Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Hi,
we have been experiencing that our users are not able to login to some websites: eg. stackoverflow.com
they are using dotnetopenid - http://www.dotnetopenauth.net
the error response is saying:
Unable to log in with your OpenID provider:
The following required non-empty parameters were empty in the DotNetOpenAuth.OpenId.Messages.PositiveAssertionResponse message: openid.assoc_handle
any hints?
thanks
Comment | File | Size | Author |
---|---|---|---|
#17 | openid_provider-stackoverflow_fix-831162-17.patch | 793 bytes | jwineinger |
#8 | 1158356_openiddotnet.patch | 803 bytes | anarcat |
Comments
Comment #1
stupiddingo CreditAttribution: stupiddingo commentedI can confirm the same behavior on StackOverflow and my websites using dotNetOpenAuth library.
I'll start looking at this today. Sign, have you had any luck with a solution?
Comment #2
sign CreditAttribution: sign commented@stupiddingo: actualy we had another issue with dotnetopenauth. As we had to make it to work with another .net website that implemented this. It was giving us error that the returned string is not base64 encoded.
In fact, it was sending the return_to twice, once in url and then in argument. So made a change to return only base url where it comes from and then pass all the needed vars through arguments.
I'll post more info, can't look now, sorry.
But this didn't fix the stackoverflow issue.
Comment #3
stupiddingo CreditAttribution: stupiddingo commented@sign, thanks for the quick response.
I did some research and was able to determine the error I was receiving with dotnetopenauth interacting with the drupal openid provider was due to the passed return_to url containing a querystring. The drupal openid provider was then appending this querystring parameter (dnoa.userSuppliedIdentifier) twice in the response. This caused it to fail validation by dotnetopenauth after successfully authenticating on the drupal end.
By commenting out both sections of openid_provider.inc that included parse_url and appended the querystring elements I was able to get dotnetopenauth to work with drupal openid provider (lines 126-133 & 329-330). It isn't elegant, but it works. New to drupal and PHP, but it seems that the calls to array_merge() should be removing the duplicate querystring elements, but they seem to not be doing so.
Unfortunately, though my hack works with the most recent release of dotnetopenauth (3.4.4) and other openid consumers it doesn't fix stackoverflow's older version of dotnetopenauth. I'll look for something more elegant.
Here's an example of the querystring returned by the openid provider module:
Comment #4
anarcat CreditAttribution: anarcat commentedCould you provide a patch?
I marked #1002134: Cannot login on stackoverflow.net as a duplicate of this bug.
To repeat myself:
But since you have been able to fix this without fixing that problem, maybe that's not the issue...
Comment #5
anarcat CreditAttribution: anarcat commentedI rolled out a patch in #1158356: can't login to ikiwiki.info (perl's Net-OpenID-Consumer?), can you test it?
Comment #6
DamienMcKennaSub.
Comment #7
anarcat CreditAttribution: anarcat commentedI confirm this is still failing after the patch, so that's not the fix.
This is the error I am getting:
Comment #8
anarcat CreditAttribution: anarcat commentedI got this to work.
First, you need the patch in #1158356: can't login to ikiwiki.info (perl's Net-OpenID-Consumer?), which gets us a bit further, without it I see:
So that part is fixed.
I was able to get it working by using the right redirection function!!! Patch attached... We'll run this in production for a while to see if it's good then we'll merge. Please test!
Comment #9
anarcat CreditAttribution: anarcat commentedThis breaks login on redmine, which uses the ruby-openid library, which is really Janrain's so we should consider this to be a bad fix.
Comment #10
anarcat CreditAttribution: anarcat commentedSo from what I see here, the response generated by the OP is exactly the same before and after the patch. The *only* difference is the way the response is generated. It looks like redmine doesn't like requests sent through _POST...
So let me get this straight: in order to fix interop with janrain's DotNet implementation, we break ruby's? something is clearly wrong here...
I'm running ruby-openid-2.1.2debian-1
Comment #11
anarcat CreditAttribution: anarcat commentedI reported this issue against the ruby library, because I feel the problem is there:
https://github.com/openid/ruby-openid/issues/19
I also filed a bug against redmine itself:
http://www.redmine.org/issues/8399
Let's wait and see where this goes.
Comment #12
anarcat CreditAttribution: anarcat commentedPeople responded on the redmine side with a hotfix, which I tried, and which fails still. Kind of frustrating...
Comment #13
nkinkade CreditAttribution: nkinkade commentedJust bumping this issue to see if anyone may have found any solutions. I have tried applying the prescribed patches listed above in the thread, but to no effect. Like @anarcat, after the patch the error just changes to "The openid.return_to parameter [...]". I played around a bit in the code to see if I could get the openid.return_to parameter to some acceptable value for stackoverflow.com, but found that it didn't appear possible without trying to manually construct it, and it wasn't even clear to me where they got their open.return_to parameter, as if their OpenID installation is somehow broken or not reporting the right error.
If anyone has any solutions, then definitely it would be helpful if they posted it back to this thread.
Comment #14
anarcat CreditAttribution: anarcat commentedhave you tried the patch in #8? It worked for me, but broke logins on redmine sites. I came to think that the fault was with redmine, not with us so I may apply this patch in the end, if this custom redmine module fixes the openid authentication in the end, see:
http://projects.andriylesyuk.com/projects/openid-fix
http://www.redmine.org/issues/3780
http://www.redmine.org/issues/5966
Comment #15
jwineinger CreditAttribution: jwineinger commentedI'm testing the D7 port so #8 patch didn't apply cleanly. It was just a one line change so I did it manually.
That patch does allow me to successfully login to stackoverflow, which I previously could not do.
That patch doesn't however, fix my inability to login to slashdot with openid. I receive this error on the redirect back to slashdot: "Unable to verify with http://specs.openid.net/auth/2.0/identifier_select."
Comment #16
anarcat CreditAttribution: anarcat commentedCool!
Could you provide an updated patch for D7? Once that's done, please RTBC this patch. :)
I would like to consider slashdot's problem to be seperate if you don't mind. As you saw, openid implementations vary wildly around, and since we have a fix for dotnetopenid, let's focus on that here. Please open a seperate issue for slashdot. Talking with the slashdot people to see what implementation they are using could also be useful.
Comment #17
jwineinger CreditAttribution: jwineinger commentedHere's a new patch which applies to the D7 port of openid_provider. I've tested it and it does allow me to login to stackoverflow via my drupal site.
Comment #18
anarcat CreditAttribution: anarcat commentedGive up on redmine and fix logins on stackoverflow, which seems to be following the standards, while redmine seems to need a 1.0 redirect while it is asking for a 2.0 protocol.
This fix is shipped in 6.x-1.0-beta5 and 7.x-1.0-beta2.