[OpenID] Bug in OpenID RP implementations
Andrew Arnott
andrewarnott at gmail.com
Thu Jan 1 23:17:25 UTC 2009
Eric said:
> The address bar said http, but I might have looked too quickly. It could
> have been protectnetwork that did the demotion.
Eric, if the address bar while you were authenticating with your OP said
"http", that is entirely up to the OP and not DotNetOpenId or any other RP.
The OP may or may not have an HTTPS OP endpoint (the programmatic OpenID
receiver), but once the checkid_setup message is received at the OP, the OP
certainly may (and in my experience often does) redirect the user agent to a
standard HTTP URL as part of the "do you want to authenticate to [realm]
RP?" experience. I'm not saying this is good by any means, but it's
certainly legal, and if you don't like it, confront your OP about it.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Thu, Jan 1, 2009 at 2:18 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:
>
> On Jan 1, 2009, at 2:45 PM, Andrew Arnott wrote:
>
> > Eric,
> >
> > I believe it is exactly the problem that Peter is facing.
> >
> > Regarding the behavior you saw, Eric, DotNetOpenId doesn't ever demote
> > https to http (or if so it would be a bug), but it will go through all
> > endpoints listed for a given OpenID and choose from among that list.
> > So if your OpenID has multiple service endpoints listed (through an
> > XRDS file) can you check whether a non-HTTPS OP Endpoint is among the
> > list?
>
> The address bar said http, but I might have looked
> too quickly. It could have been protectnetwork that
> did the demotion.
>
> > I'd very much like to know the particular OpenID you were trying it
> > with so I can examine the behavior if you'd care to share (perhaps off
> > the list if you wish).
>
> https://ejnorman.protectnetwork.org
>
> This has worked at some OpenID sites in the past.
>
> In any case, there's certainly a bug somewhere since
> the error message I quoted is complaining about
> something I never typed.
>
> Eric Norman
>
>
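The check asked for in the thread (is a non-HTTPS OP Endpoint among the services an XRDS file lists for an https identifier?) can be done offline with a short script. This is an added example, not part of the original messages and not DotNetOpenId code; the XRDS document, the example.org URLs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 namespace used inside XRDS documents
OPENID_TYPES = {
    "http://specs.openid.net/auth/2.0/server", "http://specs.openid.net/auth/2.0/signon",
    "http://openid.net/signon/1.1", "http://openid.net/signon/1.0",
}

# Constructed sample XRDS for a hypothetical identifier (not taken from the thread).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
  <Service priority="10"><Type>http://specs.openid.net/auth/2.0/signon</Type>
   <URI>https://op.example.org/openid</URI></Service>
  <Service priority="20"><Type>http://openid.net/signon/1.1</Type>
   <URI>http://op.example.org/openid</URI></Service>
  <Service><Type>http://example.org/unrelated</Type>
   <URI>http://other.example.org/</URI></Service>
 </XRD>
</xrds:XRDS>"""

def op_endpoints(xrds_text):
    """Return (rank, uri, types) for each OpenID service, preferred first."""
    # Parse only documents you saved yourself; stdlib ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        types &= OPENID_TYPES
        if not types:
            continue  # not an OpenID service element
        prio = svc.get("priority")
        # A missing priority attribute ranks last in XRD ordering.
        rank = int(prio) if prio is not None else float("inf")
        for uri in svc.findall(XRD + "URI"):
            if uri.text:
                found.append((rank, uri.text.strip(), sorted(types)))
    return sorted(found, key=lambda e: e[0])

def insecure_endpoints(claimed_id, xrds_text):
    """OP endpoint URIs that are not HTTPS although the claimed identifier is."""
    if urlsplit(claimed_id).scheme.lower() != "https":
        return []
    return [uri for _, uri, _ in op_endpoints(xrds_text)
            if urlsplit(uri).scheme.lower() != "https"]

if __name__ == "__main__":
    for rank, uri, types in op_endpoints(SAMPLE_XRDS):
        print(rank, uri, types)
    print("non-HTTPS:", insecure_endpoints("https://user.example.org/", SAMPLE_XRDS))
```

This covers only the OP Endpoint URLs advertised through discovery; as the reply above notes, where the OP sends the browser after it receives checkid_setup is the OP's own decision and does not appear in the XRDS.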