Defect #8399

openid logins not working with 2.0 redirects

Added by Antoine Beaupré about 1 year ago. Updated 3 days ago.

Status: New
Priority: Normal
Assignee: -
Category: OpenID
Target version: -
Affected version: 1.0.1
Start date: 2011-05-18
Due date:
% Done: 100%
Resolution:

Description

I am the maintainer of the Drupal.org OpenID Provider module. We are having interoperability problems when using POST redirections to login through openid on redmine sites.

We want to use POST redirections because it's part of the OpenID 2.0 standard spec and fixes interoperability problems with stackoverflow and dotnetauth relying parties.

The patch is here:

http://drupal.org/node/831162

I also filed this issue in the ruby library bugtracker:

https://github.com/openid/ruby-openid/issues/19

We're running the Debian backport on Lenny, with the 2.1.8 ruby library.

Thanks for any feedback

8399_redmine_fix_openid.patch (1.6 kB) Antoine Beaupré, 2012-01-28 21:59

History

#1 Updated by Antoine Beaupré about 1 year ago

Oh, and note that redmine doesn't give any useful error message. We just get redirected to a blank login page with the URL:

http://redmine.koumbit.net/login?_method=post&open_id_complete=1

Quite odd.

#2 Updated by Etienne Massip about 1 year ago

Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :

  redirect_to(open_id_redirect_url(open_id_request, return_to, method))

to :

  redirect_to(open_id_redirect_url(open_id_request, return_to, method), :status => 307)

?

(requires to restart Redmine)

#3 Updated by Antoine Beaupré 10 months ago

Etienne Massip wrote:

Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :

A bit better, but still fails, now I get:

Invalid form authenticity token.

Note that the URL is the same.

#4 Updated by Jeffrey Jones 9 months ago

Looks like the controller that open_id_redirect_url points to just needs to skip the checking of the authenticity token for that action since there is no point in this case.

#5 Updated by Etienne Massip 8 months ago

  • Category changed from Accounts / authentication to OpenID

#6 Updated by Antoine Beaupré 4 months ago

@Jeffrey Jones: not sure how that could be done. Any ideas?

This is still broken. From what I can tell, Redmine needs a HTTP redirect, which is a 1.0 protocol, while it's actually implementing the 2.0 protocol.

So right now, I am making the decision of breaking the OpenID logins on redmine from Drupal, in favor of Stackoverflow and other standard implementations.

I would really appreciate feedback on how this could be fixed in Redmine, or in Drupal's openid_provider, if you guys think it's broken. As things stand, I believe the problem really is redmine.

#7 Updated by Antoine Beaupré 4 months ago

I figured out how to disable the token check. You need to add

  skip_before_filter :verify_authenticity_token

in the AccountController. Unfortunately, this disables CSRF attack protection on an important form. Furthermore, it still doesn't work: with this we just go back to the form, unmodified.
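As an added illustration of the difference between the controller-wide skip in comment #7 and the per-action skip comment #4 suggested, here is a plain-Ruby model of the decision (example code, not Redmine's, the plugin's, or the commenter's, and not Rails: a Hash stands in for the session and a Struct for the request). The `rp_nonce` parameter and the session-stored nonce are assumptions made for the example; they stand in for whatever state the relying party keeps between starting the OpenID request and receiving the provider's POST back to return_to. The `open_id_complete=1` marker is the one visible in the URL from comment #1.

```ruby
require 'securerandom'

# Plain-Ruby model of the forgery check in a Redmine-style login action.
# No Rails involved: the session is a Hash, the request is a Struct. The
# nonce binding (rp_nonce) is an assumption for illustration, not the
# open_id_authentication plugin's own check.
Request = Struct.new(:http_method, :params)

class LoginGuard
  # Markers of an OpenID 2.0 provider's POST back to the return_to URL:
  # openid.mode is part of the protocol, open_id_complete=1 is the marker
  # the plugin puts in return_to (see the URL quoted in comment #1).
  OPENID_RETURN_MARKERS = %w[openid.mode open_id_complete].freeze

  def initialize(session)
    @session = session
    @session[:csrf_token] ||= SecureRandom.hex(16)
  end

  def csrf_token
    @session[:csrf_token]
  end

  # Called when the RP starts an OpenID exchange. The nonce would be added
  # to return_to so the provider's POST can be tied back to this session.
  # (Assumed mechanism, not the plugin's.)
  def begin_openid
    @session[:openid_nonce] = SecureRandom.hex(16)
  end

  def openid_return?(req)
    req.http_method == 'POST' &&
      OPENID_RETURN_MARKERS.all? { |k| req.params.key?(k) }
  end

  # What `skip_before_filter :verify_authenticity_token` on the whole
  # controller amounts to: every POST is accepted, token or not.
  def allow_global_skip?(_req)
    true
  end

  # Scoped alternative: ordinary form POSTs still need the session token;
  # only the OpenID completion POST is exempt, and it must carry the
  # single-use nonce this session issued when the exchange began.
  def allow_scoped?(req)
    return true if req.http_method == 'GET'
    if openid_return?(req)
      nonce = @session.delete(:openid_nonce) # consume it: one return per begin
      return !nonce.nil? && secure_equal?(req.params['rp_nonce'], nonce)
    end
    secure_equal?(req.params['authenticity_token'], @session[:csrf_token])
  end

  private

  # Constant-time string comparison so token checks don't leak by timing.
  def secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  guard = LoginGuard.new(session)
  forged = Request.new('POST', 'username' => 'alice', 'password' => 'x')
  puts "forged login POST, global skip: #{guard.allow_global_skip?(forged)}"
  puts "forged login POST, scoped:      #{guard.allow_scoped?(forged)}"
  nonce = guard.begin_openid
  ret = Request.new('POST', 'openid.mode' => 'id_res',
                            'open_id_complete' => '1', 'rp_nonce' => nonce)
  puts "openid return POST, scoped:     #{guard.allow_scoped?(ret)}"
end
```

In a real Rails controller the narrower form of the skip is `skip_before_filter :verify_authenticity_token, :only => :login`, which leaves the token check in place for every other action. The model above goes one step further and keeps the check for plain login-form POSTs as well, exempting only a request that looks like the provider's OpenID completion and can prove it belongs to this session; whether that proof comes from a nonce like the one assumed here or from the OpenID library's own return_to verification is a design choice the thread does not settle.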

#8 Updated by Antoine Beaupré 4 months ago

I notice also that the openid wrapper used by redmine hasn't been updated in years while there has been upstream releases:

https://github.com/Velir/open_id_authentication

... that should probably be the first step in fixing that problem.

#9 Updated by Antoine Beaupré 4 months ago

Alright, I confirm the fix works. I needed to fix both the Redmine and Drupal sides, as Redmine was refusing the login, not only because of the missing ticket, but also because Drupal was sending too much stuff.

I had to enable more debugging, otherwise Redmine would just send a blank page when the openid login would fail, without any explanation. I also had to pass down the errors from the ruby library... So the attached patch fixes all this.

#10 Updated by Matt C 3 days ago

This isn't quite perfect -- logging in with OpenID always redirects the user to the front page, no matter where you started.
