[OpenID] Bug in AOL OpenID Provider implementation

Andrew Arnott andrewarnott at gmail.com
Thu Jan 1 04:50:25 UTC 2009 

Hi Peter,

I just checked out the https://cacert.at/homepw URL you mentioned.  The
reason the http://nerdbank.org/rp site rejects that URL is because the HTTPS
certificate is not signed by a recognized cert authority at the server
hosting the site.

This doesn't actually have anything to do with the AOL issue right? (does
this deserve its own thread?) I just want to make sure I'm understanding the
issue you're getting at.  I'm also not familiar with this CX thing.  Is that
a certificate exchange protocol that's in the works?

Thanks.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Wed, Dec 31, 2008 at 8:07 PM, Peter Williams <pwilliams at rapattoni.com>wrote:

>  I tried to  use my https://cacert.at/homepw url at dotnetopenid the other
> day.
>
>
>
> It works at pbwiki and openid foundation, and showed the (good news)
> padlock.
>
>
>
> (If I'm a ordinary user, I'm now confused. If I get on the phone (costing
> me $10, and the provider $25) I'll probably understand very little of what
> the level 1 support person tells about trust networks, and CA CTLs. Im 58,
> and all I know is it worked at the openid foundation and not at
> dotnetopenid. Why wouldn't it?)
>
>
>
> Anyone looked at Nat's proposal CX again, recently, while I'm ranting?
>
>
>
> *From:* general-bounces at openid.net [mailto:general-bounces at openid.net] *On
> Behalf Of *Andrew Arnott
> *Sent:* Wednesday, December 31, 2008 5:02 PM
> *To:* OpenID List
> *Subject:* [OpenID] Bug in AOL OpenID Provider implementation
>
>
>
> Is there anyone on this list who works for or with AOL OpenID folks?  I
> have (below) a description of an interop issue with the AOL OpenID Provider
> that may be a bug they should look at.
>
> Thanks.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>  ---------- Forwarded message ----------
> From: *Andrew Arnott* <andrewarnott at gmail.com>
> Date: Wed, Dec 31, 2008 at 5:50 PM
> Subject: Re: [dotnetopenid] problems with AOL today?
> To: dotnetopenid at googlegroups.com
>
>
> Thanks for reporting this, Joel.  This is a bug in AOL's encoding/decoding
> of the return_to URL, as I detail below.  I'll forward this onto the AOL
> OpenID folks (as soon as I can figure out who they are) and suggest they fix
> this bug prompto!
>
> As can be seen in the below log, DotNetOpenId is sending AOL a return_to
> URL with a twice-URL-encoded + sign as the value for the token parameter, as
> appropriate.  That is, the plus sign is an actual character in the (base 64
> encoded) value, which must be URL encoded because it is a URL parameter.
> Then since the return_to URI is itself a URL parameter, it is encoded
> again.
>
> But when the auth message comes back from AOL (and only AOL has this issue,
> reportedly starting 12/31/08) the + sign character in the return_to URL has
> been decoded by AOL rather than being preserved as DotNetOpenId had written
> it.  As a result, the + sign is misinterpreted as a URL encoding of the
> space character, causing the base64 decoding operation to fail.
>
> *Analysis: AOL is decoding the return_to parameter, and not properly
> re-encoding it before sending it back to the RP.*
>
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
>
>
>
>               openid.mode: checkid_setup
>
>               openid.identity: http://openid.aol.com/webmyway
>
>
>
>               openid.trust_root: http://nerdbank.org/RP/
>
>               openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*%2b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
>
>
>
>               openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
>
>
>
>               openid.ns.sreg: http://openid.net/extensions/sreg/1.1
>
>               openid.sreg.policy_url: http://nerdbank.org/RP/PrivacyPolicy.aspx
>
>
>
>               openid.sreg.required: gender,postcode,timezone
>
>               openid.sreg.optional: email,country
>
>
>
>
>
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE4tB*%252b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry
>
>
>
> 2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
>
>               ReturnUrl: /rp/MembersOnly/Default.aspx
>
>
>
>               token: ATjrrFUCgj1z1e2dmRTszTnE4tB iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
>
>
>
>               OpenIdTextBox_UsePersistentCookie: False
>
>               openid.mode: id_res
>
>
>
>               openid.identity: http://openid.aol.com/webmyway
>
>               openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
>
>
>
>               openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*+*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
>
>
>
>               openid.signed: identity,return_to
>
>               openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
>
>
>
>               openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
>
>
>
>
>  --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>
>
>  On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <jnylund at yahoo.com> wrote:
>
>
> Hey, anyone else having issues with AOL openid, as of today on my site I
> cant use aol to login or signup, there is a problem with the token they are
> sending over, havent had a chance to debug yet, just wondering if anyone
> else has seen?
>
> When I try using Andrews site I see same problem:
>
> Server Error in '/RP' Application.
> Invalid length for a Base-64 char array.
> Description: An unhandled exception occurred during the execution of the
> current web request. Please review the stack trace for more information
> about the error and where it originated in the code.
>
> Exception Details: System.FormatException: Invalid length for a Base-64
> char array.
>
> Source Error:
>
> An unhandled exception was generated during the execution of the current
> web request. Information regarding the origin and location of the exception
> can be identified using the exception stack trace below.
>
> Stack Trace:
>
> [FormatException: Invalid length for a Base-64 char array.]
>   System.Convert.FromBase64String(String s) +0
>   DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
> store) in Token.cs:82
>   DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
> query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
> verifySignature) in AuthenticationResponse.cs:222
>   DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
> OpenIdRelyingParty.cs:294
>   DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
> OpenIdTextBox.cs:639
>   System.Web.UI.Control.LoadRecursive() +47
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Control.LoadRecursive() +131
>   System.Web.UI.Page.ProcessRequestMain(Boolean
> includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436
>
>
>
> thanks
> Joel
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20081231/9d39c04f/attachment-0002.htm>

More information about the general mailing list