We used two Drupal installations (Provider and Consumer) to track and analyse an OpenID login process.

While doing this, we've seen that the Consumer sent an HTTP Basic Authentication header to the OpenID Provider. This is because the OpenID Identity "user@domain" was passed to http://api.drupal.org/api/function/drupal_http_request/7, and parse_url() then thinks that "user" is an HTTP Authentication username.

This does not break functionality, nor is it a security issue, because no confidential information is published (the OpenID Identity is public). However, the spec says that the Consumer should normalize an OpenID Identity. Also, it is unlikely, but a Provider could for some reason block HTTP requests with Basic Authentication headers, and this would break the discovery process.

I'll try to write a patch soon.

Comment  File                              Size     Author
#1       472292.openid_remove_user.patch   1.17 KB  berdir
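To make the mechanism in the report concrete, here is an added example (not Drupal's code and not part of the original issue) that applies the normalization steps of OpenID Authentication 2.0 section 7.2 to a few identifiers and then shows what PHP's parse_url() sees afterwards, including the Basic Authentication header that a client which maps the "user"/"pass" components onto Basic auth, as the report says drupal_http_request() does, would attach. The function names and the sample identifiers are assumptions chosen for illustration.

```php
<?php
// Added example, not Drupal's own code: OpenID 2.0 section 7.2 identifier
// normalization followed by what parse_url() makes of the result.

function openid_normalize_identifier(string $id): string {
    $id = trim($id);
    // 7.2: a leading "xri://" prefix is stripped.
    if (stripos($id, 'xri://') === 0) {
        $id = substr($id, 6);
    }
    // 7.2: a leading XRI Global Context Symbol or "(" marks an XRI; no URL
    // normalization applies to those, so they are returned unchanged here.
    if ($id !== '' && strpos('=@+$!(', $id[0]) !== false) {
        return $id;
    }
    // 7.2: prepend "http://" when no http/https scheme is present.
    if (!preg_match('#^https?://#i', $id)) {
        $id = 'http://' . $id;
    }
    $parts = parse_url($id);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException("cannot parse identifier: $id");
    }
    // RFC 3986 syntax-based normalization: lowercase scheme and host, default
    // the path to "/", and drop the fragment (7.2 says fragments are removed).
    // Note that the userinfo part is kept: 7.2 does not say to remove it.
    $url = strtolower($parts['scheme']) . '://';
    if (isset($parts['user'])) {
        $url .= $parts['user'];
        if (isset($parts['pass'])) {
            $url .= ':' . $parts['pass'];
        }
        $url .= '@';
    }
    $url .= strtolower($parts['host']);
    if (isset($parts['port'])) {
        $url .= ':' . $parts['port'];
    }
    $url .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

// Header that a client honouring parse_url()'s "user"/"pass" components adds
// (assumed client behaviour, modelled on what the report describes).
function basic_auth_header_for(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['user'])) {
        return null;
    }
    return 'Basic ' . base64_encode($parts['user'] . ':' . ($parts['pass'] ?? ''));
}

// Constructed sample identifiers: the case from the report, the case raised
// in the comments, and a plain URL identifier with mixed case and a fragment.
$samples = [
    'user@example.org',
    'http://john:secret@example.com',
    'Example.Org/id#frag',
];
foreach ($samples as $raw) {
    $norm = openid_normalize_identifier($raw);
    printf("%-32s -> %-36s Authorization: %s\n",
        $raw, $norm, basic_auth_header_for($norm) ?? '(none)');
}
```

The first sample normalizes to "http://user@example.org/", and because parse_url() reports "user" as the userinfo component, the discovery request goes out with "Authorization: Basic dXNlcjo=" (base64 of "user:"); the third sample shows that the normalization only lowercases the host and strips the fragment, so nothing in it removes a userinfo part.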

Comments

berdir

Status: Active » Needs review

The attached patch fixes the described issue.

While creating the patch, I noticed that there are no tests for "user@example.org" OpenID Identities...

c960657

The standard's description of the normalization process does not mention removal of usernames. Though probably very unusual, I wonder whether identifiers of the form http://john:secret@example.com are expected to work, i.e. whether Relying Parties should send the credentials along?

Status: Needs review » Needs work

The last submitted patch failed testing.

heine

Status: Needs work » Closed (works as designed)

This behaviour is according to spec (http://openid.net/specs/openid-authentication-2_0.html, see 7.2).