OpenID Authentication v1 - openid.trust_root not set

manarth - October 13, 2008 - 07:20
Project: OpenID
Version: 5.x-1.2
Component: OpenID Client
Category: bug report
Priority: normal
Assigned: Unassigned
Status: needs review
Description

The problem: cannot authenticate with OpenID Authentication 1.1.

This is because when authenticating, the RP prepares a set of key-value pairs as defined in the OpenID specs: http://openid.net/specs/openid-authentication-1_1.html

One of these pairs is openid.trust_root:

"The openid.return_to URL MUST descend from the openid.trust_root, or the Identity Provider SHOULD return an error. Namely, the URL scheme and port MUST match. The path, if present, MUST be equal to or below the value of openid.trust_root, and the domains on both MUST match, or, the openid.trust_root value contain a wildcard like http://*.example.com. The wildcard SHALL only be at the beginning. It is RECOMMENDED Identity Provider's protect their End Users from requests for things like http://*.com/ or http://*.co.uk/."

http://openid.net/specs/openid-authentication-1_1.html#anchor13

This is handled in the function openid_authentication_request:

<?php
function openid_authentication_request($claimed_id, $identity, $return_to = '', $assoc_handle = '', $version = 2) {
  global $base_url;
  include_once drupal_get_path('module', 'openid') .'/openid.inc';

  $ns = ($version == 2) ? OPENID_NS_2_0 : OPENID_NS_1_0;
  $request =  array(
    'openid.ns' => $ns,
    'openid.mode' => 'checkid_setup',
    'openid.identity' => $identity,
    'openid.claimed_id' => $claimed_id,
    'openid.assoc_handle' => $assoc_handle,
    'openid.return_to' => $return_to,
  );

  if ($version == 2) {
    $request['openid.realm'] = url('', NULL, NULL, TRUE);
  }
  else {
    $request['openid.trust_root'] = $realm;
  }

  // Simple Registration
  $request['openid.sreg.required'] = 'nickname,email';
  $request['openid.ns.sreg'] = "http://openid.net/extensions/sreg/1.1";

  $request = array_merge($request, module_invoke_all('openid', 'request', $request));

  return $request;
}
?>

The function assigns openid.trust_root to the variable $realm; however, $realm is not used in this module or in scope for this function. This means that openid.trust_root will always be set to NULL.

<?php
    $request['openid.trust_root'] = $realm;
?>

The attached patch replaces $realm with a call to url(), setting the trust_root to be the base URL of the website.

Attachment: openid.module.patch (213 bytes)
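
The descent rule quoted from the OpenID 1.1 specification in this report, written out as a check an Identity Provider could apply. This is an added example, not part of the original issue or of the OpenID module. The function names and sample URLs are hypothetical, and it assumes that `http://*.example.com` also covers the bare domain `example.com`. It does not screen out overly broad wildcards such as `http://*.com/`.

```php
<?php
// Added example, not Drupal's code. Function names and URLs are hypothetical.
function example_default_port($scheme) {
  return $scheme === 'https' ? 443 : 80;
}
// TRUE when $return_to descends from $trust_root (OpenID 1.1 rule quoted above).
function example_return_to_descends($return_to, $trust_root) {
  // An unset trust_root, as sent by the buggy 1.x branch, can never match.
  if (!is_string($trust_root) || $trust_root === '') {
    return FALSE;
  }
  // The wildcard may only appear at the beginning of the host.
  $wildcard = preg_match('#^[a-z]+://\*\.#i', $trust_root) === 1;
  if ($wildcard) {
    $trust_root = preg_replace('#://\*\.#', '://', $trust_root, 1);
  }
  $r = parse_url($return_to);
  $t = parse_url($trust_root);
  if (strpos($trust_root, '*') !== FALSE || !$r || !$t
    || empty($r['scheme']) || empty($r['host'])
    || empty($t['scheme']) || empty($t['host'])) {
    return FALSE;
  }
  // Scheme and port MUST match (default ports filled in when omitted).
  $r_scheme = strtolower($r['scheme']);
  $t_scheme = strtolower($t['scheme']);
  $r_port = isset($r['port']) ? $r['port'] : example_default_port($r_scheme);
  $t_port = isset($t['port']) ? $t['port'] : example_default_port($t_scheme);
  if ($r_scheme !== $t_scheme || $r_port !== $t_port) {
    return FALSE;
  }
  // Domains MUST match; assumption: *.example.com also covers example.com.
  $r_host = strtolower($r['host']);
  $t_host = strtolower($t['host']);
  $suffix = '.' . $t_host;
  if ($r_host !== $t_host && !($wildcard && substr($r_host, -strlen($suffix)) === $suffix)) {
    return FALSE;
  }
  // Path MUST be equal to or below the trust_root path.
  $r_path = isset($r['path']) ? $r['path'] : '/';
  $t_path = isset($t['path']) ? $t['path'] : '/';
  return $r_path === $t_path || strpos($r_path, rtrim($t_path, '/') . '/') === 0;
}

// Constructed sample values: one return_to checked against several trust roots.
$return_to = 'http://www.example.com/openid/authenticate';
foreach (array(NULL, 'http://www.example.com/', 'http://*.example.com/', 'https://www.example.com/', 'http://www.example.com/other') as $root) {
  printf("%-32s %s\n", var_export($root, TRUE), var_export(example_return_to_descends($return_to, $root), TRUE));
}
```

The NULL row corresponds to what the 1.x branch of openid_authentication_request sends while $realm is undefined.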
 
 
