[OpenID] Bug in AOL OpenID Provider implementation
Andrew Arnott
andrewarnott at gmail.com
Mon Jan 5 03:01:35 UTC 2009
George,
I haven't heard back from you. I have multiple RP sites contacting me
saying that interop with AOL broke recently due to this change on the AOL
Provider side. Can you give me an idea of what you think of this report and
when you think a fix can be brought online?
Thanks.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Wed, Dec 31, 2008 at 5:23 PM, David Recordon <drecordon at sixapart.com> wrote:
> Hey Andrew,
> George Fletcher is a great contact there and is normally on the
> list as well.
>
> --David
>
> On Dec 31, 2008, at 5:02 PM, Andrew Arnott wrote:
>
> Is there anyone on this list who works for or with AOL OpenID folks? I
> have (below) a description of an interop issue with the AOL OpenID Provider
> that may be a bug they should look at.
>
> Thanks.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>
> ---------- Forwarded message ----------
> From: Andrew Arnott <andrewarnott at gmail.com>
> Date: Wed, Dec 31, 2008 at 5:50 PM
> Subject: Re: [dotnetopenid] problems with AOL today?
> To: dotnetopenid at googlegroups.com
>
>
> Thanks for reporting this, Joel. This is a bug in AOL's encoding/decoding
> of the return_to URL, as I detail below. I'll forward this onto the AOL
> OpenID folks (as soon as I can figure out who they are) and suggest they fix
> this bug pronto!
>
> As can be seen in the below log, DotNetOpenId is sending AOL a return_to
> URL with a twice-URL-encoded + sign as the value for the token parameter, as
> appropriate. That is, the plus sign is an actual character in the (base 64
> encoded) value, which must be URL encoded because it is a URL parameter.
> Then since the return_to URI is itself a URL parameter, it is encoded
> again.
>
> But when the auth message comes back from AOL (and only AOL has this issue,
> reportedly starting 12/31/08) the + sign character in the return_to URL has
> been decoded by AOL rather than being preserved as DotNetOpenId had written
> it. As a result, the + sign is misinterpreted as a URL encoding of the
> space character, causing the base64 decoding operation to fail.
>
> *Analysis: AOL is decoding the return_to parameter, and not properly
> re-encoding it before sending it back to the RP.*
>
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
>
> openid.mode: checkid_setup
> openid.identity: http://openid.aol.com/webmyway
>
> openid.trust_root: http://nerdbank.org/RP/
> openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*%2b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
>
> openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
>
> openid.ns.sreg: http://openid.net/extensions/sreg/1.1
> openid.sreg.policy_url: http://nerdbank.org/RP/PrivacyPolicy.aspx
>
> openid.sreg.required: gender,postcode,timezone
> openid.sreg.optional: email,country
>
>
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE4tB*%252b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry
>
> 2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
> ReturnUrl: /rp/MembersOnly/Default.aspx
>
> token: ATjrrFUCgj1z1e2dmRTszTnE4tB iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
>
> OpenIdTextBox_UsePersistentCookie: False
> openid.mode: id_res
>
> openid.identity: http://openid.aol.com/webmyway
> openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
>
> openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*+*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
>
> openid.signed: identity,return_to
> openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
>
> openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
>
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>
>
> On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <jnylund at yahoo.com> wrote:
>
>>
>> Hey, anyone else having issues with AOL openid, as of today on my site I
>> can't use aol to login or signup, there is a problem with the token they are
>> sending over, haven't had a chance to debug yet, just wondering if anyone
>> else has seen?
>>
>> When I try using Andrew's site I see same problem:
>>
>> Server Error in '/RP' Application.
>> Invalid length for a Base-64 char array.
>> Description: An unhandled exception occurred during the execution of the
>> current web request. Please review the stack trace for more information
>> about the error and where it originated in the code.
>>
>> Exception Details: System.FormatException: Invalid length for a Base-64
>> char array.
>>
>> Source Error:
>>
>> An unhandled exception was generated during the execution of the current
>> web request. Information regarding the origin and location of the exception
>> can be identified using the exception stack trace below.
>>
>> Stack Trace:
>>
>> [FormatException: Invalid length for a Base-64 char array.]
>> System.Convert.FromBase64String(String s) +0
>> DotNetOpenId.RelyingParty.Token.Deserialize(String token, INonceStore
>> store) in Token.cs:82
>> DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
>> query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
>> verifySignature) in AuthenticationResponse.cs:222
>> DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
>> OpenIdRelyingParty.cs:294
>> DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
>> OpenIdTextBox.cs:639
>> System.Web.UI.Control.LoadRecursive() +47
>> System.Web.UI.Control.LoadRecursive() +131
>> System.Web.UI.Control.LoadRecursive() +131
>> System.Web.UI.Control.LoadRecursive() +131
>> System.Web.UI.Control.LoadRecursive() +131
>> System.Web.UI.Page.ProcessRequestMain(Boolean
>> includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436
>>
>>
>>
>> thanks
>> Joel
>>
>>
>>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
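The double encoding and the decode fault described in the thread above, reproduced as an added example (not code from the thread or from DotNetOpenId). The hosts, the token bytes and all function names are constructed for illustration; the RP-side comparison of the echoed return_to is an added check.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed sample values (hypothetical hosts, not from the thread).
RP_URL = "https://rp.example/login"
OP_URL = "https://op.example/auth"
RAW_TOKEN = b"\xfb\xef\xbe\x01"          # base64 form is "++++AQ=="


def rp_build_request(raw_token):
    """RP: encode the token into return_to, then return_to into the OP URL."""
    token = base64.b64encode(raw_token).decode()
    return_to = RP_URL + "?token=" + quote(token, safe="")            # '+' -> %2B
    request = (OP_URL + "?openid.mode=checkid_setup&openid.return_to="
               + quote(return_to, safe=""))                           # %2B -> %252B
    return return_to, request


def op_redirect(request_url, extra_decode):
    """OP: build the redirect back to the RP.

    extra_decode=True models the fault described in the post: return_to is
    decoded one level too many and not re-encoded.
    """
    return_to = parse_qs(urlsplit(request_url).query)["openid.return_to"][0]
    if extra_decode:
        return_to = unquote(return_to)                                # %2B -> '+'
    return (return_to + "&openid.mode=id_res&openid.return_to="
            + quote(return_to, safe=""))


def rp_handle_response(sent_return_to, response_url):
    """RP: check the echoed return_to, then decode the token parameter."""
    params = parse_qs(urlsplit(response_url).query)
    echoed_ok = params["openid.return_to"][0] == sent_return_to
    try:
        token = base64.b64decode(params["token"][0], validate=True)
    except binascii.Error:
        token = None                      # '+' arrived as ' ': not valid base64
    return echoed_ok, token


def demo():
    sent, request = rp_build_request(RAW_TOKEN)
    good = rp_handle_response(sent, op_redirect(request, extra_decode=False))
    bad = rp_handle_response(sent, op_redirect(request, extra_decode=True))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Without `validate=True`, Python's `b64decode` silently discards the spaces and returns different bytes instead of failing, so the return_to comparison is the more reliable signal.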