[OpenID] Bug in OpenID RP implementations

Peter Williams pwilliams at rapattoni.com
Thu Jan 1 22:28:33 UTC 2009


Evidently, one can post a claim about https:// to a non-http:// endpoint. Neither WordPress nor ProtectNetwork objected (so far) to the form of the service call.

POST http://openid.net/wordpress/wp-comments-post.php
302 Found to http://openid.protectnetwork.org/server?openid.assoc_handle=1230672724124-5&openid.identity=https%3A%2F%2Fejnorman.protectnetwork.org%2F&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fopenid.net%2F%3Faction%3Dcomment%26janrain_nonce%3D2009-01-01T21%253A57%253A31ZNNGAwq%26openid1_claimed_id%3Dhttps%253A%252F%252Fejnorman.protectnetwork.org%252F%26openid_consumer%3D1&openid.sreg.optional=nickname%2Cemail%2Cfullname&openid.trust_root=http%3A%2F%2Fopenid.net

GET http://openid.protectnetwork.org/server?openid.assoc_handle=1230672724124-5&openid.identity=https%3A%2F%2Fejnorman.protectnetwork.org%2F&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fopenid.net%2F%3Faction%3Dcomment%26janrain_nonce%3D2009-01-01T21%253A57%253A31ZNNGAwq%26openid1_claimed_id%3Dhttps%253A%252F%252Fejnorman.protectnetwork.org%252F%26openid_consumer%3D1&openid.sreg.optional=nickname%2Cemail%2Cfullname&openid.trust_root=http%3A%2F%2Fopenid.net
302 Moved Temporarily to http://openid.protectnetwork.org/Authentication


Eric's doesn't have any obvious XRDS metadata, only HTML metadata (suited to openid1): <link rel="openid.server" href="http://openid.protectnetwork.org/server">



With a little handcrafting, one sees that the https OP endpoint does exist, and will redirect. But if it's not advertised, it's hard to see why it should be used.

GET https://openid.protectnetwork.org/server?openid.assoc_handle=1230672724124-5&openid.identity=https%3A%2F%2Fejnorman.protectnetwork.org%2F&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fopenid.net%2F%3Faction%3Dcomment%26janrain_nonce%3D2009-01-01T22%253A06%253A33Za0tf5A%26openid1_claimed_id%3Dhttps%253A%252F%252Fejnorman.protectnetwork.org%252F%26openid_consumer%3D1&openid.sreg.optional=nickname%2Cemail%2Cfullname&openid.trust_root=http%3A%2F%2Fopenid.net
302 Moved Temporarily to https://openid.protectnetwork.org/Authentication




The openid 2 spec says in section 15 (a non-normative must, note):

"In order to get protection from SSL, SSL must be used for all parts of the interaction, including interaction with the end user through the User-Agent."

So, perhaps my question ought to be:

If both http and https OP endpoints are advertised (in XRDS), given an https:// claim, can the RP choose the http at its discretion?

Presumably yes, since the section 15 must is non-normative.


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Eric Norman
> Sent: Thursday, January 01, 2009 1:18 PM
> To: OpenID List
> Subject: Re: [OpenID] Bug in OpenID RP implementations
>
>
> On Jan 1, 2009, at 2:45 PM, Andrew Arnott wrote:
>
> > Eric,
> >
> > I believe it is exactly the problem that Peter is facing.
> >
> > Regarding the behavior you saw, Eric, DotNetOpenId doesn't ever
> demote
> > https to http (or if so it would be a bug), but it will go through
> all
> > endpoints listed for a given OpenID and chooses from among that list.
> > So if your OpenID has multiple service endpoints listed (through an
> > XRDS file) can you check whether a non HTTPS OP Endpoint is among the
> > list?
>
> The address bar said http, but I might have looked
> too quickly.  It could have been protectnetwork that
> did the demotion.
>
> > I'd very much like to know the particular OpenID you were trying it
> > with so I can examine the behavior if you'd care to share (perhaps
> off
> > the list if you wish).
>
> https://ejnorman.protectnetwork.org
>
> This has worked at some OpenID sites in the past.
>
> In any case, there's certainly a bug somewhere since
> the error message I quoted is complaining about
> something I never typed.
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
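An added example, not code from the thread or from any of the RP implementations discussed: RP-side checks for the endpoint-selection question above. It audits the checkid_setup redirect URLs quoted in the message and refuses to demote an https:// claimed identifier to an http:// OP endpoint. Function names, the simplified trust_root comparison (no wildcard handling) and the "prefer https" policy are this example's own assumptions.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# The two checkid_setup redirects quoted in the message above (http OP vs. https OP).
HTTP_REQUEST = "http://openid.protectnetwork.org/server?openid.assoc_handle=1230672724124-5&openid.identity=https%3A%2F%2Fejnorman.protectnetwork.org%2F&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fopenid.net%2F%3Faction%3Dcomment%26janrain_nonce%3D2009-01-01T21%253A57%253A31ZNNGAwq%26openid1_claimed_id%3Dhttps%253A%252F%252Fejnorman.protectnetwork.org%252F%26openid_consumer%3D1&openid.sreg.optional=nickname%2Cemail%2Cfullname&openid.trust_root=http%3A%2F%2Fopenid.net"
HTTPS_REQUEST = "https://openid.protectnetwork.org/server?openid.assoc_handle=1230672724124-5&openid.identity=https%3A%2F%2Fejnorman.protectnetwork.org%2F&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fopenid.net%2F%3Faction%3Dcomment%26janrain_nonce%3D2009-01-01T22%253A06%253A33Za0tf5A%26openid1_claimed_id%3Dhttps%253A%252F%252Fejnorman.protectnetwork.org%252F%26openid_consumer%3D1&openid.sreg.optional=nickname%2Cemail%2Cfullname&openid.trust_root=http%3A%2F%2Fopenid.net"


def select_endpoint(claimed_id: str, endpoints: List[str]) -> Optional[str]:
    """Pick an OP endpoint for claimed_id from the discovered (XRDS/HTML) list.

    Policy (this example's choice, stricter than the non-normative 'must' in
    OpenID 2.0 section 15): prefer an https endpoint whenever one is advertised,
    and never send an https:// identifier to an http:// endpoint."""
    secure = [e for e in endpoints if urlsplit(e).scheme == "https"]
    if secure:
        return secure[0]
    if urlsplit(claimed_id).scheme == "https":
        return None  # refuse to demote rather than silently fall back to http
    return endpoints[0] if endpoints else None


def check_checkid_request(url: str) -> dict:
    """Audit a checkid_setup URL before redirecting the user to the OP.

    Returns the problems found, keyed by name; an empty dict means clean."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    identity = q.get("openid.identity", "")
    return_to = q.get("openid.return_to", "")
    trust_root = q.get("openid.trust_root", "")
    problems = {}
    # The demotion the thread is about: https claim, plaintext OP endpoint.
    if urlsplit(identity).scheme == "https" and parts.scheme != "https":
        problems["demoted_endpoint"] = f"https identity sent to {parts.scheme} OP"
    # Section 15: the assertion coming back via the User-Agent must be protected too.
    if urlsplit(return_to).scheme != "https":
        problems["plaintext_return_to"] = "assertion will be delivered over http"
    # return_to must sit under trust_root (exact host match; wildcards not handled here).
    rt, tr = urlsplit(return_to), urlsplit(trust_root)
    if rt.scheme != tr.scheme or rt.netloc != tr.netloc or not rt.path.startswith(tr.path):
        problems["return_to_outside_trust_root"] = "return_to is not under trust_root"
    return problems


if __name__ == "__main__":
    for name, req in (("http OP", HTTP_REQUEST), ("https OP", HTTPS_REQUEST)):
        print(name, check_checkid_request(req))
```

Run against the two quoted requests, the http one is flagged for both the endpoint demotion and the plaintext return_to, while the https one is flagged only for the plaintext return_to, which is the part of the interaction section 15 says must also be over SSL.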


