Hi Ikai and thanks for the prompt response.
I think I found a couple bugs in the 1.3.4 openid implementation, let
me know if I should file a bug report for each of them:
I am using appengine 1.3.4 in eclipse on OS X 10.6. Note that this is
a pain to debug since it has to be done on a live appengine install
because of the UserService emulation when in development mode.
===
1: UserServiceFactory.getUserService().createLoginURL(
"https://listshuffle.appspot.com/#q=abc123", "google.com",
"https://www.google.com/accounts/o8/id", new HashSet<String>());
returns
http://listshuffle.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/id&continue=http://listshuffle.appspot.com/
Note the lack of https in the continue parameter. Instead it seems to
pick http if the page is loaded from http and https if the page is
loaded from https.
===
2: Logging in to google openid using the url provided by
UserService.createLoginUrl() will cause Firefox (tested on 3.6.3 and
3.5.6) to display an ugly warning message, see message 1 in this
thread.
All sample pages of 1.3.4 based google-openid show the same problem,
these are the ones I found:
Java:
http://listshuffle.appspot.com/
Java:
http://super-easy.appspot.com/
Python:
http://your-move.appspot.com/
Signing in to AOL or Yahoo does not trigger the problem, and using Safari
(5), Chrome (5) or IE (8) does not display any errors either.
If I allow myself to speculate, it seems like it is the JavaScript POST from
https to http on the Google redirect page
https://www.google.com/accounts/o8/ud?openid.ns=http%3A%2F%... that is
triggering this (maybe Yahoo and AOL are using 302 redirects?).
===
3: Manually specifying a https continue parameter
http://listshuffle.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/id&continue=https://listshuffle.appspot.com/
Does not help, the same Firefox warning is displayed (but the return
url is honored, the page is loaded as https when returning). The post
is to
http://listshuffle.appspot.com/_ah/openid_verify?...
no matter if the continue is set to https (since the continue is just
a parameter forwarded to the openid_verify page).
===
4: When initiating the openid authentication from an appspot page
loaded using https you will get:
Secure Connection Failed
The javascript post is for some reason to
https://listshuffle.appspot.com:80/_ah/openid_verify?
confusing the browser since it expects SSL on a https url and there is
no ssl on port 80. This seems to happen in all browsers.
Removing port 80 does not help, instead it will trigger a 500 Server
Error.
===
This is what I noticed so far, let me know how you want me to
proceed.
// Tomas Isdal
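
Added example (not part of Tomas's message and not App Engine SDK code): a Python check that flags the three URL problems reported in items 1 to 4 above. The function name and finding labels are hypothetical, and the pairing of login URL and POST target in the third call is constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def check_login_flow(requested_continue, login_url, verify_post_url):
    """Return finding labels for one federated-login redirect chain.

    check_login_flow and the labels are hypothetical names for this example.
    The provider's redirect page is assumed to be served over https, as the
    Google page in the message is.
    """
    findings = []
    wanted = urlsplit(requested_continue)
    query = parse_qs(urlsplit(login_url).query)
    actual = urlsplit(query.get("continue", [""])[0])
    # Item 1: app asked for an https continue URL but the login URL carries http.
    if wanted.scheme == "https" and actual.scheme != "https":
        findings.append("continue-downgraded")
    post = urlsplit(verify_post_url)
    # Items 2 and 3: the https provider page POSTs the assertion to plain http.
    if post.scheme == "http":
        findings.append("https-to-http-post")
    # Item 4: https URL pinned to port 80 (or http pinned to 443).
    if (post.scheme, post.port) in {("https", 80), ("http", 443)}:
        findings.append("scheme-port-mismatch")
    return findings

# URLs below are the ones quoted in the message; the elided "?..." query
# strings on the openid_verify URLs are left off.
LOGIN_HTTP = ("http://listshuffle.appspot.com/_ah/login_redir"
              "?claimid=https://www.google.com/accounts/o8/id"
              "&continue=http://listshuffle.appspot.com/")
LOGIN_HTTPS = ("http://listshuffle.appspot.com/_ah/login_redir"
               "?claimid=https://www.google.com/accounts/o8/id"
               "&continue=https://listshuffle.appspot.com/")
VERIFY_HTTP = "http://listshuffle.appspot.com/_ah/openid_verify"
VERIFY_PORT80 = "https://listshuffle.appspot.com:80/_ah/openid_verify"

if __name__ == "__main__":
    print(check_login_flow("https://listshuffle.appspot.com/#q=abc123",
                           LOGIN_HTTP, VERIFY_HTTP))
    print(check_login_flow("https://listshuffle.appspot.com/",
                           LOGIN_HTTPS, VERIFY_HTTP))
    # Constructed pairing: https continue with the port-80 POST target of item 4.
    print(check_login_flow("https://listshuffle.appspot.com/",
                           LOGIN_HTTPS, VERIFY_PORT80))
```
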
On Jun 17, 10:20 am, "Ikai L (Google)" <ika...@google.com> wrote:
> Can you try supplying an HTTPS url as the continue URL? This error is likely
> occurring because you are forwarding from an HTTPS page to an HTTP page.
>
>
>
> On Wed, Jun 16, 2010 at 11:01 PM, Isdal <tomas.is...@gmail.com> wrote:
> > I am considering switching my appengine app from the "old" google auth to
> > federated login using openid.
>
> > I am using the new userservice api introduced in 1.3.4. I have a test
> > app running at http://listshuffle.appspot.com/ (sorry for the terrible
> > ui... and complete lack of functionality, it does show the problem
> > though...).
>
> > The problem I have is that in Firefox (tested on 3.6.3 on both OS X
> > and Windows) there is an ugly warning displayed just before the
> > redirect back to my page from google (after the user allows my app).
> > This only happens in Firefox and only for google openid: yahoo and aol
> > do not have the problem. In Safari and Chrome there is no warning.
>
> > The Firefox warning message says:
> > =================
> > Security Warning:
> > Although this page is encrypted, the information you have entered is
> > to be sent over an unencrypted connection and could easily be read by
> > a third party.
>
> > Are you sure you want to continue sending this information?
> > =================
>
> > I am using: https://www.google.com/accounts/o8/id as my provider,
> > setting it to null or http://www.google.com/accounts/o8/id (no https)
> > does not help.
>
> > Any ideas?
> > Thanks!
> > // Tomas