It appears that the provider generates a different HMAC-SHA1 signature from a message than that generated by the JanRain library used by Moodle's OpenID plugin.

If I display the signature as sent by openid_provider, I get, for example:

5QfOxcTAM8dCT26Tv+R//noCvz8=

If I display the signature as calculated by the JanRain library, I get, for the same message example:

kQGeoC6W/waTDMnoiu1pF8btQg8=

Comments

jax’s picture

Status: Active » Postponed (maintainer needs more info)

Could you please explain the issue you are experiencing since that is not clear to me. Could you also please explain the steps one should follow to recreate the issue you are experiencing. I'm not familiar with Moodle or JanRain's libraries, so links to those would be appreciated as well.

Chris Johnson’s picture

Version: » 6.x-1.x-dev

The issue is that Moodle's OpenID Relying Party will not authenticate against Drupal's OpenID Identity Provider. One error I discovered is that the SHA1 hash values did not match up. I'm not sure why, but one obvious possibility is that one of the two applications (Moodle and Drupal) are not calculating them correctly under my test circumstances (calculations are done differently based upon the installed PHP's capabilities, e.g. bcmath, GMP, etc.).

Moodle uses the JanRain OpenID libraries, which power 90% of the OpenID sites out there. I'm pretty sure that I'd be right if I guessed that James Walker, who wrote most of the OpenID code for Drupal, spent a lot of time looking at JanRain's PHP library. No point in re-inventing the wheel, after all.

References:

Moodle is at http://moodle.org/.

JanRain's libraries are at http://www.openidenabled.com/php-openid/.

Given all that, I'm not sure this is a problem, since my colleague Darren Ferguson has found further fatal errors. I will be doing more testing with Darren's fixes to see what other problems we encounter (it still does not work with Moodle, for instance).

Chris Johnson’s picture

This problem still exists, now that we've solved the other problems.

Chris Johnson’s picture

Assigned: Unassigned » Chris Johnson
Status: Postponed (maintainer needs more info) » Closed (won't fix)

This appears to be caused by a missing $mac_key (aka "secret") value missing during the signature calculation. The calculation itself is correct. I'm opening a new issue for the botched OpenID protocol problem which leads to the missing $mac_key.