[OpenID] Interoperability problem with OpenID POST response between myopenid and Google

Andrew Arnott andrewarnott at gmail.com
Sun Sep 20 05:05:19 UTC 2009


Hi André,
I'm finally getting around to writing those UTF-8 signature tests you asked
for.  It occurs to me that the only place it matters is in an OP positive
assertion sent via POST.  Query strings have very strict rules about
allowable characters and UTF-8 characters will have to be properly escaped
for query string transport, which eliminates any signature issues.  POSTs,
however, I think are more capable of carrying UTF-8 payloads.  So I'm
designing the UTF-8 signature test to verify that OPs properly sign a
positive assertion from an RP that intentionally encourages the OP to use
POST instead of GET.

If you think I'm missing something please let me know.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Mon, Jun 1, 2009 at 8:18 AM, André Cruz <andre.cruz at co.sapo.pt> wrote:

> Great suite of tests, Andrew.
> On Jun 1, 2009, at 14:41 , Andrew Arnott wrote:
>
> Although I've not been able to reproduce the problem yet, I did add a few
> POST interop tests to the OSIS site.  Can you test against that and if you
> can repro it give me instructions to do so?
> RP accepts POST assertion <http://test-id.org/RP/POSTAssertion.aspx>
>
>
> Google/Blogger comments FAIL.
>
> You can try to post a comment
> http://ljsapo.blogspot.com/2007/02/teste-para-tags.html#comments
> Choose openid, fill captcha, result: Your OpenID credentials could not be
> verified.
>
>
> SourceForge login FAIL
>
> https://sourceforge.net/account/login.php
>
> Error: Could not verify your OpenID. Please try again.
>
>
> Plaxo OK
>
> https://www.plaxo.com/openid?r=%2Fevents
>
>
> OP accepts POSTed authentication requests <http://test-id.org/OP/POSTRequests.aspx>
>
>
> myopenid OK
>
>
> OP sends large assertions as POST <http://test-id.org/OP/POSTAssertion.aspx>
>
>
> myopenid OK
>
> Can you make one that exercises the UTF-8 encoding of attributes (SREG and
> AX)? Both in the OP (to check the signature generated) and in the RP (to
> check the signature verification).
>
> Thanks,
> André
>
>
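
An added example, not part of the original thread or of the OSIS test suite: a Python sketch of what a UTF-8 signature test for a POSTed positive assertion checks, assuming HMAC-SHA256 over the OpenID 2.0 Key-Value Form. The MAC key, the identifier, the function names and the three-field signed list are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

MAC_KEY = b"constructed-association-secret"  # constructed sample, not a real key


def kv_form(fields, signed):
    # OpenID 2.0 Key-Value Form: one "key:value\n" line per signed field,
    # with the "openid." prefix stripped from the key.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))


def sign(fields):
    # The MAC is computed over the UTF-8 bytes of the Key-Value Form.
    data = kv_form(fields, fields["openid.signed"]).encode("utf-8")
    mac = hmac.new(MAC_KEY, data, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def op_build_post_body():
    # OP side: sign an assertion carrying a non-ASCII SREG value, then
    # serialize it as the body of the auto-submitted form POST.
    fields = {
        "openid.mode": "id_res",
        "openid.claimed_id": "https://op.example/andre",  # constructed
        "openid.sreg.fullname": "André Cruz",
        "openid.signed": "mode,claimed_id,sreg.fullname",
    }
    fields["openid.sig"] = sign(fields)
    return urlencode(fields, encoding="utf-8")


def rp_verify(body, charset):
    # RP side: decode the POST body with the given charset, rebuild the
    # Key-Value Form and compare MACs in constant time.
    fields = dict(parse_qsl(body, encoding=charset))
    return hmac.compare_digest(sign(fields), fields["openid.sig"])


if __name__ == "__main__":
    body = op_build_post_body()
    print("RP decoding as UTF-8:     ", rp_verify(body, "utf-8"))
    print("RP decoding as ISO-8859-1:", rp_verify(body, "iso-8859-1"))
```

An RP that decodes the body as ISO-8859-1 turns "é" into two characters, so the bytes it feeds to the MAC differ from what the OP signed and verification fails even though nothing was tampered with.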