Redirecting fails when not logged in on the provider site

mErilainen - November 3, 2009 - 13:07
Project: OpenID Provider
Version: 6.x-1.x-dev
Component: Code
Category: bug report
Priority: critical
Assigned: Unassigned
Status: active
Description

I have a problem with openid_provider. I have a Drupal site as provider and another Drupal site as client. I have created a profile on the provider site and I get the OpenID account address to use from there. When I try to log in to the client site, I'm redirected to the provider site. When I'm not logged in, I am asked for my username and password and the URL is site/user/login?destination=openid/provider/continue. Then I see a screen asking if the client site can be accessed with this OpenID account (URL: site/openid/provider/continue) and when I press "Yes; always", I still stay on the same page, but the URL is site/openid/provider/send?openid.signed=op_endpoint%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cidentity%2Cclaimed_id&openid.sig=%2B9sdGxiqbAgyS31ktx%2B3Y3BpDh0%3D. After that I can click "Yes; just this once" or "Yes; always" or "Cancel", but I don't get anywhere. When I check the OpenID sites page, I can see the checkbox chosen for the site I was trying to access.

When I try to do this procedure when I'm already logged in on the provider site, it works as it is supposed to.

#1

ninjay - November 8, 2009 - 04:47

I have this problem when testing http://openidenabled.com/resources/openid-test/diagnose-server/

However, in my case, it fails to redirect when I am logged in.

The first test works: Associate (DH-SHA1 session)

The second test begins to work; I get this screen on my Drupal:

OpenID login

You are being logged into http://openidenabled.com/resources/openid-test/diagnose-server/TestCheck..., would you like to continue?

I click Yes and, rather than redirecting me back to the source page, it returns me to my Drupal authorization page with this broken message:

OpenID login

You are being logged into , would you like to continue?

#2

xqus - November 8, 2009 - 21:02

I'm seeing exactly the same as ninjay. Running Drupal 6.14, with all modules up to date.

#3

xqus - November 8, 2009 - 21:56

I tried with Drupal 6.13, and it works there. It seems like something has changed in Drupal core somewhere between Drupal 6.13 and 6.14.
Looking at the change logs, it seems that several vulnerabilities in the OpenID modules have been fixed; obviously one of them broke the OpenID provider module.

#4

aneumeier - November 19, 2009 - 01:54

I didn't check the changelog, but did some tracing. When I stepped through it, I found _openid_provider_sign(...) does not return openid.redirect_to anymore. I'm not deep enough into OpenID to understand this correctly yet.

Did anybody do some other research?
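
Added example, not part of the thread or of the module's code: a Python check of the openid/provider/send URL quoted in the original report. It lists the fields named in openid.signed that have no matching openid.<field> parameter (OpenID 2.0 requires every signed field to be present in the message). The second URL and all of its values are constructed for contrast.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# URL exactly as quoted in the original report ("site" is the reporter's placeholder).
REPORTED_URL = (
    "site/openid/provider/send?openid.signed=op_endpoint%2Creturn_to"
    "%2Cresponse_nonce%2Cassoc_handle%2Cidentity%2Cclaimed_id"
    "&openid.sig=%2B9sdGxiqbAgyS31ktx%2B3Y3BpDh0%3D"
)

# Constructed for contrast: a response that carries every field it claims to sign.
COMPLETE_URL = "https://rp.example/openid/authenticate?" + urlencode({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/openid/provider",
    "openid.return_to": "https://rp.example/openid/authenticate",
    "openid.response_nonce": "2009-11-03T13:07:00Zabc123",
    "openid.assoc_handle": "{HMAC-SHA1}{constructed}",
    "openid.identity": "https://op.example/user/1/identity",
    "openid.claimed_id": "https://op.example/user/1/identity",
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,identity,claimed_id",
    "openid.sig": "Y29uc3RydWN0ZWQ=",
})


def missing_signed_fields(url):
    """Fields listed in openid.signed that have no non-empty openid.<field> value."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    signed = query.get("openid.signed", [""])[0]
    return [name for name in signed.split(",")
            if name and not query.get("openid." + name, [""])[0]]


def has_return_to(url):
    """True if the message carries the URL the user should be sent back to."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return bool(query.get("openid.return_to", [""])[0])


if __name__ == "__main__":
    for label, url in (("reported", REPORTED_URL), ("constructed", COMPLETE_URL)):
        print(label, "missing:", missing_signed_fields(url),
              "return_to present:", has_return_to(url))
```
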
