Issue Type: Bug Created: 2008-04-17T23:46:21.000+0000 Last Updated: 2008-09-02T10:39:44.000+0000 Status: Resolved Fix version(s): - 1.6.0 (02/Sep/08)
Reporter: Paul Huff (phuff) Assignee: Dmitry Stogov (dmitry) Tags: - Zend_OpenId
Related issues: Attachments: - sha256_sha1_fallback.patch
The spec requires a Consumer to fallback to SHA1 authentication if it receives a message saying that the Provider doesn't support SHA256, which it's not required to do.
Posted by Paul Huff (phuff) on 2008-04-17T23:57:30.000+0000
This patch solves the problem. It alters _httpRequest to properly parse OpenId messages and return the values they give back to whatever is calling it.
Additionally, it falls back to sha1 encryption if sha256 fails, generating a new keypair in the process, just for safety's sake. It should also alter all the other places that call _httpRequest.
I've sort of hacked it together from our implementation, so I'm not quite sure if it's working, because I had to remove some key parts from our implementation before handing it over, but it kinda gives the idea of what the fix needs to happen in case.
Posted by Dmitry Stogov (dmitry) on 2008-04-18T08:20:31.000+0000
Do you know a way to test the patch? (May be some OpenId provider which is affected by this bug)
Posted by Paul Huff (phuff) on 2008-04-18T09:00:36.000+0000
Yeah, in 1.5.1 the Consumer fails on any 2.0 provider which doesn't support SHA-256. This includes Yahoo, and I think every other 2.0 provider that we tried, though I can't recall any of the other ones at the moment. Yahoo is the one I tested against, though, during which I discovered this bug and the url fragment bug.
Posted by Paul Huff (phuff) on 2008-04-18T09:07:00.000+0000
Oh yeah, I remembered now. Beemba is another one, but I wouldn't test against them because they weren't fully up to spec, and my patch had to be loosened against spec to get them to work.
That's the relevant portion of the spec. Beemba was returning unsupported-type but wasn't setting HTTP_STATUS to 400, which the spec requires.
Because these are really openid messages that are being passed back, I figured that I'd move their parsing outside of the _httpRequest function, since it seems like _associate() or verify() should be the ones interacting with the openid level of the protocol...
Posted by Dmitry Stogov (dmitry) on 2008-04-18T11:41:50.000+0000
Tested with Yahoo.
Posted by Darby Felton (darby) on 2008-04-21T13:48:25.000+0000
Marking as fixed for next minor release pending merge of changes to release-1.5 branch.
Posted by Wil Sinclair (wil) on 2008-09-02T10:39:44.000+0000
Updating for the 1.6.0 release.
Have you found an issue?
See the Overview section for more details.