OpenID should support openid.invalidate_handle

Posted by Heine on March 2, 2010 at 6:00pm

Issue Summary

If the Relying Party supplied an association handle with the authentication request, the OP SHOULD attempt to look up an association based on that handle. If the association is missing or expired, the OP SHOULD send the "openid.invalidate_handle" parameter as part of the response with the value of the request's "openid.assoc_handle" parameter, and SHOULD proceed as if no association handle was specified.

This is not a security issue as the signature will fail and openid_complete will not be able to verify responses. The bug 1) is against spec and 2) blocks sign-in for certain OPs when their authentication handles expire.

Comments

#1

Posted by Damien Tournoud on March 2, 2010 at 6:56pm

Hm. The way I'm reading that is that when the request openid.assoc_handle is expired, the OP has to "proceed as if no association handle was specified" (ie. as if that field was not in the request), and has to put the expired association handle in the response as openid.invalidate_handle.

As a consequence, the response should not contain any openid.assoc_handle, and openid_verify_assertion() will proceed with direct verification.

So, except if the OP doesn't comply with the spec, nothing wrong should happen. The only issue is that we will continue to send invalid association handles to this OP, that will have to be verified in the (less performant) direct verification mode.

#2

Posted by Damien Tournoud on March 2, 2010 at 7:07pm

Status:

active

» needs review

Anyway, this should do it.

Attachment	Size	Status	Test result	Operations
730462-invalidate-handle.patch	1.17 KB	Idle	PASSED: [[SimpleTest]]: [MySQL] 18,197 pass(es).	View details \| Re-test

#3

Posted by Damien Tournoud on March 2, 2010 at 7:13pm

Just to clarify #1, my analysis is that 1) we do not violate the spec here, because the spec only specify the behavior of the OP, not of the RP, 2) nothing wrong should happen as long as the RP comply with the spec.

#4

Posted by Heine on March 2, 2010 at 8:06pm

Status:

needs review

» needs work

Alas,

If we receive an invalid_handle response, we must verify directly with the OP (we do now, assuming the OP is well-behaved and sends an empty assoc_handle).

Only then, when the OP confirms that the handle is in valid should we remove it. see section 11.4.2.2:

Note: This two-step process for invalidating associations is necessary to prevent an attacker from invalidating an association at will by adding "invalidate_handle" parameters to an authentication response.

TODO - I still need to look into 11.4.2.1. about shared keys.
TODO - we must do ns checking - maybe in a separate issue?