Comments (18)
I can confirm the same error. Traced it to the same Google Group message...
Okay, I'm certain this patch demonstrates a gross misunderstanding of the OpenID specifications, but it's a fix (for me, at least):
(Additional update: kendagriff@79beaa4)
Let me know if this is worthy of a pull request (somehow I doubt it).
Thanks for this @kendagriff! Your patch is working for us at https://rapportive.com/ :D. I've emailed our contact at Google to see if they know what's causing this, will let you know if I get a shareable response.
Thanks for the patch @kendagriff..
Hey @kendagriff. Thanks for the patch!
We ran into this change as well, and after a lot of trying to figure out what was going on (especially with the unfortunately small amount of detail on the google group), it seems that an association is determined during "step 1" of going through OpenID (i.e. building the request to send to google), and if one is found, its handle is included in the URL. Having this association handle in the URL is what causes Google to return invalid.
I'm not sure if @kendagriff's patch will cause problems for any other OpenID providers, and possibly will make the OpenID store completely useless? I'm not exactly sure how that part works.
Anyways, before I saw this issue, this was the monkey patch I wrote, which is limited to OpenID requests for google:
module OpenID
  class Consumer
    class AssociationManager
      def get_association_with_skip_for_google
        # Google no longer wants the assoc_handle parameter when authenticating by OpenID, and passing it in causes
        # it to always respond that the request is invalid. To get around this, if we're using google, just don't
        # collect/create an association, so no handle will be used in the request.
        # See: https://groups.google.com/forum/#!topic/google-federated-login-api/qXZDD7_K7jU
        return nil if @server_url == "https://www.google.com/accounts/o8/ud"
        get_association_without_skip_for_google
      end
      # alias_method_chain comes from ActiveSupport (Rails); it wraps the original get_association.
      alias_method_chain :get_association, :skip_for_google
    end
  end
end
I'm not really sure how to determine in a universal way if the assoc_handle is desired or not.
@kendagriff's patch is working for us, in production. We currently use OpenID exclusively for Google sign on so I'm not sure whether the patch affects other OpenID providers, as @dvandersluis suggested. Hopefully enough folks can try this out over the next few days to get a solid patch integrated into this gem ASAP.
Thanks @dvandersluis and @kendagriff! I'm using @dvandersluis's monkey patch in production for now, at least until there is clarity about how other openid providers expect this to be handled. Thanks again!
Thanks @kendagriff, working for us at http://www.piesync.com. Cost me quite some time to figure out this was the issue...
Thanks again! See what Google comes up with now ...
@dvandersluis as best I can tell, yesterday's Google change is limited to OpenID 2 requests in stateless mode - that is, requests that by definition shouldn't be using a store. For stateful mode, the whole point is to avoid having the RP (you and me) make an extra server-side request to the OP (Google) to validate the assertion. That's probably the proper universal way.
We (Heroku) are using @kendagriff's patch in a couple places internally, though not in prod. We've so far limited our deployment to just apps that were set up in stateless mode initially. Our ruby-openid using apps that are doing stateful OpenID (as a dependency from OmniAuth or Warden) weren't impacted by Google's change.
Can the contributors chime in? IMO, Google is a sufficiently important OpenID provider – and given that they appear to implement the specification correctly – that ruby-openid should support OpenID2 requests out of the box – i.e. without a monkey patch.
Or, perhaps ruby-openid could support "compatibility" mode for providers who require the association?
@dennisreimann could you comment on this one?
Update on using the patch posted by @dvandersluis:
I realized today that I needed to add a check for https://www.google.com/accounts/o8/site-xrds to fix our Google Apps OpenID Login.
So:
module OpenID
  class Consumer
    class AssociationManager
      def get_association_with_skip_for_google
        # Google no longer wants the assoc_handle parameter when authenticating by OpenID, and passing it in causes
        # it to always respond that the request is invalid. To get around this, if we're using google, just don't
        # collect/create an association, so no handle will be used in the request.
        # See: https://groups.google.com/forum/#!topic/google-federated-login-api/qXZDD7_K7jU
        return nil if @server_url == "https://www.google.com/accounts/o8/ud"
        # Google Apps discovery uses the site-xrds endpoint (with a query string), so match on the prefix.
        # String#start_with? is plain Ruby; ActiveSupport's starts_with? is only an alias for it.
        return nil if @server_url && @server_url.start_with?("https://www.google.com/accounts/o8/site-xrds")
        get_association_without_skip_for_google
      end
      # alias_method_chain comes from ActiveSupport (Rails); it wraps the original get_association.
      alias_method_chain :get_association, :skip_for_google
    end
  end
end
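The two monkey patches above, and @kendagriff's explanation of stateful versus stateless requests, can be shown together in plain Ruby. The following is an added example written for this page; it is not ruby-openid's code and not code posted by anyone in the thread. `AssociationManager` and `Association` here are constructed stand-ins for the gem's `OpenID::Consumer::AssociationManager` and `OpenID::Association` (the real manager negotiates the association with the OP and caches it in the store; the stub hands one back for every endpoint so the skip is visible). `checkid_setup_params` and `stateless?` are hypothetical helpers that model only the part of request-building that matters here: whether `openid.assoc_handle` ends up on the redirect. The override uses `Module#prepend` (Ruby 2.0+) in place of ActiveSupport's `alias_method_chain`, which is the only substantive difference from the patches in the thread.

```ruby
# Added example, not ruby-openid's code. Models the "skip the association for
# Google" fix from this thread and the stateful/stateless distinction it relies on.

GOOGLE_OP_ENDPOINT = "https://www.google.com/accounts/o8/ud"
GOOGLE_APPS_XRDS_PREFIX = "https://www.google.com/accounts/o8/site-xrds"

# Constructed stand-in for OpenID::Association: only the handle matters here.
Association = Struct.new(:handle)

# Constructed stand-in for OpenID::Consumer::AssociationManager. The real one
# negotiates a shared secret with the OP and stores it; this stub pretends every
# endpoint returns an association so the Google skip is observable.
class AssociationManager
  attr_reader :server_url

  def initialize(server_url)
    @server_url = server_url
  end

  def get_association
    Association.new("stub-handle-for-#{server_url}")
  end
end

# The fix from the thread, expressed with Module#prepend instead of
# alias_method_chain (which needs ActiveSupport). `super` reaches the original
# get_association, so non-Google providers keep their stateful behaviour.
module SkipGoogleAssociation
  def get_association
    return nil if google_endpoint?(server_url)
    super
  end

  private

  # Matches Google's OP endpoint exactly and the Google Apps site-xrds endpoint
  # by prefix, since the latter carries a query string (the hosted domain).
  def google_endpoint?(url)
    return false if url.nil?
    url == GOOGLE_OP_ENDPOINT || url.start_with?(GOOGLE_APPS_XRDS_PREFIX)
  end
end

AssociationManager.prepend(SkipGoogleAssociation)

# Hypothetical helper: the parameters an RP puts on its redirect to the OP for an
# OpenID 2.0 checkid_setup request. An association makes the request stateful:
# its handle is sent as openid.assoc_handle and the OP signs the response with the
# shared secret. Without one the request is stateless, and the RP must later
# verify the positive assertion with a check_authentication call to the OP.
def checkid_setup_params(server_url, return_to)
  assoc = AssociationManager.new(server_url).get_association
  params = {
    "openid.ns" => "http://specs.openid.net/auth/2.0",
    "openid.mode" => "checkid_setup",
    "openid.claimed_id" => "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.identity" => "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.return_to" => return_to,
  }
  params["openid.assoc_handle"] = assoc.handle if assoc
  params
end

# Hypothetical helper: a request with no assoc_handle is a stateless-mode request.
def stateless?(params)
  !params.key?("openid.assoc_handle")
end

if __FILE__ == $PROGRAM_NAME
  [GOOGLE_OP_ENDPOINT,
   "#{GOOGLE_APPS_XRDS_PREFIX}?hd=example.com",
   "https://openid.example.org/server"].each do |op|
    p = checkid_setup_params(op, "https://rp.example/openid/return")
    puts "#{op}: #{stateless?(p) ? 'stateless' : 'stateful (' + p['openid.assoc_handle'] + ')'}"
  end
end
```

The practical consequence for anyone adopting the patch: every Google login becomes a stateless request, so the RP's OpenID store is bypassed for Google and each successful assertion costs one extra server-side `check_authentication` round trip to Google. Other providers are untouched because `super` still runs for them, which is the behaviour @dvandersluis was unsure about.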
This bit us too. Can this get reviewed/merged ASAP? Though, this monkey patch from cortfr worked for us instead of pegging the ruby-openid version.
I can confirm @cortfr's monkey patch also works for us, thanks!
So this patch has not been merged to the latest version of the gem?
I finally found the time to fix the tests and merge this and other pull requests.
Please try v2.3.0 which was just released and see if it works in production :)