Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
openid_complete should normalize the claimed_id before calling openid_discovery with it.
See OpenID Authentication 2.0 Section 11.2. - Verifying Discovered Information.
Comment | File | Size | Author |
---|---|---|---|
#12 | openid-normalize-D6-2.patch | 2.28 KB | c960657 |
#9 | openid-normalize-D6-1.patch | 2.1 KB | c960657 |
#6 | openid-normalize-2.patch | 7.85 KB | c960657 |
#2 | openid-normalize-1.patch | 7.64 KB | c960657 |
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedComment #2
c960657 CreditAttribution: c960657 commentedComment #3
Dries CreditAttribution: Dries commentedNeeds to be rerolled because of other OpenID patches going in.
Comment #4
Dries CreditAttribution: Dries commented#2: openid-normalize-1.patch queued for re-testing.
Comment #6
c960657 CreditAttribution: c960657 commentedComment #7
Dries CreditAttribution: Dries commentedLooks solid, and I like the extra tests. Committed to CVS HEAD. Another critical bug bites the dust.
Comment #9
c960657 CreditAttribution: c960657 commentedThis is a straight backport for D6.
Comment #10
mfbFollow-up bug-fix: #803294: OpenID discovery and login tests fail on HTTPS site
Comment #12
c960657 CreditAttribution: c960657 commentedReroll.
Comment #14
c960657 CreditAttribution: c960657 commentedPatch still applies. The testbot has an issue with D6 patches at the moment (#961172).
Comment #15
wojtha CreditAttribution: wojtha commented#12: openid-normalize-D6-2.patch queued for re-testing.
Comment #16
wojtha CreditAttribution: wojtha commentedThis "critical fix" introduced probably more critical bug in D7 #1076366-12: OpenID discovery spec violation - fragments are removed from claimed id . Fortunately it has not been commited to D6 yet.
This is wrong, now you are stripping the fragment which is important for identifier recycling. Claimed ID "SHOULD" be stored with this fragment by the Relying party as specs are saying.
Powered by Dreditor.
Comment #17
c960657 CreditAttribution: c960657 commentedBy reading the spec it is not very clear that you have to normalize the identifier before doing discovery.
@Heine, is this bug report based on a concrete problem with some OpenID provider?
Comment #18
Heine CreditAttribution: Heine commentedNo, and you are right it is not clear. They way I read it now, I'm in doubt.
Comment #19
wojtha CreditAttribution: wojtha commented@Heine: yop, it is slightly uncertain and doubtful and we are not alone in those doubts. Some Openid libraries (JanRain) only strips fragment part and some Openid libraries (Zend Framework) normalize the claimed id as you have requested in the issue description. Most of the libraries only strips the fragment AFAIK.
Me and c960657 were discussing the fragment part stripping/url normalization here: #1076366-15: OpenID discovery spec violation - fragments are removed from claimed id
Comment #20
dpearcefl CreditAttribution: dpearcefl commentedIs this issue fixed in the latest D6? is there any interest in pursuing this issue?
Comment #21
wojtha CreditAttribution: wojtha commentedI'm now focusing to fix the bug introduced by this issue to the D7, after that I can try to fix this... The current patch here is wrong and contains another criticitical error.