Opened 10 years ago

Last modified 6 years ago

#2138 assigned Bug/Something is broken

Open ID login for support.mayfirst.org does not work with Yahoo

Reported by: https://id.mayfirst.org/jamie Owned by: https://id.mayfirst.org/dkg
Priority: Medium Component: Tech
Keywords: moses.mayfirst.org openid mod_auth_openid Cc:
Sensitive: no

Description

Yahoo seems to support a new feature in OpenID 2.0 which allows you to log in to an OpenID consumer by simply typing "yahoo.com" in the login box (rather than your full openid).

This seems to work when I try it with LiveJournal, however, it fails on support.mayfirst.org with the error:

Your identity provider could not be found or is down at the moment (no_idp_found)

I think that's because libapache2-mod-auth-openid (which handles the openid consumer process) doesn't support openid 2.0. It also might be because our custom login page doesn't support it.

This is all very closely related to #2137 and might get fixed when that issue is fixed because we will be able to pull in a new version of libapache2-mod-auth-openid.

Change History (12)

comment:1 Changed 10 years ago by https://id.mayfirst.org/dkg

  • Keywords trac removed

I can work on this after moses is upgraded.

comment:2 Changed 10 years ago by https://id.mayfirst.org/jamie

Thanks!!

jamie

comment:3 Changed 9 years ago by https://id.mayfirst.org/jamie

Thanks to the work on #2137 we've made serious progress on this issue!

I just tested with my jamiemcclown@yahoo.com address - and I no longer get the same error. In fact, I'm properly redirected to Yahoo, I log in, and I'm properly redirected to our support site, all logged in and everything.

The only problem... Trac identifies my username as "http://yahoo.com" :(. Bleh. I'm not sure if the failure is with mod_auth_openid or with trac - but I presume it's with mod_auth_openid, but maybe we should work on the trac upgrade next (since we have to do that anyway) and see if the problem persists.

jamie

comment:4 Changed 9 years ago by http://yahoo.com/

Here's my demonstration post as the http://yahoo.com/ user.

jamie

comment:5 Changed 9 years ago by https://id.mayfirst.org/dkg

  • Keywords mod_auth_openid added

I'm pretty sure this is unrelated to the trac situation, because trac simply accepts the name handed to it by apache's authentication module. There is no need to wait for a trac upgrade on this site (or any other) in order to try to resolve this issue with mod_auth_openid.

Last edited 6 years ago by https://id.mayfirst.org/dkg

comment:6 Changed 9 years ago by https://id.mayfirst.org/jamie

Hi dkg,

Thanks dkg for the report back. I realize that the problem could also be something going wrong with our custom login page for libapache2_mod_auth_openid... I'll have to test with the default page provided by the module and see if the problem persists and if so perhaps open a bug against libapache2_mod_auth_openid.

jamie

comment:7 Changed 9 years ago by https://id.mayfirst.org/jamie

I think this is a bug with libapache2_mod_auth_openid (or Yahoo).

I tried to test on my local laptop, however, when logging in with an MFPL openid it worked, but logging in with a Yahoo openid I was simply returned to the openid login prompt after having successfully authenticated with Yahoo.

I figured that was because my laptop does not present a route-able domain name. My understanding is that it's not required but...

I tested as well on support.mayfirst.org with a special directory that uses the default libapache2_mod_auth_openid login page. Upon authentication, I simply dumped the php $_SERVER variable which produced this output:

Protected directory.
SCRIPT_URL: /debug/index.php
SCRIPT_URI: https://support.mayfirst.org/debug/index.php
HTTPS: on
HTTP_HOST: support.mayfirst.org
HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009030814 Iceweasel/3.0.9 (Debian-3.0.9-1)
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE: en-us
HTTP_ACCEPT_ENCODING: gzip,deflate
HTTP_ACCEPT_CHARSET: UTF-8,*
HTTP_KEEP_ALIVE: 300
HTTP_CONNECTION: keep-alive
HTTP_REFERER: https://open.login.yahoo.com/openid/op/start?z=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
HTTP_COOKIE: open_id_session_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; __unam=xxxxxxx-xxxxxxx-xxxxxxxx-x; trac_form_token=xxxxxxxxx; SESS8xxxxxxxxxxxxxxxxxx=xxxxxxxxxxxxxxx; trac_auth=xxxxxxxxxxxxxxxxxxxxxxxxxx
PATH: /usr/local/bin:/usr/bin:/bin
SERVER_SIGNATURE:
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g Server at support.mayfirst.org Port 443

SERVER_SOFTWARE: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
SERVER_NAME: support.mayfirst.org
SERVER_ADDR: 209.51.180.27
SERVER_PORT: 443
REMOTE_ADDR: 74.64.11.156
DOCUMENT_ROOT: /srv/empty
SERVER_ADMIN: [no address given]
SCRIPT_FILENAME: /srv/debug/index.php
REMOTE_PORT: 44648
REMOTE_USER: http://yahoo.com/
GATEWAY_INTERFACE: CGI/1.1
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
QUERY_STRING:
REQUEST_URI: /debug/index.php
SCRIPT_NAME: /debug/index.php
PHP_SELF: /debug/index.php
REQUEST_TIME: 1246544640
argv: Array
argc: 0

The REMOTE_USER is, I presume, what libapache2_mod_auth_openid presents to the underlying application, right? In which case, it seems to be providing the wrong one :(.

jamie
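The REMOTE_USER value in the dump above is the identifier typed into the login box, not an identifier for one person, so every user who logs in that way would share one username. The following added example (not code from mod_auth_openid or from this ticket) shows how an OpenID 2.0 relying party would instead take the username from `openid.claimed_id` in the positive assertion and confirm the provider is authoritative for it. The `op.example`, `rp.example` and `victim.example` names, the `DISCOVERY` table and the `discover_endpoint` callback are constructed for illustration; signature and nonce verification are assumed to have passed already.

```python
from urllib.parse import parse_qs, urlsplit, urldefrag, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"

def remote_user(return_to_url, discover_endpoint):
    """Pick the identifier to expose as REMOTE_USER from a positive assertion.

    discover_endpoint is a hypothetical callback that runs discovery on a
    claimed identifier and returns its OP endpoint URL (or None). Signature
    and nonce checks are assumed to have been done by the caller.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(return_to_url).query).items()}
    if q.get("openid.ns") != OPENID2_NS or q.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    claimed = q.get("openid.claimed_id", "")
    if not claimed or claimed == IDENTIFIER_SELECT:
        raise ValueError("assertion carries no claimed identifier")
    # The provider chose this identifier, so the relying party must confirm
    # (by discovery on the fragment-less URL) that this provider may assert it.
    if discover_endpoint(urldefrag(claimed)[0]) != q.get("openid.op_endpoint"):
        raise ValueError("OP endpoint is not authoritative for claimed_id")
    return claimed

# Constructed discovery results: claimed identifier -> OP endpoint.
DISCOVERY = {
    "https://op.example/id/alice": "https://op.example/endpoint",
    "https://op.example/id/bob": "https://op.example/endpoint",
    "https://victim.example/": "https://other-op.example/endpoint",
}

def sample_assertion(claimed_id):
    """Build a constructed return_to URL as sent back by op.example."""
    return "https://rp.example/debug/index.php?" + urlencode({
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
    })

if __name__ == "__main__":
    for who in ("alice", "bob"):
        url = sample_assertion("https://op.example/id/" + who)
        print(remote_user(url, DISCOVERY.get))
```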

comment:8 Changed 7 years ago by https://id.mayfirst.org/abh

Looking for insights on https://support.mayfirst.org/ticket/4727 I stumbled upon this:

http://meta.stackoverflow.com/questions/51940/unable-to-log-in-with-your-openid-provider-no-openid-endpoint-found

which suggests that there are (were) known problems with Yahoo in particular.

comment:9 Changed 7 years ago by https://id.mayfirst.org/dkg

ekes apparently also cannot log in here with his openID. he wrote me the following details:

My open_id is clamshell, it's running on https://id.iskra.net/ It was working like way back https://support.mayfirst.org/ticket/961 where i am http://id.iskra.net/ekes But now it's "Your identity provider could not be found or is down at the moment (no_idp_found)."

comment:10 Changed 6 years ago by https://id.mayfirst.org/ross

  • Status changed from new to assigned

comment:11 follow-up: Changed 6 years ago by https://id.mayfirst.org/dkg

Despite the recent upgrades of mod_auth_openid, i still get the following when i put "yahoo.com" into the lower box on the login page:

Your identity provider could not be found or is down at the moment (no_idp_found).

And when i put in https://id.iskra.net/ekes or http://id.iskra.net/ekes as the OpenID URL, i get the same thing.

I note that id.iskra.net has a transvalid X.509 certificate (no intermediate CA certs are sent during the TLS handshake), so that might be one reason for the failure of https://id.iskra.net/ekes. And http://id.iskra.net/ekes just provides an HTTP 302 redirect to the HTTPS version.

I note that when i try to connect to id.mayfirst.org, i see the following in the headers:

X-XRDS-Location: https://id.mayfirst.org/user/10/xrds
X-Yadis-Location: https://id.mayfirst.org/user/10/xrds

and this in the <head>:

<link rel="openid2.provider" href="https://id.mayfirst.org/openid/provider" />
<link rel="openid.server" href="https://id.mayfirst.org/openid/provider" />

I see nothing of either kind when i try to fetch from http://www.yahoo.com/. it might be worth re-reading the OpenID spec to see if there is a good argument that Yahoo is failing to live up to the provider side of the spec.
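The discovery signals compared in the comment above can be checked mechanically. This added example (not part of the ticket, and not mod_auth_openid's code) classifies a fetched response by the order a relying party would try: a response that is itself an XRDS document (the Yadis protocol allows this when the client asks for `application/xrds+xml`), the `X-XRDS-Location` header, a `<meta http-equiv>` equivalent, then the HTML `<link>` elements. The id.mayfirst.org header and links are the ones quoted above; the empty page is constructed, and `no_idp_found` is borrowed from the error message only as a label.

```python
from html.parser import HTMLParser

XRDS_TYPE = "application/xrds+xml"

class HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> and the X-XRDS-Location <meta>."""
    def __init__(self):
        super().__init__()
        self.links = {}        # rel token -> first href seen
        self.meta_xrds = None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "href" in a:
            for rel in a.get("rel", "").lower().split():
                self.links.setdefault(rel, a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.meta_xrds = a.get("content")

def discover(headers, body):
    """Return (method, url) for the first discovery signal found."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype == XRDS_TYPE:
        return ("xrds-document", None)   # body itself is the XRDS document
    if "x-xrds-location" in h:
        return ("yadis-header", h["x-xrds-location"])
    parser = HeadLinks()
    parser.feed(body)
    if parser.meta_xrds:
        return ("yadis-meta", parser.meta_xrds)
    if "openid2.provider" in parser.links:
        return ("html-openid2", parser.links["openid2.provider"])
    if "openid.server" in parser.links:
        return ("html-openid1", parser.links["openid.server"])
    return ("no_idp_found", None)

# Values quoted in the comment above for id.mayfirst.org.
MAYFIRST_HEADERS = {"X-XRDS-Location": "https://id.mayfirst.org/user/10/xrds"}
MAYFIRST_HEAD = (
    '<head><link rel="openid2.provider" href="https://id.mayfirst.org/openid/provider" />'
    '<link rel="openid.server" href="https://id.mayfirst.org/openid/provider" /></head>'
)
# Constructed page carrying no discovery signal at all.
EMPTY_PAGE = "<html><head><title>portal</title></head><body></body></html>"

if __name__ == "__main__":
    print(discover(MAYFIRST_HEADERS, MAYFIRST_HEAD))
    print(discover({"Content-Type": "text/html"}, EMPTY_PAGE))
```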

comment:12 in reply to: ↑ 11 Changed 6 years ago by https://id.mayfirst.org/dkg

Replying to https://id.mayfirst.org/dkg:

I note that id.iskra.net has a transvalid X.509 certificate (no intermediate CA certs are sent during the TLS handshake), so that might be one reason for the failure of https://id.iskra.net/ekes. And http://id.iskra.net/ekes just provides an HTTP 302 redirect to the HTTPS version.

I've written ekes and posted to http://iskra.net/contact about this, so maybe that will get fixed.
