[OpenID] Bug in AOL OpenID Provider implementation
Peter Williams
pwilliams at rapattoni.com
Thu Jan 1 03:07:14 UTC 2009
I tried to use my https://cacert.at/homepw url at dotnetopenid the other day.
It works at pbwiki and openid foundation, and showed the (good news) padlock.
(If I'm an ordinary user, I'm now confused. If I get on the phone (costing me $10, and the provider $25) I'll probably understand very little of what the level 1 support person tells me about trust networks and CA CTLs. I'm 58, and all I know is it worked at the openid foundation and not at dotnetopenid. Why wouldn't it?)
Anyone looked at Nat's proposal CX again, recently, while I'm ranting?
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Andrew Arnott
Sent: Wednesday, December 31, 2008 5:02 PM
To: OpenID List
Subject: [OpenID] Bug in AOL OpenID Provider implementation
Is there anyone on this list who works for or with AOL OpenID folks? I have (below) a description of an interop issue with the AOL OpenID Provider that may be a bug they should look at.
Thanks.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire
---------- Forwarded message ----------
From: Andrew Arnott <andrewarnott at gmail.com>
Date: Wed, Dec 31, 2008 at 5:50 PM
Subject: Re: [dotnetopenid] problems with AOL today?
To: dotnetopenid at googlegroups.com
Thanks for reporting this, Joel. This is a bug in AOL's encoding/decoding of the return_to URL, as I detail below. I'll forward this on to the AOL OpenID folks (as soon as I can figure out who they are) and suggest they fix this bug pronto!
As can be seen in the below log, DotNetOpenId is sending AOL a return_to URL with a twice-URL-encoded + sign as the value for the token parameter, as appropriate. That is, the plus sign is an actual character in the (base 64 encoded) value, which must be URL encoded because it is a URL parameter. Then since the return_to URI is itself a URL parameter, it is encoded again.
But when the auth message comes back from AOL (and only AOL has this issue, reportedly starting 12/31/08) the + sign character in the return_to URL has been decoded by AOL rather than being preserved as DotNetOpenId had written it. As a result, the + sign is misinterpreted as a URL encoding of the space character, causing the base64 decoding operation to fail.
Analysis: AOL is decoding the return_to parameter, and not properly re-encoding it before sending it back to the RP.
2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
openid.mode: checkid_setup
openid.identity: http://openid.aol.com/webmyway
openid.trust_root: http://nerdbank.org/RP/
openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB%2biV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
openid.ns.sreg: http://openid.net/extensions/sreg/1.1
openid.sreg.policy_url: http://nerdbank.org/RP/PrivacyPolicy.aspx
openid.sreg.required: gender,postcode,timezone
openid.sreg.optional: email,country
2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE4tB%252biV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry
2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
ReturnUrl: /rp/MembersOnly/Default.aspx
token: ATjrrFUCgj1z1e2dmRTszTnE4tB iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
OpenIdTextBox_UsePersistentCookie: False
openid.mode: id_res
openid.identity: http://openid.aol.com/webmyway
openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB+iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
openid.signed: identity,return_to
openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire
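The encoding chain Andrew describes above, reproduced as an added example that is not part of this thread and not DotNetOpenId's or AOL's code. It builds a return_to URL whose base64 token contains a '+', wraps it in a checkid_setup redirect (so the '+' appears as '%252b', as in the log), and then plays the OP's reply back through a well-behaved OP and through one that decodes return_to one time too many. The RP side shows both the base64 failure and the return_to comparison an RP can use to reject such a response. The token bytes and the simplified, unsigned response are constructed for the example; the hostnames come from the thread's log.

```python
"""Added example (not code from the thread, DotNetOpenId or AOL): reproduces
the double percent-encoding of return_to and the effect of an OP that
decodes it once too often. Token bytes and the OP's reply are constructed."""
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

RP_LOGIN = "http://nerdbank.org/RP/login.aspx"                    # from the log
OP_ENDPOINT = "https://api.screenname.aol.com/auth/openidServer"  # from the log

# Constructed token: the leading 0xF8 byte makes the base64 text start with
# '+', the character the thread's bug corrupts.
TOKEN = b"\xf8\x00\x01http://openid.aol.com/webmyway\r\n"


def build_return_to(token: bytes) -> str:
    """RP side: base64 the token and put it in the return_to query string.
    urlencode percent-encodes '+' and '=' (the '%2b' / '%3d' in the log)."""
    token_b64 = base64.b64encode(token).decode("ascii")
    return RP_LOGIN + "?" + urlencode(
        {"ReturnUrl": "/rp/MembersOnly/Default.aspx", "token": token_b64})


def build_checkid_setup(return_to: str) -> str:
    """RP side: return_to is itself a query parameter of the redirect, so it
    is percent-encoded a second time ('%2B' becomes '%252B')."""
    return OP_ENDPOINT + "?" + urlencode(
        {"openid.mode": "checkid_setup", "openid.return_to": return_to})


def _respond(return_to: str) -> str:
    """Append the assertion parameters to return_to (simplified: no signature,
    no assoc_handle). urlencode re-encodes return_to exactly once."""
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode(
        {"openid.mode": "id_res", "openid.return_to": return_to})


def op_correct(redirect_url: str) -> str:
    """Well-behaved OP: decodes the redirect's query exactly once, so the
    return_to it holds still reads 'token=%2B...' and goes back unchanged."""
    q = parse_qs(urlsplit(redirect_url).query)
    return _respond(q["openid.return_to"][0])


def op_buggy(redirect_url: str) -> str:
    """OP with the bug described in the thread: one decode too many turns
    '%2B' into a literal '+' inside the return_to it sends back."""
    q = parse_qs(urlsplit(redirect_url).query)
    return _respond(unquote(q["openid.return_to"][0]))


def rp_decode_token(response_url: str):
    """RP side: a literal '+' in a query string means a space, so the base64
    text now holds ' ' and decoding fails (the FormatException in the thread).
    Returns (True, token bytes) or (False, error text)."""
    token_b64 = parse_qs(urlsplit(response_url).query)["token"][0]
    try:
        return True, base64.b64decode(token_b64, validate=True)
    except binascii.Error as exc:
        return False, str(exc)


def rp_return_to_matches(sent_return_to: str, response_url: str) -> bool:
    """OpenID 2.0 section 11.1: the RP verifies that openid.return_to in the
    response equals the URL it sent. A mangled return_to fails this check
    even before the token is looked at."""
    got = parse_qs(urlsplit(response_url).query)["openid.return_to"][0]
    return got == sent_return_to


if __name__ == "__main__":
    return_to = build_return_to(TOKEN)
    redirect = build_checkid_setup(return_to)
    for name, op in (("correct OP", op_correct), ("buggy OP", op_buggy)):
        resp = op(redirect)
        ok, result = rp_decode_token(resp)
        print(f"{name}: token decodes={ok}, "
              f"return_to matches={rp_return_to_matches(return_to, resp)}, "
              f"detail={result!r}")
```

Running the script prints one line per simulated OP: the well-behaved one yields the original token bytes and a matching return_to, the buggy one fails base64 decoding and also fails the return_to comparison. The second check is the one worth keeping in an RP: it turns a confusing decoding exception into a clear "response does not match the request I sent" rejection, whatever the cause of the mismatch.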
On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <jnylund at yahoo.com> wrote:
Hey, anyone else having issues with AOL openid? As of today on my site I can't use AOL to login or signup; there is a problem with the token they are sending over. Haven't had a chance to debug yet, just wondering if anyone else has seen it?
When I try using Andrew's site I see the same problem:
Server Error in '/RP' Application.
Invalid length for a Base-64 char array.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.FormatException: Invalid length for a Base-64 char array.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[FormatException: Invalid length for a Base-64 char array.]
System.Convert.FromBase64String(String s) +0
DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore store) in Token.cs:82
DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2 query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean verifySignature) in AuthenticationResponse.cs:222
DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in OpenIdRelyingParty.cs:294
DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in OpenIdTextBox.cs:639
System.Web.UI.Control.LoadRecursive() +47
System.Web.UI.Control.LoadRecursive() +131
System.Web.UI.Control.LoadRecursive() +131
System.Web.UI.Control.LoadRecursive() +131
System.Web.UI.Control.LoadRecursive() +131
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436
thanks
Joel