[OpenID] Bug in AOL OpenID Provider implementation

George Fletcher gffletch at aol.com
Mon Jan 5 20:03:35 UTC 2009


Ahh... Thanks Andrew for the detailed bug report! We're looking into it. 
My apologies for not keeping up with the list. I took a "vacation" from 
email over Christmas and New Year's :) Hence the slow response.

Thanks,
George

Andrew Arnott wrote:
> Is there anyone on this list who works for or with AOL OpenID folks?  
> I have (below) a description of an interop issue with the AOL OpenID 
> Provider that may be a bug they should look at.
>
> Thanks.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the 
> death your right to say it." - Voltaire
>
>
> ---------- Forwarded message ----------
> From: *Andrew Arnott* <andrewarnott at gmail.com 
> <mailto:andrewarnott at gmail.com>>
> Date: Wed, Dec 31, 2008 at 5:50 PM
> Subject: Re: [dotnetopenid] problems with AOL today?
> To: dotnetopenid at googlegroups.com <mailto:dotnetopenid at googlegroups.com>
>
>
> Thanks for reporting this, Joel.  This is a bug in AOL's 
> encoding/decoding of the return_to URL, as I detail below.  I'll 
> forward this on to the AOL OpenID folks (as soon as I can figure out 
> who they are) and suggest they fix this bug pronto!
>
> As can be seen in the below log, DotNetOpenId is sending AOL a 
> return_to URL with a twice-URL-encoded + sign as the value for the 
> token parameter, as appropriate.  That is, the plus sign is an actual 
> character in the (base 64 encoded) value, which must be URL encoded 
> because it is a URL parameter.  Then since the return_to URI is itself 
> a URL parameter, it is encoded again. 
>
> But when the auth message comes back from AOL (and only AOL has this 
> issue, reportedly starting 12/31/08) the + sign character in the 
> return_to URL has been decoded by AOL rather than being preserved as 
> DotNetOpenId had written it.  As a result, the + sign is 
> misinterpreted as a URL encoding of the space character, causing the 
> base64 decoding operation to fail.
>
> *Analysis: AOL is decoding the return_to parameter, and not properly 
> re-encoding it before sending it back to the RP.*
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Sending indirect message:
>     openid.mode: checkid_setup
>     openid.identity: http://openid.aol.com/webmyway
>     openid.trust_root: http://nerdbank.org/RP/
>     openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=%2frp%2fMembersOnly%2fDefault.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*%2b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%3d%3d&OpenIdTextBox_UsePersistentCookie=False
>     openid.assoc_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%3D-j5HRXRB1VbPyg48jGKE1Q%2FHHWVWwVNZus2FUJWWCXqED%2BIkTINCC3xA7WOU0AmejttQ%2F2yXC%2Bi4%3D
>     openid.ns.sreg: http://openid.net/extensions/sreg/1.1
>     openid.sreg.policy_url: http://nerdbank.org/RP/PrivacyPolicy.aspx
>     openid.sreg.required: gender,postcode,timezone
>     openid.sreg.optional: email,country
>
> 2008-12-31 17:19:17,737 [5] DEBUG DotNetOpenId - Redirecting to https://api.screenname.aol.com/auth/openidServer?openid.mode=checkid_setup&openid.identity=http%3a%2f%2fopenid.aol.com%2fwebmyway&openid.trust_root=http%3a%2f%2fnerdbank.org%2fRP%2f&openid.return_to=http%3a%2f%2fnerdbank.org%2fRP%2flogin.aspx%3fReturnUrl%3d%252frp%252fMembersOnly%252fDefault.aspx%26token%3dATjrrFUCgj1z1e2dmRTszTnE4tB*%252b*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg%253d%253d%26OpenIdTextBox_UsePersistentCookie%3dFalse&openid.assoc_handle=diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0%253D-j5HRXRB1VbPyg48jGKE1Q%252FHHWVWwVNZus2FUJWWCXqED%252BIkTINCC3xA7WOU0AmejttQ%252F2yXC%252Bi4%253D&openid.ns.sreg=http%3a%2f%2fopenid.net%2fextensions%2fsreg%2f1.1&openid.sreg.policy_url=http%3a%2f%2fnerdbank.org%2fRP%2fPrivacyPolicy.aspx&openid.sreg.required=gender%2cpostcode%2ctimezone&openid.sreg.optional=email%2ccountry
>
> 2008-12-31 17:20:18,726 [1] DEBUG DotNetOpenId - OpenID authentication response received:
>     ReturnUrl: /rp/MembersOnly/Default.aspx
>     token: ATjrrFUCgj1z1e2dmRTszTnE4tB iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==
>     OpenIdTextBox_UsePersistentCookie: False
>     openid.mode: id_res
>     openid.identity: http://openid.aol.com/webmyway
>     openid.assoc_handle: diAyLjAgayAwIHZrR3dmb3hFMy80VEZRMERlRFpkZ0RRUW03ST0%3D-j5HRXRB1VbPyg48jGKE1Q9dV%2Bsl5xZlMb7I9GJL9ohbwmRH%2BaEF%2BZhAJOAIsXk5%2BTdfzZoedphY%3D
>     openid.return_to: http://nerdbank.org/RP/login.aspx?ReturnUrl=/rp/MembersOnly/Default.aspx&token=ATjrrFUCgj1z1e2dmRTszTnE4tB*+*iV9nzTe78Df6GxGeaHR0cDovL29wZW5pZC5hb2wuY29tL3dlYm15d2F5DQpodHRwOi8vb3BlbmlkLmFvbC5jb20vd2VibXl3YXkNCg0KaHR0cHM6Ly9hcGkuc2NyZWVubmFtZS5hb2wuY29tL2F1dGgvb3BlbmlkU2VydmVyDQoxLjENCjIwMDktMDEtMDFUMDA6MTk6MTdaZHdCL3t8THkNCg==&OpenIdTextBox_UsePersistentCookie=False
>     openid.signed: identity,return_to
>     openid.sig: UkJ8PtkMcJNTDaw094KRGYZkQgs=
>     openid.invalidate_handle: diAyLjAgayAwIFoxQWlqdWw1Mmh3bXZUUHBtRVF2NG1NeDdaYz0=-j5HRXRB1VbPyg48jGKE1Q/HHWVWwVNZus2FUJWWCXqED+IkTINCC3xA7WOU0AmejttQ/2yXC+i4=
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the 
> death your right to say it." - Voltaire
>
>
>
> On Wed, Dec 31, 2008 at 1:11 PM, Joel Nylund <jnylund at yahoo.com 
> <mailto:jnylund at yahoo.com>> wrote:
>
>
>     Hey, anyone else having issues with AOL OpenID? As of today on my
>     site I can't use AOL to log in or sign up; there is a problem with
>     the token they are sending over. I haven't had a chance to debug yet,
>     just wondering if anyone else has seen it?
>
>     When I try using Andrew's site I see the same problem:
>
>     Server Error in '/RP' Application.
>     Invalid length for a Base-64 char array.
>     Description: An unhandled exception occurred during the execution
>     of the current web request. Please review the stack trace for more
>     information about the error and where it originated in the code.
>
>     Exception Details: System.FormatException: Invalid length for a
>     Base-64 char array.
>
>     Source Error:
>
>     An unhandled exception was generated during the execution of the
>     current web request. Information regarding the origin and location
>     of the exception can be identified using the exception stack trace
>     below.
>
>     Stack Trace:
>
>     [FormatException: Invalid length for a Base-64 char array.]
>       System.Convert.FromBase64String(String s) +0
>       DotNetOpenId.RelyingParty.Token.Deserialize(String token,
>     INonceStore store) in Token.cs:82
>      
>     DotNetOpenId.RelyingParty.AuthenticationResponse.Parse(IDictionary`2
>     query, OpenIdRelyingParty relyingParty, Uri requestUrl, Boolean
>     verifySignature) in AuthenticationResponse.cs:222
>       DotNetOpenId.RelyingParty.OpenIdRelyingParty.get_Response() in
>     OpenIdRelyingParty.cs:294
>       DotNetOpenId.RelyingParty.OpenIdTextBox.OnLoad(EventArgs e) in
>     OpenIdTextBox.cs:639
>       System.Web.UI.Control.LoadRecursive() +47
>       System.Web.UI.Control.LoadRecursive() +131
>       System.Web.UI.Control.LoadRecursive() +131
>       System.Web.UI.Control.LoadRecursive() +131
>       System.Web.UI.Control.LoadRecursive() +131
>       System.Web.UI.Page.ProcessRequestMain(Boolean
>     includeStagesBeforeAsyncPoint, Boolean
>     includeStagesAfterAsyncPoint) +1436
>
>
>
>     thanks
>     Joel
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>   
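As an added illustration (not code from DotNetOpenId, AOL or the original posts), the Python below models the three hops Andrew describes: the RP double-encodes the '+' in its return_to token, a correct OP hands return_to back with %2B intact, and a "buggy" OP decodes it once too often so the RP sees a space and base64 decoding fails. The hostnames come from the log; the token bytes are constructed, and the URL-safe variant is an RP-side hardening the thread does not mention, included because it survives the same OP behaviour.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Constructed token bytes (not the real DotNetOpenId token). Standard base64 of these
# bytes starts with "+/", the characters at the heart of the reported bug.
TOKEN_BYTES = b"\xfb\xff" + b"constructed-rp-state"
STD_TOKEN = base64.b64encode(TOKEN_BYTES).decode()           # contains '+' and '/'
SAFE_TOKEN = base64.urlsafe_b64encode(TOKEN_BYTES).decode()  # '-' and '_' instead

RP_LOGIN = "http://nerdbank.org/RP/login.aspx"                 # hosts taken from the log
OP_ENDPOINT = "https://api.screenname.aol.com/auth/openidServer"


def rp_checkid_redirect(token):
    """RP -> OP. '+' in the token is percent-encoded once inside return_to (%2B) and
    again when return_to itself becomes a query parameter of the OP URL (%252B)."""
    return_to = RP_LOGIN + "?" + urlencode(
        {"ReturnUrl": "/rp/MembersOnly/Default.aspx", "token": token})
    return OP_ENDPOINT + "?" + urlencode(
        {"openid.mode": "checkid_setup", "openid.return_to": return_to})


def op_id_res_redirect(checkid_url, buggy=False):
    """OP -> RP. parse_qs decodes the OP's query exactly once, leaving %2B inside
    return_to intact. The buggy variant models the behaviour described in the thread:
    return_to is decoded a second time (%2B -> '+') and sent back without re-encoding."""
    return_to = parse_qs(urlsplit(checkid_url).query)["openid.return_to"][0]
    if buggy:
        return_to = unquote(return_to)
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode({"openid.mode": "id_res"})


def rp_read_token(id_res_url, urlsafe=False):
    """RP reads the incoming query once; a literal '+' now decodes to a space, which is
    not a base64 character. Returns (token as seen, decoded bytes or None on failure)."""
    token = parse_qs(urlsplit(id_res_url).query)["token"][0]
    try:
        return token, base64.b64decode(
            token, altchars=b"-_" if urlsafe else None, validate=True)
    except binascii.Error:
        return token, None


def round_trip(token, buggy, urlsafe=False):
    """Full RP -> OP -> RP hop for one token, against a correct or a buggy OP."""
    return rp_read_token(op_id_res_redirect(rp_checkid_redirect(token), buggy), urlsafe)
```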


