Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Unless I'm mistaken, the security fix at http://drupal.org/node/1425084 (for the OpenID client in Drupal core) means that the OpenID Provider module is not signing the correct keys for a Drupal client to actually be able to use things like the username and email address from the OpenID response. The effect is that if you have a Drupal site talking to a Drupal site via OpenID, the login/etc won't work at all.
The attached patch adds 'sreg.nickname' and 'sreg.email' to the hardcoded list of signed keys, thereby allowing it to work with Drupal clients again. Does that look like the correct approach? (I'm not an OpenID expert at all.)
I'm not sure if it's correct to add other keys here too, or to leave it up to other modules to deal with that themselves in hook_openid_provider() (for example, there may need to be a corresponding issue filed with http://drupal.org/project/openid_provider_ax). But 'sreg.nickname' and 'sreg.email' are the ones that OpenID Provider adds itself in openid_provider_authentication_response(), so it seemed to make sense that it should sign those.
The patch should work for both Drupal 6 and Drupal 7.
| Comment | File | Size | Author |
|---|---|---|---|
| openid-provider-sign-sreg.patch | 741 bytes | David_Rothstein |
Comments
Comment #1
bsevere CreditAttribution: bsevere commentedWe are using version 6.x-1.0-beta1 (yea, I know we need to upgrade) and we ran into problems after the 6.24 core update. It is not the logins that are affected but the user registrations. The change in core will assign NULL values to the sreg.email and sreg.nickname variables and redirect the user to user/login (endless loop between OP and RP).
I used the same code in the proposed patch above to solve our issue. I will not set the status to RTBC as I cannot test the dev version as of yet. However, I do believe this is the correct fix!
Comment #2
anarcat CreditAttribution: anarcat commentedI am happy to hear that! I'll try to test this patch and apply it for the next release. In the meantime, if anyone wants to confirm it works on 1.0-rc2, please mark RTBC!
Comment #3
anarcat CreditAttribution: anarcat commentedpatch committed, you're absolutely right, of course. thanks!