Google Groups

Re: [google-federated-login-api] OpenID validation became broken on my site


Andrey Pohilko Apr 22, 2012 11:58 PM
Posted in group: Google Federated Login API
Breno,

I've sent you full logs example that I have.

On Monday, April 23, 2012 3:33:26 AM UTC+3, Breno wrote:
Unfortunately I cannot reproduce the issue from my computer yet. When I try check_authentication, it succeeds.

I will continue looking into this.

On Saturday, April 21, 2012 1:04:41 PM UTC-7, Andrey Pohilko wrote:
Breno,

I have made a detailed trace of the communication with the Google OpenID server. Here's the scenario:
1. Loadosophia.org (my server) makes a HEAD request to https://www.google.com/accounts/o8/id and gets the response headers.
2. Loadosophia.org makes a GET request to the same address and receives an XRDS document with <URI>https://www.google.com/accounts/o8/ud</URI> inside it.
3. Loadosophia redirects the user to Google (here I have a question: must this be the 'id' or the 'ud' URI?): 
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Floadosophia.org%2Fservice%2F&openid.realm=https%3A%2F%2Floadosophia.org&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.ax.type.contact_email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ax.type.namePerson_friendly=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffriendly&openid.ax.type.namePerson_first=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ax.type.namePerson_last=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ax.type.contact_country_home=http%3A%2F%2Faxschema.org%2Fcontact%2Fcountry%2Fhome&openid.ax.type.pref_language=http%3A%2F%2Faxschema.org%2Fpref%2Flanguage&openid.ax.required=contact_email%2CnamePerson_friendly%2CnamePerson_first%2CnamePerson_last%2Ccontact_country_home%2Cpref_language&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
4. The user confirms on the Google page that he allows Loadosophia.org to authenticate him. 
5. Google redirects the user back to Loadosophia with the following data:
openid_ns => http://specs.openid.net/auth/2.0
openid_mode => id_res
openid_op_endpoint => https://www.google.com/accounts/o8/ud
openid_response_nonce => 2012-04-21T19:46:45***********
openid_return_to => https://loadosophia.org/service/
openid_assoc_handle => ***********
openid_signed => op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.namePerson_first,ext1.value.namePerson_first,ext1.type.contact_email,ext1.value.contact_email,ext1.type.pref_language,ext1.value.pref_language,ext1.type.contact_country_home,ext1.value.contact_country_home,ext1.type.namePerson_last,ext1.value.namePerson_last
openid_sig => ************=
openid_identity => https://www.google.com/accounts/o8/id?id=***************
openid_claimed_id => https://www.google.com/accounts/o8/id?id=******************
openid_ns_ext1 => http://openid.net/srv/ax/1.0
openid_ext1_mode => fetch_response
openid_ext1_type_namePerson_first => http://axschema.org/namePerson/first
openid_ext1_value_namePerson_first => User
openid_ext1_type_contact_email => http://axschema.org/contact/email
openid_ext1_value_contact_email => some...@apc.kg
openid_ext1_type_pref_language => http://axschema.org/pref/language
openid_ext1_value_pref_language => ru
openid_ext1_type_contact_country_home => http://axschema.org/contact/country/home
openid_ext1_value_contact_country_home => KG
openid_ext1_type_namePerson_last => http://axschema.org/namePerson/last
openid_ext1_value_namePerson_last => Surname
6. Loadosophia tries to validate the authentication by sending a POST request to https://www.google.com/accounts/o8/ud with all the above fields and values, with the underscores in the field names converted to dots and with openid.mode=check_authentication. Google responds "is_valid:false ns:http://specs.openid.net/auth/2.0".

I'm totally confused why the authentication is invalid... When I run the same code from a different computer, everything works like a charm. I wonder if there is some IP/host dependency here... 

My service has been down for 3 days because of this :( I would really appreciate any help...

Thank you!

On Friday, April 20, 2012 1:46:49 AM UTC+3, breno wrote:
The approach to nonce validation has been tightened some. Could it be
that the server is mistakenly submitting the request twice?

On Thu, Apr 19, 2012 at 10:07,  <a...@apc.kg> wrote:
> Hi,
>
> I use Google OpenID user authentication on my website. I made no changes
> recently, but Google responds to my check_authentication request with:
>>
>> is_valid:false ns:http://specs.openid.net/auth/2.0
>
>
> I tried from my test host to perform the same operation using the same code
> - it works. Was I banned for some reason? How may I know the reason, to
> prevent further issues?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Federated Login API" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/google-federated-login-api/-/nSPcJQ7xlZcJ.
> To post to this group, send email to
> google-federa...@googlegroups.com.
> To unsubscribe from this group, send email to
> google-federated-login-api+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/google-federated-login-api?hl=en.

--
--Breno
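The check_authentication step traced in the thread (step 6, and the "submitting the request twice" question), as an added example that is not code from the thread, from Google or from Loadosophia: an offline Python simulation of both sides. The OP stand-in does what the OpenID 2.0 spec requires of the real endpoint for this step: it recomputes the signature over the fields named in openid.signed and refuses to verify the same response_nonce a second time. The association handle and secret, nonce, identity and e-mail values are constructed stand-ins for the masked values in the log, and an HMAC-SHA256 association is assumed. Beyond the thread's single case it also shows two other ways to earn the same is_valid:false reply: a replayed check (the nonce tightening Breno mentions) and a tampered signed field. One caveat on the name conversion in step 6: a blind underscore-to-dot replacement also rewrites op_endpoint, assoc_handle and the AX alias namePerson_first, so the RP side below rebuilds the dotted names from the openid.signed list instead.

```python
"""OpenID 2.0 check_authentication, simulated offline (added example, not the thread's code)."""
import base64
import hashlib
import hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"
ASSOC_HANDLE = "assoc-example-1"   # constructed; Google's real handle is masked in the log
ASSOC_SECRET = b"\x01" * 32        # constructed HMAC-SHA256 association secret


def kv_encode(fields, signed):
    """Key-value form of the signed fields, in openid.signed order (spec section 6.1)."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)


def sign(fields, signed, secret):
    """Base64 HMAC-SHA256 over the key-value form, as for an HMAC-SHA256 association."""
    mac = hmac.new(secret, kv_encode(fields, signed).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def parse_kv_response(body):
    """Parse a direct response such as 'is_valid:false\\nns:...' into a dict."""
    result = {}
    for line in body.splitlines():
        key, _, value = line.partition(":")
        result[key] = value
    return result


class SimulatedOP:
    """Stand-in for the OP endpoint: answers check_authentication, tracks used nonces."""

    def __init__(self):
        self.seen_nonces = set()

    def check_authentication(self, params):
        ok = params.get("openid.mode") == "check_authentication"
        signed = params.get("openid.signed", "").split(",") if ok else []
        # Every signed field must be present under its exact dotted name.
        ok = ok and params.get("openid.assoc_handle") == ASSOC_HANDLE
        ok = ok and all("openid." + name in params for name in signed)
        if ok:
            expected = sign(params, signed, ASSOC_SECRET)
            ok = hmac.compare_digest(expected, params.get("openid.sig", ""))
        nonce = params.get("openid.response_nonce", "")
        if ok and nonce in self.seen_nonces:
            ok = False   # spec 11.4.2.1: an assertion is verified at most once
        if ok:
            self.seen_nonces.add(nonce)
        return f"is_valid:{'true' if ok else 'false'}\nns:{OPENID_NS}\n"


def constructed_id_res():
    """An id_res response shaped like step 5 in the thread, with constructed values,
    returned the way a web framework hands it to the RP: dots replaced by underscores."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", "ns.ext1", "ext1.mode",
              "ext1.type.namePerson_first", "ext1.value.namePerson_first",
              "ext1.type.contact_email", "ext1.value.contact_email"]
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://www.google.com/accounts/o8/ud",
        "openid.response_nonce": "2012-04-21T19:46:45Zexample",
        "openid.return_to": "https://loadosophia.org/service/",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.identity": "https://www.google.com/accounts/o8/id?id=example",
        "openid.claimed_id": "https://www.google.com/accounts/o8/id?id=example",
        "openid.ns.ext1": "http://openid.net/srv/ax/1.0",
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.namePerson_first": "http://axschema.org/namePerson/first",
        "openid.ext1.value.namePerson_first": "User",
        "openid.ext1.type.contact_email": "http://axschema.org/contact/email",
        "openid.ext1.value.contact_email": "user@example.com",
        "openid.signed": ",".join(signed),
    }
    fields["openid.sig"] = sign(fields, signed, ASSOC_SECRET)
    return {name.replace(".", "_"): value for name, value in fields.items()}


def rp_check_authentication(flat, op):
    """RP side of step 6: recover the dotted names from openid.signed (plus the
    unsigned core fields), switch the mode, and read the OP's answer."""
    signed = flat["openid_signed"].split(",")
    names = ["openid." + n for n in signed] + ["openid.ns", "openid.signed", "openid.sig"]
    params = {n: flat[n.replace(".", "_")] for n in names if n.replace(".", "_") in flat}
    params["openid.mode"] = "check_authentication"
    return parse_kv_response(op.check_authentication(params)).get("is_valid") == "true"


def naive_check_authentication(flat, op):
    """Blind underscore-to-dot replacement: 'openid_op_endpoint' becomes 'openid.op.endpoint'
    and 'namePerson_first' becomes 'namePerson.first', so the OP finds no such signed fields."""
    params = {name.replace("_", "."): value for name, value in flat.items()}
    params["openid.mode"] = "check_authentication"
    return parse_kv_response(op.check_authentication(params)).get("is_valid") == "true"


def demo():
    """Four cases, returned as case -> is_valid; only the first proper check is valid."""
    op = SimulatedOP()
    flat = constructed_id_res()
    results = {"naive_underscore_replace": naive_check_authentication(flat, op)}
    results["first_check"] = rp_check_authentication(flat, op)
    results["replayed_check"] = rp_check_authentication(flat, op)
    tampered = dict(flat, openid_ext1_value_contact_email="attacker@example.com")
    results["tampered_email"] = rp_check_authentication(tampered, SimulatedOP())
    return results


if __name__ == "__main__":
    for case, valid in demo().items():
        print(f"{case}: is_valid:{'true' if valid else 'false'}")
```

Against the real endpoint the RP would POST `params` form-encoded to the openid.op_endpoint value from the response rather than call a local object; everything else in rp_check_authentication stays the same. The replayed case is the one to look for first when a working RP suddenly gets is_valid:false: any retry, double submit, or second worker that re-sends the same assertion is answered false once the OP has verified that nonce.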