ZF-7458: MyOpenID authentication failure: Discovery information verification failed

Description

I've been having a problem authenticating using OpenID with the MyOpenID site.

Just as the error in the summary suggests, I have traced the problem to the Zend_OpenId_Consumer->verify function (line 316). The problem stems from the 'openid_op_endpoint' parameter not matching the stored discovered server.

During initial server discovery, MyOpenID is sending back 'http://www.myopenid.com/server' and this is stored in the consumer storage file. After authentication with MyOpenID, in the 'openid_op_endpoint' parameter, it is sending back 'https://www.myopenid.com/server'. Note that the only difference is the scheme (http vs. https) but this is enough to cause the authentication to fail because it does not match.

I don't know why MyOpenID is sending back two different endpoints and I know this isn't exactly a bug per se but perhaps the code should be changed to verify the endpoint based only upon the host and path.

Comments

I'm looking into this. MyOpenID automatically redirects http to an https endpoint which may not be getting picked up correctly by Zend_OpenId.

Bulk change of all issues last updated before 1st January 2010 as "Won't Fix".

Feel free to re-open and provide a patch if you want to fix this issue.
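
The endpoint mismatch from the description and the http-to-https redirect mentioned in the comments, as an added example that is not part of the original issue and is not Zend_OpenId code: a comparison that tolerates only a scheme upgrade from http to https and rejects the reverse, which a host-and-path-only comparison would let through. The function names are hypothetical, PHP 7.1+ is assumed, and the second and third URL pairs are constructed.

```php
<?php
// Added example: hypothetical helpers, not Zend_OpenId code. Assumes PHP 7.1+.

// Split an endpoint URL into the parts that get compared; null if unusable.
function normalizeEndpoint(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return [
        'scheme' => $scheme,
        'rest'   => [strtolower($p['host']), $p['port'] ?? null,
                     $p['path'] ?? '/', $p['query'] ?? ''],
    ];
}

// Accept endpoints with the same scheme, host, port, path and query, or the
// same host/port/path/query with the scheme upgraded from http (discovered)
// to https (asserted) on default ports. An https -> http downgrade is rejected.
function endpointMatchesAllowingUpgrade(string $discovered, string $asserted): bool
{
    $d = normalizeEndpoint($discovered);
    $a = normalizeEndpoint($asserted);
    if ($d === null || $a === null || $d['rest'] !== $a['rest']) {
        return false;
    }
    if ($d['scheme'] === $a['scheme']) {
        return true;
    }
    return $d['scheme'] === 'http' && $a['scheme'] === 'https'
        && $d['rest'][1] === null; // no explicit port on either side
}

// First pair is the one from the report; the other two are constructed.
$cases = [
    ['http://www.myopenid.com/server',  'https://www.myopenid.com/server'],
    ['https://www.myopenid.com/server', 'http://www.myopenid.com/server'],
    ['http://www.myopenid.com/server',  'https://idp.example.org/server'],
];
foreach ($cases as [$discovered, $asserted]) {
    printf("%-33s -> %-33s strict=%s upgrade-only=%s\n", $discovered, $asserted,
        var_export($discovered === $asserted, true),
        var_export(endpointMatchesAllowingUpgrade($discovered, $asserted), true));
}
```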