Defect #8399
Closed
openid logins not working with 2.0 redirects
100%
Description
I am the maintainer of the Drupal.org OpenID Provider module. We are having interoperability problems when using POST redirections to login through openid on redmine sites.
We want to use POST redirections because it's part of the OpenID 2.0 standard spec and fixes interoperability problems with stackoverflow and dotnetauth relying parties.
The patch is here:
I also filed this issue in the ruby library bugtracker:
https://github.com/openid/ruby-openid/issues/19
We're running the Debian backport on Lenny, with the 2.1.8 ruby library.
Thanks for any feedback
Updated by Antoine Beaupré over 13 years ago
Oh, and note that redmine doesn't give any useful error message. We just get redirected to a blank login page with the URL:
http://redmine.koumbit.net/login?_method=post&open_id_complete=1
Quite odd.
Updated by Etienne Massip over 13 years ago
Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :
redirect_to(open_id_redirect_url(open_id_request, return_to, method))
to :
redirect_to(open_id_redirect_url(open_id_request, return_to, method), :status => 307)
?
(requires restarting Redmine)
Updated by Antoine Beaupré over 13 years ago
Etienne Massip wrote:
Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :
A bit better, but still fails, now I get:
Invalid form authenticity token.
Note that the URL is the same.
Updated by Jeffrey Jones over 13 years ago
Looks like the controller that open_id_redirect_url points to just needs to skip the checking of the authenticity token for that action since there is no point in this case.
Updated by Etienne Massip over 13 years ago
- Category changed from Accounts / authentication to OpenID
Updated by Antoine Beaupré almost 13 years ago
Jeffrey Lee Jones: not sure how that could be done. Any ideas?
This is still broken. From what I can tell, Redmine needs an HTTP redirect, which is a 1.0 protocol, while it's actually implementing the 2.0 protocol.
So right now, I am making the decision of breaking the OpenID logins on redmine from Drupal, in favor of Stackoverflow and other standard implementations.
I would really appreciate feedback on how this could be fixed in Redmine, or in Drupal's openid_provider, if you guys think it's broken. As things stand, I believe the problem really is redmine.
Updated by Antoine Beaupré almost 13 years ago
I figured out how to disable the token check. You need to add
skip_before_filter :verify_authenticity_token
in the AccountController. Unfortunately, this disables CSRF attack protection on an important form. Furthermore, it still doesn't work: with this we just go back to the form, unmodified.
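The trade-off in the comment above, as an added example that is not part of the original thread or of Redmine's code: a plain-Ruby model of a Rails-style authenticity-token filter, comparing the controller-wide skip with an exemption scoped to the OpenID completion POST. The `Request` struct, the policy names and the sample requests are constructed, and it assumes the exempted request is then verified by the OpenID library.

```ruby
# Added illustration: plain-Ruby model of a Rails-style authenticity-token
# filter. Request, the policy names and the sample requests are hypothetical.
Request = Struct.new(:verb, :action, :params, :session_token)

# Constant-time comparison of the session token and the submitted token.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def token_ok?(req)
  given = req.params['authenticity_token']
  !req.session_token.nil? && !given.nil? && secure_equal?(req.session_token, given)
end

# The provider's form POST lands on login?_method=post&open_id_complete=1 and
# carries openid.* fields but no token from the relying party's own forms.
def openid_completion?(req)
  req.verb == 'POST' && req.action == 'login' &&
    req.params['open_id_complete'] == '1' && req.params.key?('openid.mode')
end

# :strict          - every non-GET request needs a valid token
# :controller_skip - token check disabled for the whole controller
# :scoped          - only the OpenID completion POST is exempt; assumption: it
#                    is then verified by the OpenID library, not trusted as-is
def csrf_verdict(req, policy)
  return :allowed if req.verb == 'GET'
  return :allowed if policy == :controller_skip
  return :allowed_pending_openid_verification if policy == :scoped && openid_completion?(req)
  token_ok?(req) ? :allowed : :rejected
end

# Constructed sample requests.
OP_POST = Request.new('POST', 'login',
  { '_method' => 'post', 'open_id_complete' => '1', 'openid.mode' => 'id_res' }, 'tok123')
TOKENLESS_FORM = Request.new('POST', 'login',
  { 'username' => 'alice', 'password' => 'constructed' }, 'tok123')
OWN_FORM = Request.new('POST', 'login',
  { 'username' => 'alice', 'authenticity_token' => 'tok123' }, 'tok123')

if __FILE__ == $PROGRAM_NAME
  [:strict, :controller_skip, :scoped].each do |policy|
    verdicts = [OP_POST, TOKENLESS_FORM, OWN_FORM].map { |r| csrf_verdict(r, policy) }
    puts "#{policy}: #{verdicts.inspect}"
  end
end
```

Under `:scoped` the ordinary login form keeps its token check, while the provider's POST is passed on for signature, nonce and return_to verification instead of being rejected outright.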
Updated by Antoine Beaupré almost 13 years ago
I notice also that the openid wrapper used by redmine hasn't been updated in years while there have been upstream releases:
https://github.com/Velir/open_id_authentication
... that should probably be the first step in fixing that problem.
Updated by Antoine Beaupré almost 13 years ago
- File 8399_redmine_fix_openid.patch added
- % Done changed from 0 to 100
Alright, I confirm the fix works. I needed to fix both the Redmine and Drupal sides, as Redmine was refusing the login, not only because of the missing ticket, but also because Drupal was sending too much stuff.
I had to enable more debugging, otherwise Redmine would just send a blank page when the openid login would fail, without any explanation. I also had to pass down the errors from the ruby library... So the attached patch fixes all this.
Updated by Anonymous over 12 years ago
This isn't quite perfect -- logging in with OpenID always redirects the user to the front page, no matter where you started.
Updated by Antoine Beaupré almost 12 years ago
- Status changed from New to Resolved
this seems to be fine without the patch in redmine 1.4.4.
Updated by Mischa The Evil almost 12 years ago
Antoine Beaupré wrote:
this seems to be fine without the patch in redmine 1.4.4.
I did a quick lookup of openid related revisions on Redmine 1.4.x but couldn't find any which should be able to solve this issue...
OTOH: on Redmine 2.x the included openid wrapper has been updated to https://github.com/Velir/open_id_authentication/tree/8b97cd2e9e3bbe1650ea526b6be3555b159f5ad4 and several other fixes have been applied. Though, some other issues (#3780 & #11778) still seem to exist.
Updated by Anonymous almost 12 years ago
I wonder how this relates to the openid-fix plugin? http://projects.andriylesyuk.com/projects/openid-fix
Updated by Go MAEDA about 3 years ago
- Status changed from Resolved to Closed
- Resolution set to Wont fix
The OpenID support has been dropped by #35755 for the upcoming Redmine 5.0.0.