ZF-3136: On a 2.0 Provider, Consumer::_associate doesn't properly fall back to SHA1 authentication on a proper error message from the provider.


The spec requires a Consumer to fall back to SHA1 authentication if it receives a message saying that the Provider doesn't support SHA256, which it's not required to do.


This patch solves the problem. It alters _httpRequest to properly parse OpenId messages and return the values they give back to whatever is calling it.

Additionally, it falls back to sha1 encryption if sha256 fails, generating a new keypair in the process, just for safety's sake. It should also alter all the other places that call _httpRequest.

I've sort of hacked it together from our implementation, so I'm not quite sure if it's working, because I had to remove some key parts from our implementation before handing it over, but it kind of gives an idea of what needs to happen for the fix.

Do you know a way to test the patch? (Maybe some OpenID provider which is affected by this bug?)

Yeah, in 1.5.1 the Consumer fails on any 2.0 provider which doesn't support SHA-256. This includes Yahoo, and I think every other 2.0 provider that we tried, though I can't recall any of the other ones at the moment. Yahoo is the one I tested against, though, during which I discovered this bug and the url fragment bug.

Oh yeah, I remember now. Beemba is another one, but I wouldn't test against them because they weren't fully up to spec, and my patch had to be loosened against spec to get them to work.

That's the relevant portion of the spec. Beemba was returning unsupported-type but wasn't setting HTTP_STATUS to 400, which the spec requires.

Because these are really OpenID messages that are being passed back, I figured that I'd move their parsing outside of the _httpRequest function, since it seems like _associate() or verify() should be the ones interacting with the OpenID level of the protocol...
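As an added illustration of the two points discussed above (parsing the OP's key-value response outside the HTTP layer, and retrying with the SHA-1 types only on a spec-conformant unsupported-type error), here is a language-neutral sketch in Python. It is not Zend Framework code and not part of the patch; the function names and the sample responses are constructed for this example, and the `strict` flag models the loosening mentioned for providers that omit the HTTP 400 status.

```python
# Added example (not Zend Framework code): parse an OpenID 2.0 direct
# response and decide whether the association request should be retried
# with the SHA-1 types. Sample responses at the bottom are constructed.

UNSUPPORTED = "unsupported-type"
SHA1_TYPES = ("HMAC-SHA1", "DH-SHA1")  # every OP must support these


def parse_kv(body):
    """Parse OpenID key-value form: 'key:value' lines, newline-terminated."""
    fields = {}
    for line in body.split("\n"):
        if line == "":
            continue
        if ":" not in line:
            raise ValueError("malformed key-value line: %r" % line)
        key, value = line.split(":", 1)
        fields[key] = value
    return fields


def next_assoc_attempt(status, body, requested, strict=True):
    """Decide what the consumer does after an association response.

    Returns ("done", fields) on success, ("retry", (assoc, session)) when
    the OP rejected the requested types and a retry is worthwhile, or
    ("fail", fields) otherwise.  strict=True requires the HTTP 400 status
    the spec mandates; strict=False tolerates OPs that omit it.
    """
    fields = parse_kv(body)
    if status == 200 and "assoc_handle" in fields:
        return ("done", fields)
    is_unsupported = fields.get("error_code") == UNSUPPORTED
    if not is_unsupported or (strict and status != 400):
        return ("fail", fields)
    # The OP may suggest supported types; otherwise fall back to SHA-1.
    suggestion = (fields.get("assoc_type", SHA1_TYPES[0]),
                  fields.get("session_type", SHA1_TYPES[1]))
    if suggestion == tuple(requested):
        return ("fail", fields)  # OP rejected its own suggestion; stop
    # Caller must generate a fresh DH keypair for the new session type.
    return ("retry", suggestion)


# Constructed sample OP responses (not captured from a real provider).
SHA256_REQUEST = ("HMAC-SHA256", "DH-SHA256")
REJECT_BODY = ("ns:http://specs.openid.net/auth/2.0\n"
               "error:Unsupported association type\n"
               "error_code:unsupported-type\n"
               "assoc_type:HMAC-SHA1\nsession_type:DH-SHA1\n")
OK_BODY = ("ns:http://specs.openid.net/auth/2.0\n"
           "assoc_handle:{HMAC-SHA1}{example}\nassoc_type:HMAC-SHA1\n"
           "session_type:DH-SHA1\nexpires_in:1209600\n")
```

Calling `next_assoc_attempt(400, REJECT_BODY, SHA256_REQUEST)` yields a retry with the SHA-1 pair, while the same body with status 200 fails under strict mode and retries only with `strict=False`.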

Tested with Yahoo.

Marking as fixed for next minor release pending merge of changes to release-1.5 branch.

Updating for the 1.6.0 release.