
OpenID spec violation. Extract Authentication data - *search* for OP Identifier element

Project: Drupal core
Version: 7.x-dev
Component: openid.module
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

OpenID 2.0 Authentication 7.3.2.2. Extracting Authentication Data:

Once the Relying Party has obtained an XRDS document, it MUST first search the document (following the rules described in [XRI_Resolution_2.0]) for an OP Identifier Element. If none is found, the RP will search for a Claimed Identifier Element.

SO:

First, Drupal should search through the XRDS document, trying to find whether it contains an OP Identifier element, which is a Service element containing a Type tag with the text content "http://specs.openid.net/auth/2.0/server" and a URI tag (the text content is the OP endpoint URL Drupal must use to do authentication requests).

If Drupal cannot find this OP Identifier element, it should try to find a Claimed Identifier element, which is a Service element containing a Type tag with the text content "http://specs.openid.net/auth/2.0/signon", a URI tag (containing the OP endpoint URL as above) and an optional LocalID tag (an identifier used by the OpenID provider to identify the user).

This issue is brought to you by the OpenID 2.0 Compliance Crusade

Comments

#1

subscribe

#2

Status: active » needs review

This patch searches for the two different service elements as described in the OpenID spec. It also adds support for the priority attribute for the Service element as described in the XRI spec, section 4.3.3.

In openid_complete() the verification no longer uses $services[0] but loops through all discovered services. Section 11.2 of the spec says:

If the Claimed Identifier was not previously discovered by the Relying Party (the "openid.identity" in the request was "http://specs.openid.net/auth/2.0/identifier_select" or a different Identifier, or if the OP is sending an unsolicited positive assertion), the Relying Party MUST perform discovery on the Claimed Identifier in the response to make sure that the OP is authorized to make assertions about the Claimed Identifier.

I'm not completely sure how this is done. For now I look for service elements with the type either http://specs.openid.net/auth/2.0/signon or http://specs.openid.net/auth/2.0/server.

Attachment: openid-xrds-1.patch (19.77 KB)
Status: Idle
Test result: Failed on MySQL 5.0 InnoDB, with: 17,335 pass(es), 1 fail(s), and 0 exception(es).
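A worked illustration of the two-step discovery rule from the issue summary (search the XRDS for an OP Identifier element first, then for a Claimed Identifier element, honouring the XRI priority attribute) and of the verification loop described in #2 (accept an assertion only if the asserting OP endpoint is listed in some discovered service, not just the first one). This is added example code in Python, not Drupal's openid.module and not the patch attached above; the XRDS documents are constructed inline, the function names are mine, and ties between equal priorities are broken by document order rather than at random as XRI Resolution 2.0 section 4.3.3 specifies.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"       # OP Identifier element
CLAIMED_IDENTIFIER = "http://specs.openid.net/auth/2.0/signon"  # Claimed Identifier element


def _tag(name):
    return "{%s}%s" % (XRD_NS, name)


def _priority(elem):
    # XRI Resolution 2.0, 4.3.3: a lower number wins; a missing or
    # unparsable priority ranks below every numeric one.
    try:
        return int(elem.get("priority"))
    except (TypeError, ValueError):
        return float("inf")


def _ordered(elems):
    # Stable sort by priority; ties keep document order (assumption: the
    # spec says to choose randomly among equal priorities).
    return [e for _, _, e in sorted((_priority(e), i, e) for i, e in enumerate(elems))]


def _services_of_type(root, service_type):
    matching = []
    for svc in root.iter(_tag("Service")):
        types = [t.text.strip() for t in svc.findall(_tag("Type")) if t.text]
        if service_type in types:
            matching.append(svc)
    return _ordered(matching)


def _endpoint_uris(svc):
    uris = [u for u in svc.findall(_tag("URI")) if u.text and u.text.strip()]
    return [u.text.strip() for u in _ordered(uris)]


def discover(xrds_text):
    """Return the endpoint an RP must use (OpenID 2.0, 7.3.2.2), or None."""
    root = ET.fromstring(xrds_text)
    # 1. OP Identifier element first, regardless of where it sits in the document.
    for svc in _services_of_type(root, OP_IDENTIFIER):
        uris = _endpoint_uris(svc)
        if uris:
            return {"type": OP_IDENTIFIER, "endpoint": uris[0], "local_id": None}
    # 2. Otherwise a Claimed Identifier element, with its optional LocalID.
    for svc in _services_of_type(root, CLAIMED_IDENTIFIER):
        uris = _endpoint_uris(svc)
        if uris:
            local = svc.find(_tag("LocalID"))
            local_id = local.text.strip() if local is not None and local.text else None
            return {"type": CLAIMED_IDENTIFIER, "endpoint": uris[0], "local_id": local_id}
    return None


def op_authorized_for(xrds_text, op_endpoint):
    """Verification-time check (OpenID 2.0, 11.2): after re-discovering the
    Claimed Identifier from the response, the asserting OP endpoint must be
    listed in *some* server or signon service, not only the first one found."""
    root = ET.fromstring(xrds_text)
    for service_type in (OP_IDENTIFIER, CLAIMED_IDENTIFIER):
        for svc in _services_of_type(root, service_type):
            if op_endpoint in _endpoint_uris(svc):
                return True
    return False


# Constructed XRDS documents for illustration (not real providers).
# The signon service comes first, but the server service must win.
XRDS_WITH_OP = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/auth</URI>
      <LocalID>https://op.example.net/user/alice</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI priority="5">https://op.example.net/endpoint</URI>
      <URI priority="1">https://op-primary.example.net/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# No server service: fall back to the highest-priority signon service.
XRDS_SIGNON_ONLY = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://backup.example.net/auth</URI>
      <LocalID>https://op.example.net/user/alice</LocalID>
    </Service>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/auth</URI>
      <LocalID>https://op.example.net/user/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

if __name__ == "__main__":
    print(discover(XRDS_WITH_OP))
    print(discover(XRDS_SIGNON_ONLY))
    print(op_authorized_for(XRDS_WITH_OP, "https://attacker.example.org/endpoint"))
```

The second function is the security-relevant half: an OP that is not listed for the Claimed Identifier must not be allowed to assert it, so the check walks every discovered service rather than trusting whichever happened to be `$services[0]`.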

#3

Status: needs review » needs work

The last submitted patch, openid-xrds-1.patch, failed testing.

#4

Hmm, I cannot reproduce the test failure reported by the test bot. I'll take a look at this later.

#5

Status: needs work » needs review

The problem reported by the test bot occurred when Drupal is installed in a subdirectory.

Attachment: openid-xrds-2.patch (20.18 KB)
Status: Idle
Test result: Passed on all environments.

#6

Reroll.

Attachment: openid-xrds-3.patch (19.9 KB)
Status: Idle
Test result: FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch openid-xrds-3.patch.

#7

Status: needs review » fixed

Committed to CVS HEAD. Thanks!

#8

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.