Project

General

Profile

Actions

Defect #8399

closed

openid logins not working with 2.0 redirects

Added by Antoine Beaupré almost 13 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
OpenID
Target version:
-
Start date:
2011-05-18
Due date:
% Done:

100%

Estimated time:
Resolution:
Wont fix
Affected version:

Description

I am the maintainer of the Drupal.org OpenID Provider module. We are having interoperability problems when using POST redirections to login through openid on redmine sites.

We want to use POST redirections because it's part of the OpenID 2.0 standard spec and fixes interoperability problems with stackoverflow and dotnetauth relying parties.

The patch is here:

http://drupal.org/node/831162

I also filed this issue in the ruby library bugtracker:

https://github.com/openid/ruby-openid/issues/19

We're running the Debian backport on Lenny, with the 2.1.8 ruby library.

Thanks for any feedback


Files

8399_redmine_fix_openid.patch (1.59 KB) 8399_redmine_fix_openid.patch Antoine Beaupré, 2012-01-28 21:59

Related issues

Related to Redmine - Defect #11778: openid : Fields not taken when logged in using Google account. Redmine 2.0.3Closed

Actions
Actions #1

Updated by Antoine Beaupré almost 13 years ago

Oh, and note that redmine doesn't give any useful error message. We just get redirected to a blank login page with the URL:

http://redmine.koumbit.net/login?_method=post&open_id_complete=1

Quite odd.

Actions #2

Updated by Etienne Massip almost 13 years ago

Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :

redirect_to(open_id_redirect_url(open_id_request, return_to, method))

to :

redirect_to(open_id_redirect_url(open_id_request, return_to, method), :status => 307)

?

(requires to restart Redmine)

Actions #3

Updated by Antoine Beaupré over 12 years ago

Etienne Massip wrote:

Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :

A bit better, but still fails, now I get:

Invalid form authenticity token.

Note that the URL is the same.

Actions #4

Updated by Jeffrey Jones over 12 years ago

Looks like the controller that open_id_redirect_url points to just needs to skip the checking of the authenticity token for that action since there is no point in this case.

Actions #5

Updated by Etienne Massip over 12 years ago

  • Category changed from Accounts / authentication to OpenID
Actions #6

Updated by Antoine Beaupré about 12 years ago

Jeffrey Lee Jones: not sure how that could be done. Any ideas?

This is still broken. From what I can tell, Redmine needs a HTTP redirect, which is a 1.0 protocol, while it's actually implementing the 2.0 protocol.

So right now, I am making the decision of breaking the OpenID logins on redmine from Drupal, in favor of Stackoverflow and other standard implementations.

I would really appreciate feedback on how this could be fixed in Redmine, or in Drupal's openid_provider, if you guys think it's broken. As things stand, I believe the problem really is redmine.

Actions #7

Updated by Antoine Beaupré about 12 years ago

I figured out how to disable the token check. You need to add

  skip_before_filter :verify_authenticity_token

in the AccountController. Unforatunately, this disables CSRF attack protection on an important form. Furthermore, it still doesn't work: with this we just go back to the form, unmodified.

Actions #8

Updated by Antoine Beaupré about 12 years ago

I notice also that the openid wrapper used by redmine hasn't been updated in years while there has been upstream releases:

https://github.com/Velir/open_id_authentication

... that should probably the first step in fixing that problem.

Actions #9

Updated by Antoine Beaupré about 12 years ago

Alright, I confirm the fix works. I needed to fix both the Redmine and Drupal sides, as Redmine was refusing the login, not only because of the missing ticket, but also because Drupal was sending too much stuff.

I had to enable more debugging, otherwise Redmine would just send a blank page when the openid login would fail, without any explanation. I also had to pass down the errors from the ruby library... So the attached patch fixes all this.

Actions #10

Updated by Anonymous almost 12 years ago

This isn't quite perfect -- logging in with OpenID always redirects the user to the front page, no matter where you started.

Actions #11

Updated by Antoine Beaupré about 11 years ago

  • Status changed from New to Resolved

this seems to be fine without the patch in redmine 1.4.4.

Actions #12

Updated by Mischa The Evil about 11 years ago

Antoine Beaupré wrote:

this seems to be fine without the patch in redmine 1.4.4.

I've did some quick lookup of openid related revisions on Redmine 1.4.x but couln't find any which should be able to solve this issue...

OTOH: on Redmine 2.x the included openid wrapper has been updated to https://github.com/Velir/open_id_authentication/tree/8b97cd2e9e3bbe1650ea526b6be3555b159f5ad4 and several other fixes has been applied. Though, some other issues (#3780 & #11778) still seem to exist.

Actions #13

Updated by Anonymous about 11 years ago

I wonder how this related to the openid-fix plugin? http://projects.andriylesyuk.com/projects/openid-fix

Actions #14

Updated by Anonymous about 11 years ago

Also see issue #11778

Actions #15

Updated by Go MAEDA over 2 years ago

  • Status changed from Resolved to Closed
  • Resolution set to Wont fix

The OpenID support has been dropped by #35755 for the upcoming Redmine 5.0.0.

Actions

Also available in: Atom PDF