problems with myopenid.com


Andreas

Dec 6, 2007, 8:45:18 AM
to OpenID4Java
Hi,

My openid consumer has been working fine for a few months now, but
today I noticed a problem with myopenid.com logins, which used to work
well before.


ConsumerManager.call() fails at

response.copyOf(ParameterList.createFromKeyValueForm(postResponse));

with the error message:

0x100: Invalid Key-Value form, colon missing:

It seems the server response contains unexpected HTML.

Any ideas what to do?

Thanks,
Andreas


Here are my logs:

SessionAssociation: load http://www.myopenid.com/server
- Could not create association of type: no-encryption:HMAC-SHA1:OpenID2
- Could not create association of type: no-encryption:HMAC-SHA256:OpenID2
- Creating parameter list from key-value form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<base href="http://www.myopenid.com/" />
<title></title>
</head>
<body onload="document.forms[0].submit();"
>
<script type="text/javascript">
if (top != self) top.location.href = 'https://www.myopenid.com/framed';
</script>
<p>
Please click <b>Continue...</b> to continue your request. To avoid
seeing this message in the future, you should enable JavaScript in
your browser.
</p>

assoc_handle:{HMAC-SHA256}{4757f9d6}{O/UYow==}
assoc_type:HMAC-SHA256
dh_server_public:ANzyKzyMz+1Oa5w5VQQ20GNdC55j0tqGJ4CkL6dxWeu88WXuYKEzs+EscyCOEnf9VSmrMkNGKvma/LCDrl5evA7hwNImrdbKceVZttc0/ImjI24/IwSDpu6+cJJXsVqEldMTfIQq4jEG9YJXiPj9BifC7FKz9Et0epDriSjj+d1i
enc_mac_key:L0AKhLuPRGcMXcQL0z9cQ5rfPvU5lJOYeXl8R1mFrgY=
expires_in:1209600
ns:http://specs.openid.net/auth/2.0
session_type:DH-SHA256

</body>
</html>

- Error encountered during association attempt.
org.openid4java.message.MessageException: 0x100: Invalid Key-Value form, colon missing: <html>
at org.openid4java.message.ParameterList.createFromKeyValueForm(ParameterList.java:199)
at org.openid4java.consumer.ConsumerManager.call(ConsumerManager.java:603)
at org.openid4java.consumer.ConsumerManager.associate(ConsumerManager.java:760)
at org.openid4java.consumer.ConsumerManager.associate(ConsumerManager.java:647)
at org.apache.jsp.consumer_005fredirect_jsp._jspService(consumer_005fredirect_jsp.java:220)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:334)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:619)

Johnny Bufu

Dec 6, 2007, 2:02:07 PM
to openi...@googlegroups.com
Andreas,

This seems to be a problem with myopenid.com; I've confirmed that
they are sending html content in direct responses (as opposed to the
very strict key-value form). I've sent them a note about this, and
will post back here when I hear from them.

(You can also always try to contact them directly if you want.)


Johnny

Johnny Bufu

Dec 6, 2007, 4:16:58 PM
to openi...@googlegroups.com

On 6-Dec-07, at 11:02 AM, Johnny Bufu wrote:
> This seems to be a problem with myopenid.com; I've confirmed that
> they are sending html content in direct responses (as opposed to the
> very strict key-value form). I've sent them a note about this, and
> will post back here when I hear from them.

Johnathan Daugherty has just let me know that the problem is fixed
(and indeed it works for me again).


Johnny

Andreas

Dec 7, 2007, 5:03:50 AM
to OpenID4Java

Thanks for the update.

I know that openid is strictly following the spec in this case.
Still it was possible to log into other web sites with a myopenid.com
account during this time. This means the consumer libraries used there
are more tolerant against such spec-deviations.

Would it make sense to make the ParameterList parser more tolerant
against this?
(the correct key-value fields were wrapped within html), or is it
more desirable to follow the spec strictly?

Andreas

Johnny Bufu

Dec 7, 2007, 1:20:27 PM
to openi...@googlegroups.com

On 7-Dec-07, at 2:03 AM, Andreas wrote:
> I know that openid is strictly following the spec in this case.
> Still it was possible to log into other web sites with a myopenid.com
> account during this time. This means the consumer libraries used there
> are more tolerant against such spec-deviations.

No, that is not necessarily true.

Logging into RPs was possible during the misconfiguration of
myopenid.com for all the RPs that had existing associations with
myopenid.com. In this case, no direct calls (for establishing new
associations, or for direct verification) are needed. (Sxip's RPs,
which are powered by openid4java also worked with myopenid.com during
this timeframe.)


> Would it make sense to make the ParameterList parser more tolerant
> against this?
> (the correct key-value fields were wrapped within html), or is it
> more desirable to follow the spec strictly?

The key-value form is used for calculating signatures as well as for
direct messages, so it has to be strictly followed. Permitting the
slightest tolerance can lead to attacks. You can see in this thread
what could happen if something that doesn't look very important is
left out:
http://openid.net/pipermail/security/2006-November/000171.html


Johnny
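
The strict-versus-tolerant question discussed above, as an added example that is not part of the thread and is not openid4java code: a strict key-value form parser beside a tolerant one that skips lines without a colon, run on a constructed response modelled on the logged one. The class and method names are hypothetical; the tolerant parser shows how a markup line that happens to contain a colon ends up as a parameter.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: hypothetical class, not openid4java's ParameterList.
public class StrictKeyValueForm {

    // Strict: every line must be "key:value\n"; anything else aborts the parse.
    static Map<String, String> parseStrict(String body) {
        Map<String, String> out = new LinkedHashMap<>();
        if (body.isEmpty()) return out;
        if (!body.endsWith("\n"))
            throw new IllegalArgumentException("last line not newline-terminated");
        for (String line : body.substring(0, body.length() - 1).split("\n", -1)) {
            int colon = line.indexOf(':');
            if (colon < 1)  // no colon at all, or an empty key
                throw new IllegalArgumentException("no key:value pair on line: " + line);
            // OpenID 2.0 forbids repeated parameter names, so a duplicate is an error.
            if (out.put(line.substring(0, colon), line.substring(colon + 1)) != null)
                throw new IllegalArgumentException("duplicate key on line: " + line);
        }
        return out;
    }

    // Tolerant variant of the kind asked about in the thread: skip lines without a colon.
    static Map<String, String> parseTolerant(String body) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String line : body.split("\n")) {
            int colon = line.indexOf(':');
            if (colon > 0) out.put(line.substring(0, colon), line.substring(colon + 1));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the logged response: fields wrapped in HTML.
        String wrapped = "<html>\n"
            + "<base href=\"http://www.myopenid.com/\" />\n"
            + "assoc_type:HMAC-SHA256\n"
            + "expires_in:1209600\n"
            + "</html>\n";
        // The <base> line contains ':' and therefore becomes a bogus parameter.
        System.out.println("tolerant keys: " + parseTolerant(wrapped).keySet());
        try {
            parseStrict(wrapped);
        } catch (IllegalArgumentException e) {
            System.out.println("strict parser rejected: " + e.getMessage());
        }
        System.out.println("strict, clean input: "
            + parseStrict("assoc_type:HMAC-SHA256\nexpires_in:1209600\n"));
    }
}
```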

