Interoperability with Gerrit/openid4java

From:
Lionel Elie Mamane
Date:
2012-06-19 @ 16:47
I'm having difficulties registering at Gerrit installations with
local-openid; I'd appreciate any hint. The underlying library is
openid4java.

After successful authentication, local-openid redirects me to a Gerrit
page (looong URL), but then I get redirected to:

 /#SignInFailure,REGISTER,Discovered+information+verification+failed.

with a body of:

 Not Found

 The page you requested was not found, or you do not have permission to
 view this page.

The gerrit logs are not more informative, and just repeat "Discovered
information verification failed".


Here are a few OpenID-enabled Gerrit installations that one can test against:

 https://gerrit.libreoffice.org/
 https://reviews.mahara.org/
 http://review.cyanogenmod.com/
 http://reviews.cloudfoundry.org/


I can successfully authenticate at slashdot and wikitravel with my
local-openid. Also at:
http://www.biff.org.uk/dave/openid/guestbook.cgi
http://www.wasab.dk/morten/2007/11/openid/
http://www.pillwatch.com/openid-login.php

OTOH, http://www.openid-ldap.org/test.php fails with message "Bad
signature", but they say:

Note: There is an issue with some servers, showing "Bad signature"
error message after successful login. This is an issue with our test
page implementation, not with those servers.

-- 
Lionel

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Eric Wong
Date:
2012-06-19 @ 17:59
Lionel Elie Mamane <lionel@mamane.lu> wrote:
> I'm having difficulties registering at Gerrit installations with
> local-openid; I'd appreciate any hint. The underlying library is
> openid4java.

Hi, I don't have time to investigate this right now.  I haven't used
local-openid (nor the websites requiring signup) much.

I did try logging into Sourceforge a few weeks ago with local-openid and
didn't have success, either.  I was also very tired/sleepy and didn't
have time to investigate.

Anything you find and report back would /greatly/ be appreciated :)
Thanks!

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Lionel Elie Mamane
Date:
2012-06-20 @ 17:06
On Tue, Jun 19, 2012 at 05:59:24PM +0000, Eric Wong wrote:
> Lionel Elie Mamane <lionel@mamane.lu> wrote:

>> I'm having difficulties registering at Gerrit installations with
>> local-openid; I'd appreciate any hint. The underlying library is
>> openid4java.

> Hi, I don't have time to investigate this right now.  I haven't used
> local-openid (nor the websites requiring signup) much.

> Anything you find and report back would /greatly/ be appreciated :)

local-openid is set up in such a way that the identifier for the OpenID
Provider and the "Claimed identifier" are the same. It seems this is
forbidden.

See http://openid.net/specs/openid-authentication-2_0.html#verify_disco:


 The Claimed Identifier MUST NOT be an OP Identifier.

And
http://openid.net/specs/openid-authentication-2_0.html#rfc.section.7.3.2.1.1
says:

 An OP Identifier Element is an <xrd:Service> element with the
 following information:

 An <xrd:Type> tag whose text content is 
"http://specs.openid.net/auth/2.0/server".
 An <xrd:URI> tag whose text content is the OP Endpoint URL

So it is forbidden for the same URL to give *both* a
http://specs.openid.net/auth/2.0/server and a 
http://specs.openid.net/auth/2.0/signon

Attached patch is a quick hack; along with

   <link rel="openid.server" href="http://openid.mamane.lu/" />
   <link rel="openid2.provider" href="http://openid.mamane.lu/" />

in the HEAD of http://www.mamane.lu/, it works!

-- 
Lionel

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Lionel Elie Mamane
Date:
2012-06-20 @ 18:59
On Wed, Jun 20, 2012 at 07:06:06PM +0200, Lionel Elie Mamane wrote:
> On Tue, Jun 19, 2012 at 05:59:24PM +0000, Eric Wong wrote:
>> Lionel Elie Mamane <lionel@mamane.lu> wrote:

>>> I'm having difficulties registering at Gerrit installations with
>>> local-openid; I'd appreciate any hint. The underlying library is
>>> openid4java.

> local-openid is setup in such a way that the identifier for the OpenID
> Provider and the "Claimed identifier" are the same. It seems this is
> forbidden.

> Attached patch is a quick hack;

Here's a better patch.

-- 
Lionel

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Eric Wong
Date:
2012-06-20 @ 19:54
Lionel Elie Mamane <lionel@mamane.lu> wrote:
> Here's a better patch.

Thanks!

Can you write a proposed commit message describing what you did?
I'd like to test + release a new version within the week.

I honestly barely remember how this code works, it was a quick
hack one day many years ago :)

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Lionel Elie Mamane
Date:
2012-06-22 @ 15:33
On Wed, Jun 20, 2012 at 07:54:27PM +0000, Eric Wong wrote:
> Lionel Elie Mamane <lionel@mamane.lu> wrote:
>> Here's a better patch.

> Thanks!

> Can you write a proposed commit message describing what you did?
> I'd like to test + release a new version within the week.

I attach a slightly revised version of my patch as
local-openid.complete.patch.

Now also http://www.openid-ldap.org/test.php works OK!

Commit message:

separate OpenID Provider identifier and user identifier to be distinct

As per OpenID Authentication 2.0 specification section 11.2, the two
are not allowed to be equal.

The user identifier is unchanged: http://${HOST}/
The provider identifier (and provider endpoint URL) is now http://${HOST}/provider


***** End of commit message -----


Testing against external websites (using openid4java) is made *far*
more complicated by the fact that openid4java caches discovery
responses indefinitely (up to the lifetime of the process!).

After much wrangling, I succeeded in running the openid4java simple-openid
sample / demo code and testing against that.

This made me realise that the attached - far simpler -
local-openid.hacky.patch could possibly work "just as
well". Simple-openid was using the presence of HTTP header
 Accept: application/xrds+xml
as a heuristic whether it should answer with an OpenID Provider
identifier (<xrd:Type> tag whose text content is
"http://specs.openid.net/auth/2.0/server") or with a (user) identifier
(<xrd:Type> tag whose text content is
"http://specs.openid.net/auth/2.0/signon").

That is the wrong condition to make that decision, and it is only by
utter chance (and details of other implementations) that it worked
before.

I think that with this hackish patch, local-openid could actually
interoperate with (nearly) every other implementation, but that is a
point to be tested.

I haven't been able to successfully test it against a running gerrit
installation, though, because of the caching problem.

However, it would still run afoul of the standard (a Claimed Identity
cannot be an OpenID Provider identity), so my vote is to stick to my
first approach.

FYI, I also attach my "dream plans" for local-openid; whether and when
I'll implement them is unsure.

-- 
Lionel
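The identifier/provider split described in the commit message above, together with the point about the Accept-header heuristic, as an added example in Ruby (local-openid is a Rack application). This is not local-openid's code and not code from any message in this thread. Assumed for illustration: the host www.example.org, the paths / (user identifier) and /provider (OP identifier and endpoint, as in the commit message), a Rack-style call(env) interface implemented without the rack gem, and regex extraction of <Type> values standing in for a real XML parser on the relying-party side.

```ruby
# Added example, not local-openid's own code. Serves two distinct XRDS
# documents, one for the user's Claimed Identifier (signon) and one for the
# OP Identifier (server), routed by path only: the Accept header is never
# consulted, because whether a URL is a user identifier or an OP identifier
# is a property of the URL, not of who is asking.
# Host, paths and the Rack-style interface are assumptions for this example.
require 'cgi'

module OpenID2Discovery
  SERVER_TYPE = 'http://specs.openid.net/auth/2.0/server'
  SIGNON_TYPE = 'http://specs.openid.net/auth/2.0/signon'
  XRDS_CT     = 'application/xrds+xml'

  # Build an XRDS document with one <Service> carrying the given <Type>s.
  # local_id (the OP-Local Identifier) only makes sense for a signon service.
  def self.xrds(types, endpoint, local_id = nil)
    lines = [
      '<?xml version="1.0" encoding="UTF-8"?>',
      '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">',
      '  <XRD>',
      '    <Service priority="0">'
    ]
    Array(types).each { |t| lines << "      <Type>#{CGI.escapeHTML(t)}</Type>" }
    lines << "      <URI>#{CGI.escapeHTML(endpoint)}</URI>"
    lines << "      <LocalID>#{CGI.escapeHTML(local_id)}</LocalID>" if local_id
    lines << '    </Service>' << '  </XRD>' << '</xrds:XRDS>'
    lines.join("\n") + "\n"
  end

  # Minimal Rack-style application (call(env) -> [status, headers, body]).
  class App
    def initialize(host)
      @user_id  = "http://#{host}/"          # Claimed Identifier
      @endpoint = "http://#{host}/provider"  # OP Identifier and OP Endpoint URL
    end

    def call(env)
      case env['PATH_INFO']
      when '/'          # user identifier: signon service with a LocalID
        xrds_response(OpenID2Discovery.xrds(SIGNON_TYPE, @endpoint, @user_id))
      when '/provider'  # OP identifier: server service, no LocalID
        xrds_response(OpenID2Discovery.xrds(SERVER_TYPE, @endpoint))
      else
        [404, { 'content-type' => 'text/plain' }, ["not found\n"]]
      end
    end

    private

    def xrds_response(body)
      [200, { 'content-type' => XRDS_CT }, [body]]
    end
  end

  # Drive the app the way a relying party's discovery step would, offline.
  def self.discover(app, path)
    status, headers, body = app.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path)
    [status, headers['content-type'], body.join]
  end

  # Relying-party side of OpenID 2.0 section 11.2: the discovered service for
  # a Claimed Identifier must be a signon service and must not be an OP
  # Identifier (server type). Regex parsing is a stand-in for an XML parser.
  def self.service_types(xrds_body)
    xrds_body.scan(%r{<Type>([^<]+)</Type>}).flatten
  end

  def self.claimed_identifier_ok?(xrds_body)
    types = service_types(xrds_body)
    types.include?(SIGNON_TYPE) && !types.include?(SERVER_TYPE)
  end
end

if __FILE__ == $PROGRAM_NAME
  app = OpenID2Discovery::App.new('www.example.org')
  %w[/ /provider].each do |path|
    status, ct, body = OpenID2Discovery.discover(app, path)
    puts "#{path}: #{status} #{ct} claimed_identifier_ok=#{OpenID2Discovery.claimed_identifier_ok?(body)}"
    puts body
  end
  # The pre-patch shape, one URL advertising both types, fails the same check.
  both = OpenID2Discovery.xrds([OpenID2Discovery::SERVER_TYPE, OpenID2Discovery::SIGNON_TYPE],
                               'http://www.example.org/', 'http://www.example.org/')
  puts "single URL as both server and signon: claimed_identifier_ok=#{OpenID2Discovery.claimed_identifier_ok?(both)}"
end
```

Run it with `ruby` to print the two documents; the last line shows why the old layout (one URL serving both the server and the signon type) is rejected by a relying party that verifies discovered information, which is the "Discovered information verification failed" seen from Gerrit.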

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Eric Wong
Date:
2012-06-23 @ 09:30
Lionel Elie Mamane <lionel@mamane.lu> wrote:

Thanks for the explanations!  I'll apply your patch (some minor comments
below).

> However, it would still run afoul of the standard (a Claimed Identity
> cannot be an OpenID Provider identity), so my vote is to stick to my
> first approach.

OK.

> 1) option to validate each request directly on the terminal: answer
>    y/n
>    ------> also answer +5m, +5d, +5y, etc to automatically allow for
>    that duration; but most useful with:

That could be tricky depending on how the Rack server configuration
is handled (some servers daemonize and detach the terminal).

Should be doable if it only supports the default wrapper, (which uses
WEBrick), though.

> 2) introduce a system of "login", so that all websites configured for
>    automatic OK can be OKed automatically securely. Login is validated
>    like the rest (config file or terminal).
> 
>    Then, the expiration can be "for this session" (tied to a login) or
>    "for all sessions".

Not sure what you mean, exactly.  So it could be something that writes
the local-openid PID to the config file, and if the PID is unchanged,
local-openid can just give an OK for the automatic IPs?
I suppose it could work.

> 3) Log original request IP *also* (from header added by Apache), not
>    only reverse proxy IP

If you're using it as a Rack application, it should be easy to add the
Rack::Logger middleware in the rackup config.ru.  Rack::Logger
understands X-Forwarded-For, and a few other similar things.

----------------- 8< config.ru 8< --------------------
require 'local_openid'
use Rack::CommonLogger
run LocalOpenID.new
----------------- 8< config.ru 8< --------------------

> +      <openid:Delegate>http://lmamane.myopenid.com/</openid:Delegate>
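Review bot: the added openid:Delegate element hard-codes http://lmamane.myopenid.com/, a URL tied to one person's identity, so every host that renders this template would advertise an OpenID 1.x delegate at that myopenid.com identity instead of its own identifier; use the per-host placeholder (the `%s` substituted for the identifier elsewhere in the template) so the delegate is generated from the serving host.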

Did you leave the above openid:Delegate line in by accident?
Can I delete it?

> -                    delete this if you've changed browsers or computers.
> +                    delete this if you have ve changed browsers or computers.
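Review bot: the replacement line in this hunk turns the correct "you've changed" into "you have ve changed", leaving a stray "ve" in the user-facing text; drop the hunk, or make it "you have changed" if the contraction is unwanted.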

Not sure why you changed the above line.  I can change it to "you have"
(and leave out the "ve" entirely) as contractions can sometimes be
confusing.


I've only tried out a few sites I have used in the past.  Sadly 4 of
them no longer support OpenID, but I was able to log into Sourceforge
and Freecode :)

Thanks again!

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Lionel Elie Mamane
Date:
2012-06-23 @ 20:23
On Sat, Jun 23, 2012 at 09:30:33AM +0000, Eric Wong wrote:
> Lionel Elie Mamane <lionel@mamane.lu> wrote:

>> +      <openid:Delegate>http://lmamane.myopenid.com/</openid:Delegate>

> Did you leave the above openid:Delegate line in by accident?
> Can I delete it?

It is the OpenID 1.x equivalent of LocalID in OpenID 2.0.

>> -                    delete this if you've changed browsers or computers.
>> +                    delete this if you have ve changed browsers or computers.

> Not sure why you changed the above line.

It messed up the syntax highlighting in my Emacs; I intended to change
it back before sending the patch, but forgot. It is inconsequential,
you can drop that hunk. (Or not; my English teacher in high school
always said to reserve contractions for oral speech and not written
medium, but I don't really care.)

-- 
Lionel

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Eric Wong
Date:
2012-06-23 @ 22:59
Lionel Elie Mamane <lionel@mamane.lu> wrote:
> On Sat, Jun 23, 2012 at 09:30:33AM +0000, Eric Wong wrote:
> > Lionel Elie Mamane <lionel@mamane.lu> wrote:
> 
> >> +      <openid:Delegate>http://lmamane.myopenid.com/</openid:Delegate>
> 
> > Did you leave the above openid:Delegate line in by accident?
> > Can I delete it?
> 
> it is the OpenID 1.x equivalent of LocalID in OpenID 2.0.

OK, is there a generic value we can put there instead of a myopenid.com
URL tied to your identity? :)

> >> -                    delete this if you've changed browsers or computers.
> >> +                    delete this if you have ve changed browsers or computers.
> 
> > Not sure why you changed the above line.
> 
> It messed up the syntax highlighting in my Emacs; I intended to change
> it back before sending the patch, but forgot. It is inconsequential,
> you can drop that hunk. (Or not; my English teacher in high school
> always said to reserve contractions for oral speech and not written
> medium, but I don't really care.)

I'll just remove the extra " ve" and it'll say "you have"
Thanks.

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Lionel Elie Mamane
Date:
2012-06-24 @ 05:44
On Sat, Jun 23, 2012 at 10:59:24PM +0000, Eric Wong wrote:
> Lionel Elie Mamane <lionel@mamane.lu> wrote:
>> On Sat, Jun 23, 2012 at 09:30:33AM +0000, Eric Wong wrote:
>>> Lionel Elie Mamane <lionel@mamane.lu> wrote:

>>>> +      <openid:Delegate>http://lmamane.myopenid.com/</openid:Delegate>

>>> Did you leave the above openid:Delegate line in by accident?
>>> Can I delete it?

>> it is the OpenID 1.x equivalent of LocalID in OpenID 2.0.

> OK, is there a generic value we can put there instead of a
> myopenid.com URL tied to your identity? :)

Oh, I see now. It should be

      <openid:Delegate>%s</openid:Delegate>

-- 
Lionel

Re: [local.openid] Interoperability with Gerrit/openid4java

From:
Eric Wong
Date:
2012-06-25 @ 03:57
Thanks for your contribution Lionel!

I've pushed your change (crediting you) to "master" of
git://bogomips.org/local-openid.git
(wow, first commit in nearly 2 years! :)

Anything else in the next few days?  I'll release a new version
soon.