Defect #8399

openid logins not working with 2.0 redirects

Added by Antoine Beaupré about 8 years ago. Updated about 6 years ago.

Status: Resolved
Start date: 2011-05-18
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: OpenID
Target version: -
Resolution:
Affected version: 1.0.1

Description

I am the maintainer of the Drupal.org OpenID Provider module. We are having interoperability problems when using POST redirections to login through openid on redmine sites.

We want to use POST redirections because it's part of the OpenID 2.0 standard spec and fixes interoperability problems with stackoverflow and dotnetauth relying parties.

The patch is here:

http://drupal.org/node/831162

I also filed this issue in the ruby library bugtracker:

https://github.com/openid/ruby-openid/issues/19

We're running the Debian backport on Lenny, with the 2.1.8 ruby library.

Thanks for any feedback

8399_redmine_fix_openid.patch (1.59 KB) Antoine Beaupré, 2012-01-28 21:59


Related issues

Related to Redmine - Defect #11778: openid : Fields not taken when logged in using Google acc... New

History

#1 Updated by Antoine Beaupré about 8 years ago

Oh, and note that redmine doesn't give any useful error message. We just get redirected to a blank login page with the URL:

http://redmine.koumbit.net/login?_method=post&open_id_complete=1

Quite odd.

#2 Updated by Etienne Massip about 8 years ago

Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :

redirect_to(open_id_redirect_url(open_id_request, return_to, method))

to :

redirect_to(open_id_redirect_url(open_id_request, return_to, method), :status => 307)

?

(requires to restart Redmine)

#3 Updated by Antoine Beaupré almost 8 years ago

Etienne Massip wrote:

Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :

A bit better, but still fails, now I get:

Invalid form authenticity token.

Note that the URL is the same.

#4 Updated by Jeffrey Jones almost 8 years ago

Looks like the controller that open_id_redirect_url points to just needs to skip the checking of the authenticity token for that action since there is no point in this case.

#5 Updated by Etienne Massip over 7 years ago

  • Category changed from Accounts / authentication to OpenID

#6 Updated by Antoine Beaupré over 7 years ago

@Jeffrey Jones: not sure how that could be done. Any ideas?

This is still broken. From what I can tell, Redmine needs a HTTP redirect, which is a 1.0 protocol, while it's actually implementing the 2.0 protocol.

So right now, I am making the decision of breaking the OpenID logins on redmine from Drupal, in favor of Stackoverflow and other standard implementations.

I would really appreciate feedback on how this could be fixed in Redmine, or in Drupal's openid_provider, if you guys think it's broken. As things stand, I believe the problem really is redmine.

#7 Updated by Antoine Beaupré over 7 years ago

I figured out how to disable the token check. You need to add

  skip_before_filter :verify_authenticity_token

in the AccountController. Unfortunately, this disables CSRF attack protection on an important form. Furthermore, it still doesn't work: with this we just go back to the form, unmodified.
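The two options raised in #4 and #7 are a blanket skip of the authenticity check on the login action, or keeping CSRF protection on the ordinary login form. The following is an added example, not Redmine's or the open_id_authentication plugin's code, of the narrower middle ground: exempt a POST to the login action only when it is recognisably an OpenID 2.0 indirect response (the OP's HTML FORM redirection, spec section 5.1.2.2), which by construction cannot carry the relying party's session-bound token, and leave the token check in force for everything else. The request struct, the /login path and all field values are constructed for the example; in a real Rails app the same condition belongs wherever verify_authenticity_token runs.

```ruby
require 'uri'
require 'securerandom'

OPENID2_NS = 'http://specs.openid.net/auth/2.0'.freeze
LOGIN_PATH = '/login'.freeze

# Stand-in for the framework's request object (constructed for this example).
# Both a browser-submitted login form and the OP's auto-submitted form arrive
# as application/x-www-form-urlencoded POST bodies.
Request = Struct.new(:http_method, :path, :body) do
  def params
    @params ||= URI.decode_www_form(body.to_s).to_h
  end
end

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# What verify_authenticity_token does in spirit: the submitted form must echo
# the token bound to the user's session.
def csrf_token_valid?(request, session_token)
  token = request.params['authenticity_token']
  return false if token.nil? || session_token.nil?
  secure_compare(token, session_token)
end

# An OpenID 2.0 indirect response delivered by HTML FORM redirection is
# recognisable by its namespace and mode fields. It can never carry the
# relying party's session-bound CSRF token, because the OP, not the relying
# party, built the form that is being submitted.
def openid_indirect_response?(request)
  p = request.params
  p['openid.ns'] == OPENID2_NS &&
    %w[id_res cancel setup_needed].include?(p['openid.mode'])
end

# Gate for POSTs to the login action. Only OpenID completions are exempt from
# the CSRF token; their authenticity must then come from the OpenID library
# checking openid.sig and return_to (ruby-openid's Consumer#complete), not
# from anything in this function.
def accept_login_post?(request, session_token)
  return :rejected unless request.http_method == 'POST' && request.path == LOGIN_PATH
  return :openid_complete if openid_indirect_response?(request)
  csrf_token_valid?(request, session_token) ? :csrf_ok : :rejected
end

# Three constructed requests: the OP's form POST, the site's own login form
# with a valid token, and a cross-site forgery carrying neither.
def demo
  session_token = SecureRandom.hex(16)
  op_post = Request.new('POST', LOGIN_PATH, URI.encode_www_form(
    'openid.ns' => OPENID2_NS, 'openid.mode' => 'id_res',
    'openid.return_to' => 'http://redmine.example/login?open_id_complete=1',
    'openid.assoc_handle' => 'example-handle', 'openid.sig' => 'c2lnbmF0dXJl'))
  form_post = Request.new('POST', LOGIN_PATH, URI.encode_www_form(
    'username' => 'alice', 'password' => 'example', 'authenticity_token' => session_token))
  forged_post = Request.new('POST', LOGIN_PATH, URI.encode_www_form(
    'username' => 'alice', 'password' => 'example'))
  [op_post, form_post, forged_post].map { |r| accept_login_post?(r, session_token) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the exemption being this narrow is that the only POSTs that bypass the token are ones the OpenID library will itself refuse unless the signature verifies against the association and the return_to matches; a plain forged login POST still needs the token.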

#8 Updated by Antoine Beaupré over 7 years ago

I notice also that the openid wrapper used by redmine hasn't been updated in years while there has been upstream releases:

https://github.com/Velir/open_id_authentication

... that should probably be the first step in fixing that problem.

#9 Updated by Antoine Beaupré over 7 years ago

Alright, I confirm the fix works. I needed to fix both the Redmine and Drupal sides, as Redmine was refusing the login, not only because of the missing ticket, but also because Drupal was sending too much stuff.

I had to enable more debugging, otherwise Redmine would just send a blank page when the openid login would fail, without any explanation. I also had to pass down the errors from the ruby library... So the attached patch fixes all this.

#10 Updated by Anonymous about 7 years ago

This isn't quite perfect -- logging in with OpenID always redirects the user to the front page, no matter where you started.

#11 Updated by Antoine Beaupré about 6 years ago

  • Status changed from New to Resolved

this seems to be fine without the patch in redmine 1.4.4.

#12 Updated by Mischa The Evil about 6 years ago

Antoine Beaupré wrote:

this seems to be fine without the patch in redmine 1.4.4.

I've done some quick lookup of openid related revisions on Redmine 1.4.x but couldn't find any which should be able to solve this issue...

OTOH: on Redmine 2.x the included openid wrapper has been updated to https://github.com/Velir/open_id_authentication/tree/8b97cd2e9e3bbe1650ea526b6be3555b159f5ad4 and several other fixes have been applied. Though, some other issues (#3780 & #11778) still seem to exist.

#13 Updated by Anonymous about 6 years ago

I wonder how this relates to the openid-fix plugin? http://projects.andriylesyuk.com/projects/openid-fix

#14 Updated by Anonymous about 6 years ago

Also see issue #11778
