Appengine 1.3.4 userService.createLoginURL for google openid causing firefox warning


Isdal

Jun 17, 2010, 2:01:19 AM
to Google App Engine
I am considering switching my appengine app from the "old" google auth to
federated login using openid.

I am using the new userservice api introduced in 1.3.4. I have a test
app running at http://listshuffle.appspot.com/ (sorry for the terrible
ui... and complete lack of functionality, it does show the problem
though...).

The problem I have is that in FireFox (tested on 3.6.3 on both OS X
and windows) there is an ugly warning displayed just before the
redirect back to my page from google, (after the user allows my app).
This only happens in Firefox and only for google openid: yahoo and aol
do not have the problem. In Safari and Chrome there is no warning.

The Firefox warning message says:
=================
Security Warning:
Although this page is encrypted, the information you have entered is
to be sent over an unencrypted connection and could easily be read by
a third party.

Are you sure you want to continue sending this information?
=================

I am using: https://www.google.com/accounts/o8/id as my provider,
setting it to null or http://www.google.com/accounts/o8/id (no https)
does not help.

Any ideas?
Thanks!
// Tomas

Ikai L (Google)

Jun 17, 2010, 1:20:50 PM
to google-a...@googlegroups.com
Can you try supplying an HTTPS url as the continue URL? This error is likely occurring because you are forwarding from an HTTPS page to an HTTP page. 



--
Ikai Lan 
Developer Programs Engineer, Google App Engine

Isdal

Jun 17, 2010, 8:20:56 PM
to Google App Engine
Hi Ikai and thanks for the prompt response.

I think I found a couple bugs in the 1.3.4 openid implementation, let
me know if I should file a bug report for each of them:
I am using appengine 1.3.4 in eclipse on OS X 10.6. Note that this is
a pain to debug since it has to be done on a live appengine install
because of the UserService emulation when in development mode.

===
1: UserServiceFactory.getUserService().createLoginURL(
"https://listshuffle.appspot.com/#q=abc123", "google.com",
"https://www.google.com/accounts/o8/id", new HashSet<String>());
returns
http://listshuffle.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/id&continue=http://listshuffle.appspot.com/

Note the lack of https in the continue parameter. Instead it seems to
pick http if the page is loaded from http and https if the page is
loaded from https.

===
2: Logging in to google openid using the url provided by
UserService.createLoginUrl() will cause Firefox (tested on 3.6.3 and
3.5.6) to display an ugly warning message, see message 1 in this
thread.
All sample pages of 1.3.4 based google-openid show the same problem,
these are the ones I found:
Java: http://listshuffle.appspot.com/
Java: http://super-easy.appspot.com/
Python: http://your-move.appspot.com/

Signing in to AOL or yahoo does not trigger the problem, and using Safari
(5), Chrome (5) or IE (8) does not display any errors either.
If I allow myself to speculate, it seems like it is the javascript POST from
https to http on the google redirect page
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%... that is
triggering this. (maybe yahoo and aol are using 302 redirects?)

===
3: Manually specifying a https continue parameter
http://listshuffle.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/id&continue=https://listshuffle.appspot.com/
Does not help, the same Firefox warning is displayed (but the return
url is honored, the page is loaded as https when returning). The post
is to
http://listshuffle.appspot.com/_ah/openid_verify?...
no matter if the continue is set to https (since the continue is just
a parameter forwarded to the openid_verify page).

===
4: When initiating the openid authentication from an appspot page
loaded using https you will get:
Secure Connection Failed

The javascript post is for some reason to https://listshuffle.appspot.com:80/_ah/openid_verify?
confusing the browser since it expects SSL on a https url and there is
no ssl on port 80. This seems to happen in all browsers.

Removing port 80 does not help, instead it will trigger a 500 Server
Error.
===

This is what I noticed so far, let me know how you want me to
proceed.

// Tomas Isdal
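
An added example, not part of the original post and not App Engine code: a small Python check for the two conditions the post above describes, an https step handing off to an http URL and an https URL pinned to port 80. The function names are hypothetical; the URLs are the ones quoted in the post, with elided query strings left off.

```python
"""Audit the URLs in an OpenID login round trip for HTTPS downgrades."""
from urllib.parse import urlsplit, parse_qs


def hop_issues(src, dst):
    """Issues when a browser on page `src` is sent (redirect or POST) to `dst`."""
    s, d = urlsplit(src), urlsplit(dst)
    issues = []
    if s.scheme == "https" and d.scheme == "http":
        issues.append("https-to-http")      # the case the Firefox warning text describes
    if d.scheme == "https" and d.port == 80:
        issues.append("https-on-port-80")   # TLS expected on a plaintext port
    return issues


def continue_param(login_url):
    """Return the continue= value embedded in a login_redir URL, or None."""
    values = parse_qs(urlsplit(login_url).query).get("continue")
    return values[0] if values else None


def audit(requested_continue, login_url, provider_page, verify_url):
    """Map each step of the flow to the issues found there (clean steps omitted)."""
    report = {
        # Did the generated login URL keep the scheme the caller asked for?
        "continue": hop_issues(requested_continue, continue_param(login_url) or ""),
        # The provider's page hands the result back to the app's verify URL.
        "verify": hop_issues(provider_page, verify_url),
    }
    return {step: issues for step, issues in report.items() if issues}


# URLs quoted in the post above; query strings it elides are left off.
REQUESTED = "https://listshuffle.appspot.com/#q=abc123"
LOGIN_URL = ("http://listshuffle.appspot.com/_ah/login_redir"
             "?claimid=https://www.google.com/accounts/o8/id"
             "&continue=http://listshuffle.appspot.com/")
PROVIDER_PAGE = "https://www.google.com/accounts/o8/ud"
VERIFY_HTTP = "http://listshuffle.appspot.com/_ah/openid_verify"
VERIFY_PORT80 = "https://listshuffle.appspot.com:80/_ah/openid_verify"

if __name__ == "__main__":
    print(audit(REQUESTED, LOGIN_URL, PROVIDER_PAGE, VERIFY_HTTP))
    print(audit(REQUESTED, LOGIN_URL, PROVIDER_PAGE, VERIFY_PORT80))
```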



Rajkumar Radhakrishnan

Jun 17, 2010, 11:11:17 PM
to google-a...@googlegroups.com
Hi,

Wanted to add that the issue that Tomas Isdal has reported (first post in this thread), is affecting my app's users too.

The default URL for App Engine apps (or services) from the Google Apps dashboard is with "https://" which will be used in the login URL, resulting in this error. If this were just "http://" there are no issues. Since SSL support is only for appspot domains and anyway not possible for custom domain mapping, I am OK with not having to use https for appspot too and have redirected users to "http://" to avoid the issue. 

Regards,
R.Rajkumar


l.denardo

Jun 18, 2010, 3:17:06 AM
to Google App Engine
I did try this since I got the same warning (by the way I think it's a
Firefox issue, since I had disabled that kind of warnings in my
settings).

The result was an HTTPS error, stating parameters were too long to
process (I think it was due to the very long URLs generated by
redirections).
Sorry for the lack of more details about the error, I just returned to
HTTP and kept Firefox warning, I can try to test HTTPS again if it can
help you detect an issue.

Regards
Lorenzo

On Jun 17, 7:20 pm, "Ikai L (Google)" <ika...@google.com> wrote:
> Can you try supplying an HTTPS url as the continue URL? This error is likely
> occurring because you are forwarding from an HTTPS page to an HTTP page.