[OpenID] Bug in AOL OpenID Provider implementation
Andrew Arnott
andrewarnott at gmail.com
Thu Jan 1 01:02:27 UTC 2009
Is there anyone on this list who works for or with AOL OpenID folks? I have
(below) a description of an interop issue with the AOL OpenID Provider that
may be a bug they should look at.
Thanks.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
---------- Forwarded message ----------
From: Andrew Arnott <andrewarnott at gmail.com>
Date: Wed, Dec 31, 2008 at 5:50 PM
Subject: Re: [dotnetopenid] problems with AOL today?
To: dotnetopenid at googlegroups.com
Thanks for reporting this, Joel. This is a bug in AOL's encoding/decoding
of the return_to URL, as I detail below. I'll forward this onto the AOL
OpenID folks (as soon as I can figure out who they are) and suggest they fix
this bug pronto!
As can be seen in the below log, DotNetOpenId is sending AOL a return_to URL
with a twice-URL-encoded + sign as the value for the token parameter, as
appropriate. That is, the plus sign is an actual character in the (base 64
encoded) value, which must be URL encoded because it is a URL parameter.
Then since the return_to URI is itself a URL parameter, it is encoded
again.
But when the auth message comes back from AOL (and only AOL has this issue,
reportedly starting 12/31/08) the + sign character in the return_to URL has
been decoded by AOL rather than being preserved as DotNetOpenId had written
it. As a result, the + sign is misinterpreted as a URL encoding of the
space character, causing the base64 decoding operation to fail.
*Analysis: AOL is decoding the return_to parameter, and not properly
re-encoding it before sending it back to the RP.*
2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
openid.mode: checkid_setup
openid.identity: http://openid.aol.com/webmyway
openid.trust_root: http://nerdbank.org/RP/
openid.return_to:
http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*%2b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
openid.assoc_handle:
diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
openid.ns.sreg: http://openid.net/extensions/sreg/1.1
openid.sreg.policy_url: http://nerdbank.org/RP/PrivacyPolicy.aspx
openid.sreg.required: gender,postcode,timezone
openid.sreg.optional: email,country
2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to
https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE4tB*%252b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry
2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication
response received:
ReturnUrl: /rp/MembersOnly/Default.aspx
token: ATjrrFUCgj1z1e2dmRTszTnE4tB
iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
OpenIdTextBox_UsePersistentCookie: False
openid.mode: id_res
openid.identity: http://openid.aol.com/webmyway
openid.assoc_handle:
diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
openid.return_to:
http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*+*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
openid.signed: identity,return_to
openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
openid.invalidate_handle:
diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <jnylund at yahoo.com> wrote:
>
> Hey, anyone else having issues with AOL openid, as of today on my site I
> can't use aol to login or signup, there is a problem with the token they are
> sending over, haven't had a chance to debug yet, just wondering if anyone
> else has seen?
>
> When I try using Andrew's site I see same problem:
>
> Server Error in '/RP' Application.
> Invalid length for a Base-64 char array.
> Description: An unhandled exception occurred during the execution of the
> current web request. Please review the stack trace for more information
> about the error and where it originated in the code.
>
> Exception Details: System.FormatException: Invalid length for a Base-64
> char array.
>
> Source Error:
>
> An unhandled exception was generated during the execution of the current
> web request. Information regarding the origin and location of the exception
> can be identified using the exception stack trace below.
>
> Stack Trace:
>
> [FormatException: Invalid length for a Base-64 char array.]
> System.Convert.FromBase64String(String s) +0
> DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
> store) in Token.cs:82
> DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
> query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
> verifySignature) in AuthenticationResponse.cs:222
> DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
> OpenIdRelyingParty.cs:294
> DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
> OpenIdTextBox.cs:639
> System.Web.UI.Control.LoadRecursive() +47
> System.Web.UI.Control.LoadRecursive() +131
> System.Web.UI.Control.LoadRecursive() +131
> System.Web.UI.Control.LoadRecursive() +131
> System.Web.UI.Control.LoadRecursive() +131
> System.Web.UI.Page.ProcessRequestMain(Boolean
> includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436
>
>
>
> thanks
> Joel
>
>
>
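Added example, not part of the original thread and not DotNetOpenId or AOL code: a Python model of the round trip described in the analysis above, showing how one decode too many on the provider side turns %2B into a bare + that the relying party then reads as a space. The endpoints, function names and token bytes are constructed placeholders, and the provider's behaviour is an assumption based on the log.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

RP_ENDPOINT = "http://rp.example/login.aspx"          # placeholder relying party
OP_ENDPOINT = "https://op.example/auth/openidServer"  # placeholder provider
# Constructed token bytes; the first three encode to "++++" in base64.
SAMPLE_TOKEN = b"\xfb\xef\xbe" + b"constructed-nonce"

def build_return_to(token_bytes):
    """RP, layer 1: the base64 token is percent-encoded as a query value."""
    token = base64.b64encode(token_bytes).decode("ascii")
    return RP_ENDPOINT + "?" + urlencode({"token": token})

def build_auth_request(return_to):
    """RP, layer 2: the whole return_to URL is itself a query value."""
    return OP_ENDPOINT + "?" + urlencode({
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
    })

def op_redirect(auth_request, extra_decode):
    """OP: read return_to (one decode) and redirect the browser to it.
    extra_decode=True models the reported fault: a second decode that is
    not undone before the URL goes back to the RP."""
    return_to = parse_qs(urlsplit(auth_request).query)["openid.return_to"][0]
    if extra_decode:
        return_to = unquote(return_to)   # %2B becomes a literal '+'
    echoed = urlencode({"openid.mode": "id_res",
                        "openid.return_to": return_to})
    return return_to + "&" + echoed

def rp_read_token(redirect_url):
    """RP: form-decode the query ('+' means space), then base64-decode.
    Returns None when the token is no longer valid base64."""
    token = parse_qs(urlsplit(redirect_url).query)["token"][0]
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None

if __name__ == "__main__":
    request = build_auth_request(build_return_to(SAMPLE_TOKEN))
    for faulty in (False, True):
        result = rp_read_token(op_redirect(request, extra_decode=faulty))
        print("extra decode:", faulty, "-> token recovered:", result is not None)
```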