery on
URL identifier: https://www.google.com/accounts/o8/id?id=[ID AT
GOOGLE]
11:20:20,275 http-8080-1 INFO YadisResolver:245 - Yadis discovered 5
endpoints from: https://www.google.com/accounts/o8/id?id=[ID AT
GOOGLE]
11:20:20,276 http-8080-1 INFO Discovery:151 - Discovered 5 OpenID
endpoints.
11:20:20,276 http-8080-1 INFO ConsumerManager:1782 - Found
association: [ASSOCIATION HANDLE GOOGLE] verifying signature
locally...
11:20:20,279 http-8080-1 ERROR ConsumerManager:1853 - Verification
failed for: https://www.google.com/accounts/o8/id?id=[ID AT GOOGLE]
reason: Local signature verification failed

Logs when signing in via Yahoo:

11:21:29,573 http-8080-1 INFO Discovery:128 - Starting discovery on
URL identifier: https://www.yahoo.com/
11:21:32,780 http-8080-1 INFO YadisResolver:245 - Yadis discovered 1
endpoints from: https://www.yahoo.com/
11:21:32,781 http-8080-1 INFO Discovery:151 - Discovered 1 OpenID
endpoints.
11:21:32,781 http-8080-1 INFO ConsumerManager:707 - Trying to
associate with https://open.login.yahooapis.com/openid/op/auth
attempts left: 4
11:21:33,669 http-8080-1 WARN HttpMethodBase:676 - Going to buffer
response body of large or unknown size. Using getResponseBodyAsStream
instead is recommended.
11:21:33,676 http-8080-1 INFO ConsumerManager:804 - Associated with
https://open.login.yahooapis.com/openid/op/auth handle: [ASSOCIATION
HANDLE YAHOO]
11:21:33,677 http-8080-1 INFO ConsumerManager:1065 - Creating
authentication request for OP-endpoint: https://open.login.yahooapis.com/openid/op/auth
claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-
specific ID: http://specs.openid.net/auth/2.0/identifier_select
11:21:33,677 http-8080-1 INFO RealmVerifier:278 - Return URL:
http://localhost:8080/egm/biz.egnition.egm.client.gwt.Masterplan/authenticate?authenticated=true
matches realm: http://localhost:8080/egm/biz.egnition.egm.client.gwt.Masterplan/authenticate?authenticated=true
11:21:41,053 http-8080-1 INFO ConsumerManager:1123 - Verifying
authentication response...
11:21:41,055 http-8080-1 INFO ConsumerManager:1147 - Received
positive auth response.
11:21:41,057 http-8080-1 INFO Discovery:128 - Starting discovery on
URL identifier: https://me.yahoo.com/a/[ID AT YAHOO]
11:21:42,650 http-8080-1 INFO YadisResolver:245 - Yadis discovered 1
endpoints from: https://me.yahoo.com/a/[ID AT YAHOO]
11:21:42,650 http-8080-1 INFO Discovery:151 - Discovered 1 OpenID
endpoints.
11:21:42,652 http-8080-1 INFO ConsumerManager:1782 - Found
association: [ASSOCIATION HANDLE YAHOO] verifying signature locally...
11:21:42,654 http-8080-1 INFO ConsumerManager:1850 - Verification
succeeded for: https://me.yahoo.com/a/[ID AT YAHOO]#5bdd2

Any ideas?

Johnny Bufu

unread,
Jan 12, 2010, 2:03:04 PM1/12/10
to openi...@googlegroups.com
Try enabling debug logs and see if there's any meaningful difference
between the Yahoo and Google logs.

Johnny

Olaf

unread,
Jan 13, 2010, 7:55:12 AM1/13/10
to OpenID4Java
Jonny,

the signature to verify is different from the calculated signature:

http-8080-1 DEBUG Association:278 - Verifying signature:
J4U7TGOW3jnbdsvvpWccGDulZfctFwTatt10c90yLEw=
http-8080-1 DEBUG Association:267 - Calculated signature:
RpPGBpsRYC0QfVWRlP5rTNca1g3NGONGC71YzZJQU9M=
http-8080-1 DEBUG ConsumerManager:1794 - Local signature verification
failed.

but only when running on Tomcat. I made sure that's the same
ConsumerManager object. In GWT hosted mode it runs perfectly
with all OpenID providers and I get a

DEBUG ConsumerManager:1790 - Local signature verification succeeded.

when signing in with my Google account.


As I went through the debug logs I saw a difference in encoding a
german umlaut
in the returned data from my Google account. After removing this
german umlaut I
can log in on the test system on Tomcat. So I found the reason, but
removing umlauts
in the user accounts cannot be the solution. I'll write an update as
soon as I know how
to handle such special characters in the fetched attribute data.

Olaf

Johnny Bufu

unread,
Jan 13, 2010, 1:20:14 PM1/13/10
to openi...@googlegroups.com
On Wed, Jan 13, 2010 at 04:55:12AM -0800, Olaf wrote:
> As I went through the debug logs I saw a difference in encoding a
> german umlaut in the returned data from my Google account.

So the proper fix involves pinpointing where the incorrect encoding
originates and then making sure the umlaut is encoded correctly. From what
you're saying it sounds like a tomcat deployment/configuration issue.

Johnny

Olaf

unread,
Jan 14, 2010, 4:01:01 AM1/14/10
to OpenID4Java
Adding the attribute URIEncoding="UTF-8" to the connector
element in Tomcat's server.xml fixed it. Thanks,

Olaf

Reply all
Reply to author
Forward
0 new messages