Redmine

Oh, and note that redmine doesn't give any useful error message. We just get redirected to a blank login page with the URL:

http://redmine.koumbit.net/login?_method=post&open_id_complete=1

Quite odd.

Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :

redirect_to(open_id_redirect_url(open_id_request, return_to, method))

to :

redirect_to(open_id_redirect_url(open_id_request, return_to, method), :status => 307)

?

(requires to restart Redmine)

Etienne Massip wrote:

Could you try to change source:trunk/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb#L146 from :

A bit better, but still fails, now I get:

Invalid form authenticity token.

Note that the URL is the same.

Looks like the controller that open_id_redirect_url points to just needs to skip the checking of the authenticity token for that action since there is no point in this case.

Jeffrey Lee Jones: not sure how that could be done. Any ideas?

This is still broken. From what I can tell, Redmine needs a HTTP redirect, which is a 1.0 protocol, while it's actually implementing the 2.0 protocol.

So right now, I am making the decision of breaking the OpenID logins on redmine from Drupal, in favor of Stackoverflow and other standard implementations.

I would really appreciate feedback on how this could be fixed in Redmine, or in Drupal's openid_provider, if you guys think it's broken. As things stand, I believe the problem really is redmine.

I figured out how to disable the token check. You need to add

  skip_before_filter :verify_authenticity_token

in the AccountController. Unforatunately, this disables CSRF attack protection on an important form. Furthermore, it still doesn't work: with this we just go back to the form, unmodified.

I notice also that the openid wrapper used by redmine hasn't been updated in years while there has been upstream releases:

https://github.com/Velir/open_id_authentication

... that should probably the first step in fixing that problem.

This isn't quite perfect -- logging in with OpenID always redirects the user to the front page, no matter where you started.

Antoine Beaupré wrote:

this seems to be fine without the patch in redmine 1.4.4.

I've did some quick lookup of openid related revisions on Redmine 1.4.x but couln't find any which should be able to solve this issue...

OTOH: on Redmine 2.x the included openid wrapper has been updated to https://github.com/Velir/open_id_authentication/tree/8b97cd2e9e3bbe1650ea526b6be3555b159f5ad4 and several other fixes has been applied. Though, some other issues (#3780 & #11778) still seem to exist.

I wonder how this related to the openid-fix plugin? http://projects.andriylesyuk.com/projects/openid-fix

Also see issue #11778