Issue 202 in openid4java: Identity verification is too restrictive and results in false-positive verification failures


codesite...@google.com

Dec 3, 2013, 10:54:38 PM
to openid4java-...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 202 by kohsuke....@gmail.com: Identity verification is too
restrictive and results in false-positive verification failures
http://code.google.com/p/openid4java/issues/detail?id=202

What steps will reproduce the problem?
1. If your OpenID is "http://foo/bar/zot", try to assert that you
are "http://foo:80/bar/zot"
2. Let the OpenID protocol run its course
3. Observe that openid4java reports an error "No service element found to
match the identifier in the assertion."


What is the expected output? What do you see instead?
ConsumerManager should verify me as http://foo/bar/zot


What version of the product are you using? On what operating system?
0.9.4


Please provide any additional information below.
The problem is in ConsumerManager.verifyDiscovered1
Discover.discover(String identifier) performs URL normalization,
so "http://foo:80/bar/zot" gets normalized into a UrlIdentifier
of "http://foo/bar/zot", and this is what the discovery will be based on.

Yet a few lines down below, a check is done between pre-normalized assertId
and Identifier.getIdentifier() as a String comparison:

! assertId.equals(service.getClaimedIdentifier().getIdentifier()))

If we just let the comparison happen between two Identifier objects, the
normalization will correctly ignore these pointless differences.

I've attached the patch to fix this problem.

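To make the two comparisons in this report concrete, here is an added example (not openid4java code, and in Python rather than the library's Java) that implements the URL-identifier normalization from OpenID Authentication 2.0 section 7.2 (RFC 3986 section 6 syntax-based normalization plus fragment removal; the redirect-following the spec also requires needs network access and is left out) and then applies both verification strategies from the thread: the exact string comparison of the asserted claimed identifier against the discovered one, and the normalize-both-sides comparison the reporter's patch asks for. The identifiers "http://foo/bar/zot" and "http://foo:80/bar/zot" come from the report; the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Default ports that RFC 3986 section 6.2.3 says to drop during normalization.
DEFAULT_PORTS = {"http": 80, "https": 443}

# XRI identifiers (xri:// or a global context symbol) take a different path
# in OpenID 2.0 section 7.2; this example only handles URL identifiers.
XRI_PREFIXES = ("xri://", "=", "@", "+", "$", "!", "(")


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve '.' and '..' segments in an absolute path."""
    segments = path.split("/")
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if len(out) > 1:  # never pop the leading empty segment (the root)
                out.pop()
            if last:
                out.append("")  # trailing '/..' keeps a trailing slash
        elif seg == ".":
            if last:
                out.append("")  # trailing '/.' keeps a trailing slash
        else:
            out.append(seg)
    return "/".join(out)


def normalize_url_identifier(identifier: str) -> str:
    """OpenID 2.0 section 7.2 normalization of a URL identifier:
    add a missing http:// scheme, lowercase scheme and host, drop the default
    port, resolve dot segments, use '/' for an empty path, uppercase percent-
    encoding hex digits, and strip any fragment. Decoding of percent-encoded
    unreserved characters (RFC 3986 section 6.2.2.2) is not implemented here."""
    if identifier.startswith(XRI_PREFIXES):
        raise ValueError("XRI identifiers are outside the scope of this example")
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; raises ValueError if malformed
    netloc = host if port is None or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    path = remove_dot_segments(parts.path or "/")
    path = re.sub(r"%[0-9a-fA-F]{2}", lambda m: m.group(0).upper(), path)
    # The empty last element drops the fragment, as section 7.2 requires.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def verify_claimed_id_exact(asserted: str, discovered: str) -> bool:
    """The check as the report describes openid4java 0.9.4 doing it: the
    claimed identifier from the assertion must equal, as a string, the
    (already normalized) claimed identifier obtained through discovery."""
    return asserted == discovered


def verify_claimed_id_normalized(asserted: str, discovered: str) -> bool:
    """The check the reporter's patch asks for: normalize both sides, then compare."""
    return normalize_url_identifier(asserted) == normalize_url_identifier(discovered)


def thread_scenario() -> dict:
    """Replay the report: discovery ran on the normalized identifier, while the
    assertion carries the pre-normalized form with an explicit default port."""
    discovered = normalize_url_identifier("http://foo/bar/zot")
    asserted = "http://foo:80/bar/zot"  # non-normalized claimed_id in the assertion
    return {
        "discovered": discovered,
        "exact_match": verify_claimed_id_exact(asserted, discovered),
        "normalized_match": verify_claimed_id_normalized(asserted, discovered),
    }


if __name__ == "__main__":
    for name, value in thread_scenario().items():
        print(f"{name}: {value}")
```

The exact comparison rejects "http://foo:80/bar/zot" because the port survives in the assertion but not in the discovered identifier; normalizing first accepts it, and a genuinely different identifier such as "http://foo/other" still fails either way. Where the spec places the normalization obligation (on the party producing the claimed identifier, or on the relying party at verification time) is the question the rest of this thread turns on.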

codesite...@google.com

Dec 3, 2013, 10:55:38 PM
to openid4java-...@googlegroups.com

Comment #1 on issue 202 by kohsuke....@gmail.com: Identity verification is
too restrictive and results in false-positive verification failures
http://code.google.com/p/openid4java/issues/detail?id=202

Patch attached.

Attachments:
openid4java-202.diff 1.2 KB

codesite...@google.com

Dec 3, 2013, 11:38:44 PM
to openid4java-...@googlegroups.com
Updates:
Status: Invalid

Comment #2 on issue 202 by Johnny.B...@gmail.com: Identity verification is
too restrictive and results in false-positive verification failures
http://code.google.com/p/openid4java/issues/detail?id=202

assertId is the claimed identifier obtained from the response, which must
be in normalized form (per claimed identifier definition) and must match
exactly the (normalized) claimed identifier obtained via discovery, per:
http://openid.net/specs/openid-authentication-2_0.html#terminology
http://openid.net/specs/openid-authentication-2_0.html#verify_disco

OpenID providers asserting invalid claimed identifiers (in non-normalized
form) are not complying with the above, so their responses will fail
verification as expected.

codesite...@google.com

Dec 3, 2013, 11:42:15 PM
to openid4java-...@googlegroups.com

Comment #3 on issue 202 by kohsuke....@gmail.com: Identity verification is
too restrictive and results in false-positive verification failures
http://code.google.com/p/openid4java/issues/detail?id=202

Okay.

In this case the OpenID provider is also openid4java. I guess I need to dig
a bit deeper and file a separate issue.