[OpenID] Bug in AOL OpenID Provider implementation

David Recordon drecordon at sixapart.com
Thu Jan 1 01:23:29 UTC 2009 

Hey Andrew,
George Fletcher is a great contact there and is normally on the list  
as well.

--David

On Dec 31, 2008, at 5:02 PM, Andrew Arnott wrote:

> Is there anyone on this list who works for or with AOL OpenID  
> folks?  I have (below) a description of an interop issue with the  
> AOL OpenID Provider that may be a bug they should look at.
>
> Thanks.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
>
>
> ---------- Forwarded message ----------
> From: Andrew Arnott <andrewarnott at gmail.com>
> Date: Wed, Dec 31, 2008 at 5:50 PM
> Subject: Re: [dotnetopenid] problems with AOL today?
> To: dotnetopenid at googlegroups.com
>
>
> Thanks for reporting this, Joel.  This is a bug in AOL's encoding/ 
> decoding of the return_to URL, as I detail below.  I'll forward this  
> onto the AOL OpenID folks (as soon as I can figure out who they are)  
> and suggest they fix this bug prompto!
>
> As can be seen in the below log, DotNetOpenId is sending AOL a  
> return_to URL with a twice-URL-encoded + sign as the value for the  
> token parameter, as appropriate.  That is, the plus sign is an  
> actual character in the (base 64 encoded) value, which must be URL  
> encoded because it is a URL parameter.  Then since the return_to URI  
> is itself a URL parameter, it is encoded again.
>
> But when the auth message comes back from AOL (and only AOL has this  
> issue, reportedly starting 12/31/08) the + sign character in the  
> return_to URL has been decoded by AOL rather than being preserved as  
> DotNetOpenId had written it.  As a result, the + sign is  
> misinterpreted as a URL encoding of the space character, causing the  
> base64 decoding operation to fail.
>
> Analysis: AOL is decoding the return_to parameter, and not properly  
> re-encoding it before sending it back to the RP.
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect  
> message:
>
>
> 	openid.mode: checkid_setup
> 	openid.identity: http://openid.aol.com/webmyway
>
>
> 	openid.trust_root: http://nerdbank.org/RP/
> 	openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB%2biV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
>
>
> 	openid.assoc_handle:  
> diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D- 
> j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED 
> %2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
>
>
> 	openid.ns.sreg: http://openid.net/extensions/sreg/1.1
> 	openid.sreg.policy_url: http://nerdbank.org/RP/PrivacyPolicy.aspx
>
>
> 	openid.sreg.required: gender,postcode,timezone
> 	openid.sreg.optional: email,country
>
>
>
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE4tB%252biV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy. 
> aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry
>
>
> 2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID  
> authentication response received:
> 	ReturnUrl: /rp/MembersOnly/Default.aspx
>
>
> 	token: ATjrrFUCgj1z1e2dmRTszTnE4tB  
> iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg 
> ==
>
>
> 	OpenIdTextBox_UsePersistentCookie: False
> 	openid.mode: id_res
>
>
> 	openid.identity: http://openid.aol.com/webmyway
> 	openid.assoc_handle:  
> diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D- 
> j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF 
> %2BZhAJOAIsXk5%2BTdfzZoedphY%3D
>
>
> 	openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB+iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
>
>
> 	openid.signed: identity,return_to
> 	openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
>
>
> 	openid.invalidate_handle:  
> diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=- 
> j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/ 
> 2yXC+i4=
>
>
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
>
>
>
> On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <jnylund at yahoo.com>  
> wrote:
>
> Hey, anyone else having issues with AOL openid, as of today on my  
> site I cant use aol to login or signup, there is a problem with the  
> token they are sending over, havent had a chance to debug yet, just  
> wondering if anyone else has seen?
>
> When I try using Andrews site I see same problem:
>
> Server Error in '/RP' Application.
> Invalid length for a Base-64 char array.
> Description: An unhandled exception occurred during the execution of  
> the current web request. Please review the stack trace for more  
> information about the error and where it originated in the code.
>
> Exception Details: System.FormatException: Invalid length for a  
> Base-64 char array.
>
> Source Error:
>
> An unhandled exception was generated during the execution of the  
> current web request. Information regarding the origin and location  
> of the exception can be identified using the exception stack trace  
> below.
>
> Stack Trace:
>
> [FormatException: Invalid length for a Base-64 char array.]
>   System.Convert.FromBase64String(String s) +0
>   DotNetOpenId.RelyingParty.Token.Deserialize(String token,  
> INonceStore store) in Token.cs:82
>    
> DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2  
> query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean  
> verifySignature) in AuthenticationResponse.cs:222
>   DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in  
> OpenIdRelyingParty.cs:294
>   DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in  
> OpenIdTextBox.cs:639
>   System.Web.UI.Control.LoadRecursive() +47
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Page.ProcessRequestMain(Boolean  
> includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
> +1436
>
>
>
> thanks
> Joel
>
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20081231/caffb6ec/attachment-0002.htm>

More information about the general mailing list