Issues

ZF-11595: OpenId_Consumer handles/requires dh association improperly

Description

Zend_OpenId_Consumer::_checkId()

    if (!$this->_associate($server, $version)) {
        $this->_setError("Association failed: " . $this->getError());
        return false;
    }

It should not return false because association is not a mandatory part of openid authentication.

<a rel="nofollow" href="http://openid.net/specs/openid-authentication-1_1.html#smart_vs_dumb">http://openid.net/specs/&hellip;</a>

(3.4.1 paragraph 1): "It's RECOMMENDED that a Consumer first submit an associate request (associate) ..." "This shared secret SHOULD be used ..."

<a rel="nofollow" href="http://openid.net/specs/openid-authentication-2_0.html#anchor2">http://openid.net/specs/&hellip;</a>

3.(optional) The Relying Party and the OP establish an association
(Establishing Associations) -- a shared secret established using
Diffie-Hellman Key Exchange...

This is important for the cases if DH key can not be created:

<a rel="nofollow" href="https://bugs.php.net/bug.php?id=55259">https://bugs.php.net/bug.php?id=55259</a>

"openssl extension does not get the DH parameters from DH key resource"

thus the Zend_OpenId::createDhKey() returns the wrong values in the array.

<a rel="nofollow" href="https://rt.cpan.org/Ticket/Display.html?id=69651">https://rt.cpan.org/Ticket/Display.html?id=69651</a>

Zend_OpenId_Consumer sends the assoc request without the DH parameters to the Net::OpenID::Server and receives the response without assoc_type. Zend_OpenId_Consumer::_associate()

        $params['openid.assoc_type'] != $ret['assoc_type']) {
        if ($params['openid.assoc_type'] != $ret['assoc_type']) {
            $this->_setError("The returned assoc_type differed from the supplied openid.assoc_type");
        } else {
            $this->_setError("Missing required data from provider (assoc_handle, expires_in, assoc_type are required)");
        }
        return false;

returns false again despite the association is not necessary to authenticate.

Current workaround: disabling the openssl extension in php.

Comments

No comments to display