ruby-openid's Introduction

Ruby OpenID

A Ruby library for verifying and serving OpenID identities.

Features

  • Easy to use API for verifying OpenID identities - OpenID::Consumer
  • Support for serving OpenID identities - OpenID::Server
  • Does not depend on underlying web framework
  • Supports multiple storage mechanisms (Filesystem, ActiveRecord, Memory)
  • Example code to help you get started, including:
    • Ruby on Rails based consumer and server
    • OpenIDLoginGenerator for quickly creating a Rails app that uses OpenID for authentication
    • ActiveRecordOpenIDStore plugin
  • Comprehensive test suite
  • Supports both OpenID 1 and OpenID 2 transparently

Installing

Before running the examples or writing your own code you'll need to install the library. See the INSTALL file or use rubygems:

gem install ruby-openid

Check the installation:

$ irb
irb> require 'rubygems'
=> false
irb> gem 'ruby-openid'
=> true

The library is known to work with Ruby 1.9.2 and above on Unix, Mac OS X and Win32.

Getting Started

The best way to start is to look at the rails_openid example. You can run it with:

cd examples/rails_openid
script/server

If you are writing an OpenID Relying Party, a good place to start is: examples/rails_openid/app/controllers/consumer_controller.rb

And if you are writing an OpenID provider: examples/rails_openid/app/controllers/server_controller.rb

The library code is quite well documented, so don't be squeamish, and look at the library itself if there's anything you don't understand in the examples.

Homepage

Community

Discussion regarding the Ruby OpenID library and other JanRain OpenID libraries takes place on the OpenID mailing list.

Please join this list to discuss, ask implementation questions, report bugs, etc. Also check out the openid channel on the freenode IRC network.

If you have a bugfix or feature you'd like to contribute, don't hesitate to send it to us: How to contribute.

Author

Copyright 2006-2012, JanRain, Inc.

Contact [email protected].

License

Apache Software License. For more information see the LICENSE file.

ruby-openid's People

Contributors

ahorek, amatsuda, authornari, calh, dennisreimann, faberge-eggs, grosser, jeaye, jordimassaguerpla, jordoh, kachick, kou, ktdreyer, mcary, md5, meineerde, nicolasleger, nov, olleolleolle, r7kamura, rubys, serihiro, sstephenson, steved, tobiashm, tomhughes, tsukasaoishi, utkarsh2102, vivek, zawaideh

ruby-openid's Issues

Examples/open_id ruby config out of date

Hi there,
When trying to run script/server on the examples/rails_openid, I had some problems since it uses an old version of rails. It will barf with this error:

can't activate rails (= 2.3.5, runtime) for [], already activated rails-3.0.3 for

I'm running rails-3.0.3 on my machine. I was able to get the app partially running by creating a new project and copying the app folder, but the example doesn't completely run and the views show blank pages for login/index.rhtml.

Any chance someone on the project team could push out an update? The files in git show 2007 updates. Thanks!

require_gem -> gem

require_gem has been deprecated in favor of gem, and a quick find-replace would be helpful as far as initial configuration goes.

JRuby compatibility

I've tried almost every example of Rails apps that use openid, and using this gem failed to authenticate with JRuby, but with regular RMI it works.
Is it possible to investigate what's going on?

The only error message is "OpenID verification failed".

thx

test suite fails with recent MiniTest and TestUnit

It seems that assert does not accept an object as a test message anymore. #to_s could be used to fix these issues, however I am not sure that it will improve the readability in case of failure.

Test-Unit:

===============================================================================
Error:
test_single_endpoint(OpenID::MakeCompoundFilterTest):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <#<Method: OpenID::Yadis::BasicServiceEndpoint#from_basic_service_endpoint>>(<Method>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_filters.rb:210:in `test_single_endpoint'
===============================================================================
..E
===============================================================================
Error:
test_parts_array(OpenID::MakeFilterTest):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <#<OpenID::Yadis::TransformFilterMaker:0x92a516c @filter_procs=[#<Method: OpenID::Yadis::BasicServiceEndpoint#from_basic_service_endpoint>, #<Method: OpenID::Yadis::BasicServiceEndpoint#from_basic_service_endpoint>]>>(<OpenID::Yadis::TransformFilterMaker>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_filters.rb:177:in `test_parts_array'
===============================================================================
E
===============================================================================
Error:
test_parts_nil(OpenID::MakeFilterTest):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <#<OpenID::Yadis::TransformFilterMaker:0x92ac3f4 @filter_procs=[#<Method: OpenID::Yadis::BasicServiceEndpoint.from_basic_service_endpoint>]>>(<OpenID::Yadis::TransformFilterMaker>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_filters.rb:168:in `test_parts_nil'
===============================================================================
E
===============================================================================
Error:
test_parts_single(OpenID::MakeFilterTest):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <#<OpenID::Yadis::TransformFilterMaker:0x92b4b80 @filter_procs=[#<Method: OpenID::Yadis::BasicServiceEndpoint#from_basic_service_endpoint>]>>(<OpenID::Yadis::TransformFilterMaker>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_filters.rb:186:in `test_parts_single'
===============================================================================
...............................................................................
...............................................................................
.......................................E
===============================================================================
Error:
test_store(OpenID::Store::FileStoreTestCase):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <#<OpenID::Association:0x8823414 @handle=":hm'\\mn2z:LTxR5fd*^J\\Vps0ku9ElVF#h@FDLJ;JV<Op1Z\\Ecr@[\"d}POogV7Gc?!VED1cTT)Qn=7ueuc<Rg~m2^<YHWTH\"U\\'OI-(>g*a\"LI>\".~z6*l6[UD+VWX7O", @secret="\xFD\xADQ\xC3)g\xB5\xAE\x1A\xD3\nL\xD8\\\xD6\x1E\xC5\xB6\xE9\xAE", @issued=2012-02-06 10:36:45 +0000, @lifetime=600, @assoc_type="HMAC-SHA1">>(<OpenID::Association>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_stores.rb:122:in `test_store'
===============================================================================
...E
===============================================================================
Error:
test_store(OpenID::Store::MemoryStoreTestCase):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <#<OpenID::Association:0x92b709c @handle="7vP{}iCXaA$L#.^Vd}Y7^k9\"}#VZMVJ'([2n|~U(,W=}Wo*[]>f)>#e-/@hf\"OsW/T?\#@fH;=n=G3%:E9j|,0tCm|il:;]{6Z=!6kMXj#zkt1{!|tODv(r`*m50Q94D,", @secret="\xF8\xCE\xE6\xF0|\xEF^\xA2\xEA\x996\x8Fp\xC6y\xB8\xCE\x1Ai\x00", @issued=2012-02-06 10:36:45 +0000, @lifetime=600, @assoc_type="HMAC-SHA1">>(<OpenID::Association>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_stores.rb:122:in `test_store'
===============================================================================
...............................................................................
........................................E
===============================================================================
Error:
test_dictOfLists(OpenID::TestDecode):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <#<ArgumentError: Query dict must have one value for each key, not lists of values.  Query is {"openid.mode"=>["checkid_setup"], "openid.identity"=>"http://decoder.am.unittest/", "openid.assoc_handle"=>"{assoc}{handle}", "openid.return_to"=>"http://rp.unittest/foobot/?qux=zam", "openid.trust_root"=>"http://rp.unittest/"}>>(<ArgumentError>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_server.rb:211:in `rescue in test_dictOfLists'
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_server.rb:208:in `test_dictOfLists'
===============================================================================
...............................................................................
..........................................................E
===============================================================================
Error:
test_cancel(OpenID::TestSigningEncode):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <{"openid.ns"=>"http://specs.openid.net/auth/2.0", "openid.mode"=>"cancel"}>(<Hash>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_server.rb:1011:in `test_cancel'
===============================================================================
....................................................E
===============================================================================
Error:
test_build_discovery_url(TrustRootTest):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <["http://foo.com/path", "http://foo.com/path", "http://foo.com/path"]>(<Array>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:110:in `block in test_build_discovery_url'
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:106:in `each'
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:106:in `test_build_discovery_url'
===============================================================================
.E
===============================================================================
Error:
test_trustroots(TrustRootTest):
ArgumentError: assertion message must be String, Proc or Test::Unit::Assertions::AssertionMessage: <[["", "23: Does not parse", "baz.org\n*.foo.com\nhttp://*.schtuff.*/\nftp://foo.com\nftp://*.foo.com\nhttp://*.foo.com:80:90/\nfoo.*.com\nhttp://foo.*.com\nhttp://www.*\nhttp://*foo.com/\nhttp://foo.com/invalid#fragment\nhttp://..it/\nhttp://.it/\nhttp://*:8081/\nhttp://*:80\nhttp://localhost:1900foo/\nhttp://foo.com\\/\nhttp://�.pi.com/\nhttp://lambda.com/�\n\n \n \t\n5", "14: Insane", "http:///\nhttp://*/\nhttps://*/\nhttp://*.com\nhttp://*.com/\nhttps://*.com/\nhttp://*.com.au/\nhttp://*.co.uk/\nhttp://*.foo.notatld/\nhttps://*.foo.notatld/\nhttp://*.museum/\nhttps://*.museum/\nhttp://www.schtuffcom/\nhttp://it/", "18: Sane", "http://*.schtuff.com./\nhttp://*.schtuff.com/\nhttp://*.foo.schtuff.com/\nhttp://*.schtuff.com\nhttp://www.schtuff.com/\nhttp://www.schtuff.com./\nhttp://www.schutff.com\nhttp://*.this.that.schtuff.com/\nhttp://*.foo.com/path\nhttp://*.foo.com/path?action=foo2\nhttp://x.foo.com/path?action=foo2\nhttp://x.foo.com/path?action=%3D\nhttp://localhost:8081/\nhttp://localhost:8082/?action=openid\nhttps://foo.com/\nhttp://kink.fm/should/be/sane\nhttp://beta.lingu.no/\nhttp://goathack.livejournal.org:8020/openid/login.bml"], ["bad", "insane", "sane"]]>(<Array>)
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:59:in `getTests'
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:42:in `test_trustroots'
===============================================================================

MiniTest:

  7) Error:
test_single_endpoint(OpenID::MakeCompoundFilterTest):
ArgumentError: assertion message must be String or Proc, but Method was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_filters.rb:210:in `test_single_endpoint'
  8) Error:
test_parts_array(OpenID::MakeFilterTest):
ArgumentError: assertion message must be String or Proc, but OpenID::Yadis::TransformFilterMaker was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_filters.rb:177:in `test_parts_array'
  9) Error:
test_parts_nil(OpenID::MakeFilterTest):
ArgumentError: assertion message must be String or Proc, but OpenID::Yadis::TransformFilterMaker was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_filters.rb:168:in `test_parts_nil'
 10) Error:
test_parts_single(OpenID::MakeFilterTest):
ArgumentError: assertion message must be String or Proc, but OpenID::Yadis::TransformFilterMaker was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_filters.rb:186:in `test_parts_single'
 11) Error:
test_store(OpenID::Store::FileStoreTestCase):
ArgumentError: assertion message must be String or Proc, but OpenID::Association was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_stores.rb:122:in `test_store'
 12) Error:
test_store(OpenID::Store::MemoryStoreTestCase):
ArgumentError: assertion message must be String or Proc, but OpenID::Association was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_stores.rb:122:in `test_store'
 13) Error:
test_dictOfLists(OpenID::TestDecode):
ArgumentError: assertion message must be String or Proc, but ArgumentError was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_server.rb:211:in `rescue in test_dictOfLists'
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_server.rb:208:in `test_dictOfLists'
 14) Error:
test_getAssocExpired(OpenID::TestSignatory):
ArgumentError: assertion message must be String or Proc, but NilClass was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_server.rb:2343:in `test_getAssocExpired'
 15) Error:
test_cancel(OpenID::TestSigningEncode):
ArgumentError: assertion message must be String or Proc, but Hash was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_server.rb:1011:in `test_cancel'
 16) Error:
test_build_discovery_url(TrustRootTest):
ArgumentError: assertion message must be String or Proc, but Array was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:110:in `block in test_build_discovery_url'
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:106:in `each'
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:106:in `test_build_discovery_url'
 17) Error:
test_trustroots(TrustRootTest):
ArgumentError: assertion message must be String or Proc, but Array was given.
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:59:in `getTests'
    /builddir/build/BUILD/ruby-openid-2.1.7/test/test_trustroot.rb:42:in `test_trustroots'

Error fetching <url>: closed stream

Hi,

I'm experiencing some difficulty getting ruby-openid to work, only in my production environment; dev and staging are fine.
I use memcache store for openid, rack-openid, ruby 1.8.7, passenger 2.2.4

I tracked down the issue to that method call which raises the error:
openid/fetchers.rb:181
OpenID.fetch(url, body=nil, headers=nil, redirect_limit=REDIRECT_LIMIT)
raises => Error fetching :closed stream

I've been stuck on this for a few days now and really need some help.

Thanks,

ActiveRecordStore#cleanup_associations destroys non-expired associations

The example ActiveRecordStore's cleanup_associations method leaves expired associations and deletes non-expired ones.

In examples/active_record_openid_store/lib/openid_ar_store.rb
Association.delete_all(['issued + lifetime > ?',now])
should instead be
Association.delete_all(['issued + lifetime < ?',now])
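The effect of the two predicates above, as an added example that is not part of the issue or of ruby-openid: an in-memory stand-in for the associations table runs both comparisons over the same rows. AssociationTable, its method names and the sample rows are hypothetical and constructed for illustration.

```ruby
# Added example, not ruby-openid code. AssociationTable is a hypothetical
# in-memory stand-in for the ActiveRecord table used by the example store.
Association = Struct.new(:handle, :issued, :lifetime) do
  def expires_at
    issued + lifetime
  end

  # Same boundary as the corrected predicate: still valid at exactly expires_at.
  def expired?(now)
    expires_at < now
  end
end

class AssociationTable
  def initialize(rows)
    @rows = rows.dup
  end

  def handles
    @rows.map(&:handle).sort
  end

  # Mirrors delete_all(['issued + lifetime > ?', now]) quoted in the issue:
  # it removes associations that are still valid.
  def cleanup_inverted(now)
    delete_where { |a| a.issued + a.lifetime > now }
  end

  # Mirrors the corrected delete_all(['issued + lifetime < ?', now]).
  def cleanup_fixed(now)
    delete_where { |a| a.issued + a.lifetime < now }
  end

  # Lookup that refuses expired rows, so a stale secret is never handed back
  # even if cleanup has not removed it yet.
  def get_association(handle, now)
    row = @rows.find { |a| a.handle == handle }
    row unless row.nil? || row.expired?(now)
  end

  private

  # Deletes matching rows and returns how many were removed.
  def delete_where
    before = @rows.size
    @rows.reject! { |a| yield a }
    before - @rows.size
  end
end

# Constructed sample data: one live, one expired, one expiring exactly now.
NOW = 1_000_000
SAMPLE_ROWS = [
  Association.new('live',    NOW - 100,  600),  # expires at NOW + 500
  Association.new('expired', NOW - 1000, 600),  # expired at NOW - 400
  Association.new('edge',    NOW - 600,  600)   # expires at exactly NOW
].freeze

if __FILE__ == $PROGRAM_NAME
  buggy = AssociationTable.new(SAMPLE_ROWS)
  buggy.cleanup_inverted(NOW)
  puts "inverted predicate keeps: #{buggy.handles.inspect}"

  fixed = AssociationTable.new(SAMPLE_ROWS)
  fixed.cleanup_fixed(NOW)
  puts "fixed predicate keeps:    #{fixed.handles.inspect}"
end
```

With the inverted comparison the live association is gone after cleanup and the expired one stays in the table, so expiry has to be enforced at lookup time as well.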

encoding problems with 2.3.0 test suite

I've encountered two test failures related to encoding problems.

Fedora's build system does not set the LANG variable. You can duplicate this as follows:

export LANG=
testrb -Ilib test

Here are the results:

Run options: -Ilib
# Running tests:

Finished tests in 14.175624s, 61.8668 tests/s, 453.1723 assertions/s.
  1) Error:
LinkParseTestCase#test_linkparse:
ArgumentError: invalid byte sequence in US-ASCII
    /builddir/build/BUILD/ruby-openid-2.3.0/usr/share/gems/gems/ruby-openid-2.3.0/test/test_linkparse.rb:57:in `split'
    /builddir/build/BUILD/ruby-openid-2.3.0/usr/share/gems/gems/ruby-openid-2.3.0/test/test_linkparse.rb:57:in `test_linkparse'
  2) Error:
TrustRootTest#test_trustroots:
ArgumentError: invalid byte sequence in US-ASCII
    /builddir/build/BUILD/ruby-openid-2.3.0/usr/share/gems/gems/ruby-openid-2.3.0/test/test_trustroot.rb:37:in `split'
    /builddir/build/BUILD/ruby-openid-2.3.0/usr/share/gems/gems/ruby-openid-2.3.0/test/test_trustroot.rb:37:in `test_trustroots'
877 tests, 6424 assertions, 0 failures, 2 errors, 0 skips
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674) [armv7hl-linux]

When I set LANG to en_US.utf8, the tests pass.

please specify license of test data

As part of a Fedora package review, @mtasaka pointed out that the license(s) of the files under /test/data/ is somewhat unclear.

The linkparse.txt file seems to have been copied from the Python OpenID project: https://svn.apache.org/repos/asf/incubator/heraldry/libraries/python/openid/trunk/openid/test/linkparse.txt

The license file for the Python OpenID project indicates that the files are available under the LGPLv2.1 or later license. However, the LICENSE file in ruby-openid makes no mention of this.

Can you please clarify this situation? Does ruby-openid distribute the /test/data/ files under LGPLv2.1+, or a different license (e.g. ASL 2.0)?

ArgumentError invalid byte sequence in UTF-8

It seems like REXML can only handle UTF-8. It fails for sites having other encodings (e.g. http://thehubhostel.com)

begin
    d = REXML::Document.new(text)
rescue RuntimeError => why
    raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
end

Full Trace

/home/ananth/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/rexml/parseexception.rb:31:in `gsub'
/home/ananth/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/rexml/parseexception.rb:31:in `to_s'
/home/ananth/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/rexml/parsers/treeparser.rb:95:in `message'
/home/ananth/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/rexml/parsers/treeparser.rb:95:in `rescue in parse'
/home/ananth/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/rexml/parsers/treeparser.rb:20:in `parse'
/home/ananth/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/rexml/document.rb:230:in `build'
/home/ananth/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/rexml/document.rb:43:in `initialize'
/media/Studies/Git_Repo/ruby-openid/lib/openid/yadis/xrds.rb:96:in `new'
/media/Studies/Git_Repo/ruby-openid/lib/openid/yadis/xrds.rb:96:in `parseXRDS'
/media/Studies/Git_Repo/ruby-openid/lib/openid/yadis/services.rb:32:in `apply_filter'
/media/Studies/Git_Repo/ruby-openid/lib/openid/consumer/discovery.rb:202:in `from_xrds'
/media/Studies/Git_Repo/ruby-openid/lib/openid/consumer/discovery.rb:395:in `discover_yadis'
/media/Studies/Git_Repo/ruby-openid/lib/openid/consumer/discovery.rb:485:in `discover_uri'
/media/Studies/Git_Repo/ruby-openid/lib/openid/consumer/discovery.rb:494:in `discover'
oa-openid (0.3.0) lib/omniauth/openid/gapps.rb:10:in `discover'
/media/Studies/Git_Repo/ruby-openid/lib/openid/consumer.rb:333:in `discover'
/media/Studies/Git_Repo/ruby-openid/lib/openid/consumer/discovery_manager.rb:51:in `get_next_service'
/media/Studies/Git_Repo/ruby-openid/lib/openid/consumer.rb:222:in `begin'
rack-openid (1.3.1) lib/rack/openid.rb:123:in `begin_authentication'
rack-openid (1.3.1) lib/rack/openid.rb:102:in `call'
oa-openid (0.3.0) lib/omniauth/strategies/open_id.rb:70:in `start'
oa-openid (0.3.0) lib/omniauth/strategies/open_id.rb:65:in `request_phase'
oa-core (0.3.0) lib/omniauth/strategy.rb:58:in `request_call'
oa-core (0.3.0) lib/omniauth/strategy.rb:41:in `call!'
oa-core (0.3.0) lib/omniauth/strategy.rb:30:in `call'
oa-core (0.3.0) lib/omniauth/strategy.rb:44:in `call!'
oa-core (0.3.0) lib/omniauth/strategy.rb:30:in `call'
oa-core (0.3.0) lib/omniauth/strategy.rb:44:in `call!'
oa-core (0.3.0) lib/omniauth/strategy.rb:30:in `call'
oa-core (0.3.0) lib/omniauth/strategy.rb:44:in `call!'
oa-core (0.3.0) lib/omniauth/strategy.rb:30:in `call'
warden (1.0.5) lib/warden/manager.rb:35:in `block in call'
warden (1.0.5) lib/warden/manager.rb:34:in `catch'
warden (1.0.5) lib/warden/manager.rb:34:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
rack (1.3.3) lib/rack/etag.rb:23:in `call'
rack (1.3.3) lib/rack/conditionalget.rb:25:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/head.rb:14:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/flash.rb:243:in `call'
rack (1.3.3) lib/rack/session/abstract/id.rb:195:in `context'
rack (1.3.3) lib/rack/session/abstract/id.rb:190:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/cookies.rb:326:in `call'
activerecord (3.1.0) lib/active_record/query_cache.rb:62:in `call'
activerecord (3.1.0) lib/active_record/connection_adapters/abstract/connection_pool.rb:477:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (3.1.0) lib/active_support/callbacks.rb:392:in `_run_call_callbacks'
activesupport (3.1.0) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (3.1.0) lib/action_dispatch/middleware/callbacks.rb:28:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/reloader.rb:68:in `call'
rack (1.3.3) lib/rack/sendfile.rb:101:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/remote_ip.rb:48:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/show_exceptions.rb:47:in `call'
railties (3.1.0) lib/rails/rack/logger.rb:13:in `call'
rack (1.3.3) lib/rack/methodoverride.rb:24:in `call'
rack (1.3.3) lib/rack/runtime.rb:17:in `call'
activesupport (3.1.0) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
rack (1.3.3) lib/rack/lock.rb:15:in `call'
actionpack (3.1.0) lib/action_dispatch/middleware/static.rb:53:in `call'
railties (3.1.0) lib/rails/engine.rb:455:in `call'
railties (3.1.0) lib/rails/rack/content_length.rb:16:in `call'
railties (3.1.0) lib/rails/rack/log_tailer.rb:14:in `call'
thin (1.2.11) lib/thin/connection.rb:84:in `block in pre_process'
thin (1.2.11) lib/thin/connection.rb:82:in `catch'
thin (1.2.11) lib/thin/connection.rb:82:in `pre_process'
thin (1.2.11) lib/thin/connection.rb:57:in `process'
thin (1.2.11) lib/thin/connection.rb:42:in `receive_data'
eventmachine (0.12.10) lib/eventmachine.rb:256:in `run_machine'
eventmachine (0.12.10) lib/eventmachine.rb:256:in `run'
thin (1.2.11) lib/thin/backends/base.rb:61:in `start'
thin (1.2.11) lib/thin/server.rb:159:in `start'
rack (1.3.3) lib/rack/handler/thin.rb:13:in `run'
rack (1.3.3) lib/rack/server.rb:265:in `start'
railties (3.1.0) lib/rails/commands/server.rb:70:in `start'
railties (3.1.0) lib/rails/commands.rb:54:in `block in <top (required)>'
railties (3.1.0) lib/rails/commands.rb:49:in `tap'
railties (3.1.0) lib/rails/commands.rb:49:in `<top (required)>'
script/rails:6:in `require'
script/rails:6:in `<main>'

Passwords

In the example server controller, how would I prompt a relying party to enter a username/password for the user on the openid provider?

Using memcache-client or dalli with the memcache store

In OpenID::Store::Memcache#use_nonce, the return value of #use_nonce is based on a regex search for 'STORED' on the result of @cache_client.add(). However when using memcache-client or dalli for the cache client, the return value of #add is a boolean, and #use_nonce will always return false. This will cause an "invalid credentials" failure message during the authentication process.

I'm not sure if this should be changed in the source code, but using

return result == true

instead of

return !!(result =~/^STORED/)

in #use_nonce, seems to fix the problem.
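The behaviour described in this issue, as an added example that is not ruby-openid code: a nonce check that accepts either reply style from #add and treats anything else as "not stored", so a replayed nonce is still rejected. NonceStore, StringReplyClient, BooleanReplyClient and the SKEW value are hypothetical; the two clients are constructed stand-ins for a client that returns the protocol reply string and for one that returns a boolean, as the issue reports for memcache-client and dalli.

```ruby
# Added example, not ruby-openid code. All class names and SKEW are
# hypothetical; the cache clients are constructed in-memory stand-ins.
require 'digest'

# Stand-in for a client whose #add returns the raw protocol reply.
class StringReplyClient
  def initialize
    @data = {}
  end

  def add(key, value, _ttl = 0)
    return "NOT_STORED\r\n" if @data.key?(key)
    @data[key] = value
    "STORED\r\n"
  end
end

# Stand-in for a client whose #add returns true/false, as the issue describes.
class BooleanReplyClient
  def initialize
    @data = {}
  end

  def add(key, value, _ttl = 0)
    return false if @data.key?(key)
    @data[key] = value
    true
  end
end

class NonceStore
  SKEW = 300 # seconds of clock skew tolerated (constructed value)

  def initialize(client, now: -> { Time.now.to_i })
    @client = client
    @now = now
  end

  # Returns true only the first time a fresh nonce is seen.
  def use_nonce(server_url, timestamp, salt)
    return false unless fresh?(timestamp)
    # The entry must live at least as long as the skew window; if it expired
    # sooner, the same nonce could be added again while still "fresh".
    stored?(@client.add(key_for(server_url, timestamp, salt), '1', SKEW))
  end

  # Same outcome as the regex-only check quoted in the issue: a boolean reply
  # never matches /^STORED/, so every nonce is rejected.
  def use_nonce_legacy(server_url, timestamp, salt)
    return false unless fresh?(timestamp)
    result = @client.add(key_for(server_url, timestamp, salt), '1', SKEW)
    result.is_a?(String) && !!(result =~ /^STORED/)
  end

  private

  def fresh?(timestamp)
    (timestamp - @now.call).abs <= SKEW
  end

  # Hash the parts so the key has a fixed length and no unsafe characters.
  def key_for(server_url, timestamp, salt)
    'nonce:' + Digest::SHA256.hexdigest([server_url, timestamp, salt].join("\n"))
  end

  # Accept both reply styles; any other value fails closed.
  def stored?(result)
    case result
    when String then result.start_with?('STORED')
    when true then true
    else false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  t = Time.now.to_i
  store = NonceStore.new(BooleanReplyClient.new)
  puts "first use: #{store.use_nonce('https://op.example/server', t, 'abc')}"
  puts "replay:    #{store.use_nonce('https://op.example/server', t, 'abc')}"
end
```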

Why doesn't the AX extension register_namespace_alias like SReg?

When you require 'openid/extensions/sreg' the code is smart enough to register the 'sreg' namespace. However, require 'openid/extensions/ax' does not do this. The result is that calling OpenID::AX::FetchResponse.from_success_response(openid_response) fails because the ax-related arguments are grouped under a generic OpenID namespace (like 'http://openid.net/signon/1.0').

Is there a reason that the AX extension doesn't automatically register the 'ax' namespace?

The workaround is to manually add the namespace whenever you require the ax extension (in a Rails Controller, for example)

# Require the AX extension
require 'openid/extensions/ax'
# Register the ax namespace
OpenID::Message.register_namespace_alias(OpenID::AX::AXMessage::NS_URI, 'ax')

undefined method for_url? for OpenID::Consumer::DiscoveredServices on Rails 4.1 RC1

Works fine in Rails 4.0.x, on Ruby 2.1.0. This is with a pretty vanilla rails app, configured to use OmniAuth and Google Apps for login. We've been using this stack and exact gem versions fine for 3.2.x and 4.0.x on Ruby 1.9.x, 2.0.x and 2.1.x.

This is for version 2.5 of this gem (gem list included below).

Looking at the code, I have no idea why it's complaining. Stack trace below. Any ideas?

12:57:35 web.1  | I, [2014-02-19T12:57:35.105838 #97709]  INFO -- omniauth: (google_apps) Request phase initiated.
12:57:35 web.1  | F, [2014-02-19T12:57:35.160764 #97709] FATAL -- : 
12:57:35 web.1  | NoMethodError (undefined method `for_url?' for "#<OpenID::Consumer::DiscoveredServices:0x007f857ec91908>":String):
12:57:35 web.1  |   ruby-openid (2.5.0) lib/openid/consumer/discovery_manager.rb:80:in `get_manager'
12:57:35 web.1  |   ruby-openid (2.5.0) lib/openid/consumer/discovery_manager.rb:44:in `get_next_service'
12:57:35 web.1  |   ruby-openid (2.5.0) lib/openid/consumer.rb:222:in `begin'
12:57:35 web.1  |   rack-openid (1.3.1) lib/rack/openid.rb:123:in `begin_authentication'
12:57:35 web.1  |   rack-openid (1.3.1) lib/rack/openid.rb:102:in `call'
12:57:35 web.1  |   omniauth-openid (1.0.1) lib/omniauth/strategies/open_id.rb:53:in `start'
12:57:35 web.1  |   omniauth-openid (1.0.1) lib/omniauth/strategies/open_id.rb:48:in `request_phase'
12:57:35 web.1  |   omniauth (1.2.1) lib/omniauth/strategy.rb:215:in `request_call'
12:57:35 web.1  |   omniauth (1.2.1) lib/omniauth/strategy.rb:183:in `call!'
12:57:35 web.1  |   omniauth (1.2.1) lib/omniauth/strategy.rb:164:in `call'
12:57:35 web.1  |   omniauth (1.2.1) lib/omniauth/builder.rb:59:in `call'
12:57:35 web.1  |   newrelic_rpm (3.7.2.195) lib/new_relic/rack/error_collector.rb:55:in `call'
12:57:35 web.1  |   newrelic_rpm (3.7.2.195) lib/new_relic/rack/agent_hooks.rb:32:in `call'
12:57:35 web.1  |   newrelic_rpm (3.7.2.195) lib/new_relic/rack/browser_monitoring.rb:27:in `call'
12:57:35 web.1  |   rack (1.5.2) lib/rack/etag.rb:23:in `call'
12:57:35 web.1  |   rack (1.5.2) lib/rack/conditionalget.rb:25:in `call'
12:57:35 web.1  |   rack (1.5.2) lib/rack/head.rb:11:in `call'
12:57:35 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
12:57:35 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/flash.rb:254:in `call'
12:57:35 web.1  |   rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
12:57:35 web.1  |   rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
12:57:35 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/cookies.rb:551:in `call'
12:57:35 web.1  |   activerecord (4.1.0.rc1) lib/active_record/query_cache.rb:36:in `call'
12:57:35 web.1  |   activerecord (4.1.0.rc1) lib/active_record/connection_adapters/abstract/connection_pool.rb:621:in `call'
12:57:35 web.1  |   activerecord (4.1.0.rc1) lib/active_record/migration.rb:380:in `call'
12:57:35 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
12:57:35 web.1  |   activesupport (4.1.0.rc1) lib/active_support/callbacks.rb:82:in `run_callbacks'
12:57:35 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
12:57:35 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/reloader.rb:73:in `call'
12:57:35 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
12:57:36 web.1  |   airbrake (3.1.15) lib/airbrake/rails/middleware.rb:13:in `call'
12:57:36 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
12:57:36 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
12:57:36 web.1  |   stitchfix-logger (2.1.0) lib/rails_ext/rails/rack/logger.rb:29:in `call_app'
12:57:36 web.1  |   stitchfix-logger (2.1.0) lib/rails_ext/rails/rack/logger.rb:23:in `call'
12:57:36 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/runtime.rb:17:in `call'
12:57:36 web.1  |   activesupport (4.1.0.rc1) lib/active_support/cache/strategy/local_cache.rb:87:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/lock.rb:17:in `call'
12:57:36 web.1  |   actionpack (4.1.0.rc1) lib/action_dispatch/middleware/static.rb:64:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/sendfile.rb:112:in `call'
12:57:36 web.1  |   airbrake (3.1.15) lib/airbrake/user_informer.rb:16:in `_call'
12:57:36 web.1  |   airbrake (3.1.15) lib/airbrake/user_informer.rb:12:in `call'
12:57:36 web.1  |   railties (4.1.0.rc1) lib/rails/engine.rb:515:in `call'
12:57:36 web.1  |   railties (4.1.0.rc1) lib/rails/application.rb:142:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/lint.rb:49:in `_call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/lint.rb:37:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/showexceptions.rb:24:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/commonlogger.rb:33:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/chunked.rb:43:in `call'
12:57:36 web.1  |   rack (1.5.2) lib/rack/content_length.rb:14:in `call'
12:57:36 web.1  |   unicorn (4.8.2) lib/unicorn/http_server.rb:572:in `process_client'
12:57:36 web.1  |   unicorn (4.8.2) lib/unicorn/http_server.rb:666:in `worker_loop'
12:57:36 web.1  |   newrelic_rpm (3.7.2.195) lib/new_relic/agent/instrumentation/unicorn_instrumentation.rb:22:in `call'
12:57:36 web.1  |   newrelic_rpm (3.7.2.195) lib/new_relic/agent/instrumentation/unicorn_instrumentation.rb:22:in `block (4 levels) in <top (required)>'
12:57:36 web.1  |   unicorn (4.8.2) lib/unicorn/http_server.rb:521:in `spawn_missing_workers'
12:57:36 web.1  |   unicorn (4.8.2) lib/unicorn/http_server.rb:140:in `start'
12:57:36 web.1  |   unicorn (4.8.2) bin/unicorn:126:in `<top (required)>'
12:57:36 web.1  |   /Users/davec/.rvm/gems/ruby-2.1.0@astro_city/bin/unicorn:23:in `load'
12:57:36 web.1  |   /Users/davec/.rvm/gems/ruby-2.1.0@astro_city/bin/unicorn:23:in `<main>'
12:57:36 web.1  |   /Users/davec/.rvm/gems/ruby-2.1.0@astro_city/bin/ruby_executable_hooks:15:in `eval'
12:57:36 web.1  |   /Users/davec/.rvm/gems/ruby-2.1.0@astro_city/bin/ruby_executable_hooks:15:in `<main>'
> gem list
actionmailer (4.1.0.rc1)
actionpack (4.1.0.rc1)
actionview (4.1.0.rc1)
activemodel (4.1.0.rc1)
activerecord (4.1.0.rc1)
activesupport (4.1.0.rc1)
airbrake (3.1.15)
arel (5.0.0)
atomic (1.1.14)
bigdecimal (1.2.3)
bootstrap-sass (3.1.1.0)
bower-rails (0.7.1)
braintree (2.19.0)
brakeman (2.4.1)
builder (3.2.2)
bundler (1.3.5)
bundler-unload (1.0.2)
cancan (1.6.10)
capybara (2.2.1)
childprocess (0.5.1)
coffee-rails (4.0.1)
coffee-script (2.2.0)
coffee-script-source (1.7.0)
daemons (1.1.9)
dalli (2.7.0)
database_cleaner (1.2.0)
diff-lcs (1.2.5)
dotenv (0.9.0)
erubis (2.7.0)
eventmachine (1.0.3)
execjs (2.0.2)
executable-hooks (1.2.6)
factory_girl (4.4.0)
factory_girl_rails (4.4.0)
fastercsv (1.5.5)
ffi (1.9.3)
foreman (0.63.0)
gem-man (0.3.0)
gem-wrappers (1.2.1)
gli (2.8.1)
haml (4.0.5)
hashie (2.0.5)
highline (1.6.20)
hike (1.2.3)
hk (0.0.1)
hl (1.1.0)
i18n (0.6.9)
io-console (0.4.2)
jbuilder (2.0.3)
jquery-rails (3.1.0)
jquery-ui-rails (4.2.0)
json (1.8.1)
kgio (2.9.2)
mail (2.5.4)
mail_view (2.0.4)
mailcatcher (0.2.4)
mc-settings (0.1.6)
methadone (1.0.0)
mime-types (1.25.1)
mini_portile (0.5.2)
minitest (5.2.3, 4.7.5)
mono_logger (1.1.0)
multi_json (1.8.4)
newrelic_rpm (3.7.2.195)
nokogiri (1.6.1)
omniauth (1.2.1)
omniauth-google-apps (0.1.0, 0.0.2)
omniauth-openid (1.0.1)
paper_trail (3.0.0)
pg (0.17.1)
phantomjs (1.9.2.1)
polyglot (0.3.4)
psych (2.0.2)
rack (1.5.2)
rack-openid (1.3.1)
rack-protection (1.5.2)
rack-test (0.6.2)
rails (4.1.0.rc1)
rails_12factor (0.0.2)
rails_serve_static_assets (0.0.2)
rails_stdout_logging (0.0.3)
railties (4.1.0.rc1)
rainbow (2.0.0, 1.99.1)
raindrops (0.13.0)
rake (10.1.1, 10.1.0)
rdoc (4.1.1, 4.1.0)
redis (3.0.7)
redis-namespace (1.4.1)
resque (1.25.1)
resque-retry (1.0.0)
resque-scheduler (2.5.4)
resque_mailer (2.2.6)
rspec (2.14.1)
rspec-core (2.14.7)
rspec-expectations (2.14.5)
rspec-mocks (2.14.5)
rspec-rails (2.14.1)
ruby-openid (2.5.0, 2.3.0)
ruby-openid-apps-discovery (1.2.0)
ruby2ruby (2.0.7)
ruby_css_lint (0.1.0)
ruby_parser (3.4.1)
rubygems-bundler (1.4.2)
rubyzip (1.1.0)
rufus-scheduler (2.0.24)
rvm (1.11.3.8)
sass (3.2.14, 3.2.13)
sass-rails (4.0.1)
sdoc (0.4.0)
selenium-webdriver (2.39.0)
sexp_processor (4.4.1)
sinatra (1.4.4)
skinny (0.2.3)
slim (2.0.2)
spring (1.1.1)
sprockets (2.10.1)
sprockets-rails (2.0.1)
sqlite3 (1.3.8)
sqlite3-ruby (1.3.3)
teaspoon (0.7.9)
temple (0.6.7)
terminal-table (1.4.5)
test-unit (2.1.0.0)
thin (1.5.1)
thor (0.18.1)
thread_safe (0.1.3)
tilt (1.4.1)
treetop (1.4.15)
trickster (1.3.1)
tzinfo (1.1.0)
uglifier (2.4.0)
unicorn (4.8.2)
vegas (0.1.11)
websocket (1.0.7)
xpath (2.0.0)

Put out a request for new maintainers?

I do not wish to offend with this post but, as someone starting to look into doing some openid work it looks like the ruby-openid library could really do with some fixing up.

  • No commits for over a year
  • A number of long-waiting bugs not yet fixed in the main repository.
  • There are a large number of forks that improve the library and fix problems that have not been merged into the main repository.
  • Pull requests sitting around with no apparent progress.
  • Little / no feedback from repository owners.
  • Hilariously out of date README (Talking about ruby 1.8.4 etc, no mention of rails 3 or ruby 1.9)
  • Examples don't work 'out of the box' / missing some setup documentation.

All the above points to a project / repository that has been abandoned by the owners, which is especially embarrassing since this is the "standard" ruby openid library (linked to from openid.net no less) AND it appears to be maintained by a commercial organisation in the shape of Janrain which, in my opinion at least, doesn't reflect well on them.

Possible solutions:

  • Janrain takes up leadership again, merges pull requests, fixes bugs etc.
  • Janrain gives committer permissions to others willing to update the repository.
  • Janrain puts out a request for new maintainers to fully take up the responsibility for this repository.

Again, not trying to offend, just giving an outside view (and hopefully a kick in the rear)

Test failures with ruby-openid 2.2.0

I'm getting the following test failures. I guess this happens because my system resolves localhost to ::1 (IPv6) while the fetchers seem to be initialized with 127.0.0.1.

  1) Error:
test_cases(FetcherTestCase):
OpenID::FetchingError: Error fetching http://localhost:40622/success: Connection refused - connect(2)
    ../lib/openid/fetchers.rb:218:in `fetch'
    ./test_fetchers.rb:247:in `test_cases'
    ./test_fetchers.rb:238:in `each'
    ./test_fetchers.rb:238:in `test_cases'

  2) Error:
test_headers(FetcherTestCase):
OpenID::FetchingError: Error fetching http://localhost:51109/require_header: Connection refused - connect(2)
    ../lib/openid/fetchers.rb:218:in `fetch'
    ./test_fetchers.rb:195:in `test_headers'

  3) Error:
test_headers_after_redirect(FetcherTestCase):
OpenID::FetchingError: Error fetching http://localhost:40351/redirect_to_reqheader: Connection refused - connect(2)
    ../lib/openid/fetchers.rb:218:in `fetch'
    ./test_fetchers.rb:206:in `test_headers_after_redirect'

  4) Error:
test_post(FetcherTestCase):
OpenID::FetchingError: Error fetching http://localhost:56165/post: Connection refused - connect(2)
    ../lib/openid/fetchers.rb:218:in `fetch'
    ./test_fetchers.rb:214:in `test_post'

  5) Failure:
test_redirect_limit(FetcherTestCase) [./test_fetchers.rb:223]:
<OpenID::HTTPRedirectLimitReached> exception expected but was
Class: <OpenID::FetchingError>
Message: <"Error fetching http://localhost:43437/redirect_loop: Connection refused - connect(2)">
---Backtrace---
../lib/openid/fetchers.rb:218:in `fetch'
./test_fetchers.rb:224:in `test_redirect_limit'
./test_fetchers.rb:223:in `test_redirect_limit'
---------------

  6) Error:
test_utf8_page(FetcherTestCase):
OpenID::FetchingError: Error fetching http://localhost:45005/utf8_page: Connection refused - connect(2)
    ../lib/openid/fetchers.rb:218:in `fetch'
    ./test_fetchers.rb:230:in `test_utf8_page'

868 tests, 6583 assertions, 1 failures, 5 errors

OpenID::Consumer::IdResHandler#verify_return_to_args doesn't like arguments with [bracketed] sections

In cases where the return_to URL includes arguments of the form a[b], OpenID::Consumer::IdResHandler#verify_return_to_args will usually throw "Message missing return_to argument 'a[b]'". This is because return_to_parsed_query doesn't handle these the same way Rack does.

Specifically, the return_to_parsed_query hash contains a key called "a[b]", but the query hash contains a key called "a", which points to a hash containing a key called "b".

One way of solving this would be to use Rack::Request to parse the query rather than CGI.parse, but this would add a Rack dependency to the ruby-openid gem, as well as possibly breaking non-Rack users of ruby-openid. I'm not sure if there is a better way to do it.
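The mismatch described above, and one Rack-free way to reconcile it, as an added example (not ruby-openid code). The helper names and the sample return_to URL and params are constructed for illustration; `URI.decode_www_form` stands in for the flat, CGI-style parse, and the nested hash is what a Rack application would hand to the consumer.

```ruby
require 'uri'

# Constructed sample data (not taken from the issue).
SAMPLE_RETURN_TO =
  'https://rp.example/openid/complete?a%5Bb%5D=1&tag%5B%5D=x&tag%5B%5D=y&nonce=n-123'
SAMPLE_RACK_PARAMS = {
  'a' => { 'b' => '1' },        # Rack nests "a[b]=1"
  'tag' => %w[x y],             # Rack collects "tag[]=x&tag[]=y"
  'nonce' => 'n-123',
  'openid.mode' => 'id_res'
}.freeze

# Flat parse of the return_to query: "a[b]=1" stays the single key "a[b]".
# Values are kept as arrays so repeated keys survive.
def flat_query(url)
  query = url.split('?', 2)[1].to_s.split('#', 2)[0].to_s
  URI.decode_www_form(query).each_with_object({}) do |(key, value), out|
    (out[key] ||= []) << value
  end
end

# Flatten Rack-style nested params back into bracket keys so both sides
# use the same shape: {"a" => {"b" => "1"}} becomes {"a[b]" => ["1"]}.
def flatten_params(params, prefix = nil, out = {})
  params.each do |key, value|
    name = prefix ? "#{prefix}[#{key}]" : key.to_s
    case value
    when Hash  then flatten_params(value, name, out)
    when Array then out["#{name}[]"] = value.map(&:to_s)
    else            out[name] = [value.to_s]
    end
  end
  out
end

# Names of return_to arguments that did not come back unchanged.
# An empty result means the response matches the return_to that was sent.
def missing_return_to_args(return_to, received)
  flat_query(return_to).reject do |key, values|
    Array(received[key]).map(&:to_s) == values
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  # Nested params compared directly: bracketed arguments look "missing".
  p missing_return_to_args(SAMPLE_RETURN_TO, SAMPLE_RACK_PARAMS)
  # Flattened first: every return_to argument is accounted for.
  p missing_return_to_args(SAMPLE_RETURN_TO, flatten_params(SAMPLE_RACK_PARAMS))
end
```

Flattening keeps the check strict: a return_to argument whose value changed in transit is still reported, so the comparison is not weakened to make bracketed keys pass.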

Server responds that the 'check_authentication' call is not valid

We started having this issue crop up and now it's affecting a large percentage of our openid log ins.

#<OpenID::Consumer::FailureResponse:0x007f84a00418f8 @endpoint=nil, @message="Server https://www.google.com/a/shopify.com/o8/ud?be=o8 responds that the 'check_authentication' call is not valid", @contact=nil, @reference=nil>

I've been able to reproduce it on our staging environment so I threw in some logging of the requests and responses. Here is the request that's failing:

#<OpenID::Message:0x007f2f770bd648 @args={["http://specs.openid.net/auth/2.0", "mode"]=>"check_authentication", ["http://specs.openid.net/auth/2.0", "op_endpoint"]=>"https://www.google.com/a/shopify.com/o8/ud?be=o8", ["http://specs.openid.net/auth/2.0", "response_nonce"]=>"2014-09-24T22:01:47ZWQC4oCngG0MFlA", ["http://specs.openid.net/auth/2.0", "return_to"]=>"https://foggy-meerkat-builders-3.staging.shopify.com/admin/staff", ["http://specs.openid.net/auth/2.0", "assoc_handle"]=>"1.AMlYA9W7SJ96LV7ncVuuTOziqdBbwOw5svD1SPykJqM43wirWRb-nRY4HyRM1JzD", ["http://specs.openid.net/auth/2.0", "signed"]=>"op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.ext1,ext1.value.ext1,ext1.type.ext2,ext1.value.ext2,ext1.type.ext0,ext1.value.ext0", ["http://specs.openid.net/auth/2.0", "sig"]=>"fWa64GHxywaDukzfsHRhwcuYF6c=", ["http://specs.openid.net/auth/2.0", "identity"]=>"http://shopify.com/openid?id=113240996681813919788", ["http://specs.openid.net/auth/2.0", "claimed_id"]=>"http://shopify.com/openid?id=113240996681813919788", ["http://openid.net/srv/ax/1.0", "mode"]=>"fetch_response", ["http://openid.net/srv/ax/1.0", "type.ext1"]=>"http://axschema.org/namePerson/first", ["http://openid.net/srv/ax/1.0", "value.ext1"]=>"Samuel", ["http://openid.net/srv/ax/1.0", "type.ext2"]=>"http://axschema.org/namePerson/last", ["http://openid.net/srv/ax/1.0", "value.ext2"]=>"Kadolph", ["http://openid.net/srv/ax/1.0", "type.ext0"]=>"http://axschema.org/contact/email", ["http://openid.net/srv/ax/1.0", "value.ext0"]=>"[email protected]"}, @namespaces=#<OpenID::NamespaceMap:0x007f2f770c2440 @alias_to_namespace={:null_namespace=>"http://specs.openid.net/auth/2.0", "ext1"=>"http://openid.net/srv/ax/1.0"}, @namespace_to_alias={"http://specs.openid.net/auth/2.0"=>:null_namespace, "http://openid.net/srv/ax/1.0"=>"ext1"}, @implicit_namespaces=[]>, @openid_ns_uri="http://specs.openid.net/auth/2.0">

And the response from Google:

#<OpenID::Message:0x007f2f77140c28 @args={["http://specs.openid.net/auth/2.0", "is_valid"]=>"false"}, @namespaces=#<OpenID::NamespaceMap:0x007f2f77140bd8 @alias_to_namespace={:null_namespace=>"http://specs.openid.net/auth/2.0"}, @namespace_to_alias={"http://specs.openid.net/auth/2.0"=>:null_namespace}, @implicit_namespaces=[]>, @openid_ns_uri="http://specs.openid.net/auth/2.0">

As far as I can tell we haven't changed anything so it might be an issue with Google.

Sample OpenID provider doesn't work in test-id.org

I deployed your rails_openid example to heroku:

http://ruby-open-id-example.herokuapp.com/

There's an online OpenID tester here:

http://test-id.org/OP/AXFetch.aspx

When I point it to the sample app, it gives:

Login failed: The OpenID Provider issued an assertion for an Identifier whose discovery information did not match. Assertion endpoint info: ClaimedIdentifier: http://ruby-open-id-example.herokuapp.com/user/foo ProviderLocalIdentifier: http://ruby-open-id-example.herokuapp.com/user/foo ProviderEndpoint: http://ruby-open-id-example.herokuapp.com/server OpenID version: 2.0 Service Type URIs: Discovered endpoint info: []

The problem is, in my company we started our own OpenID provider and of course it fails the same way, because we based our code on the provided example.

Do you have any idea what's the problem or how it can be fixed?

Thanks!

Why aren't you pulling in changes from other users?

Others and I made some very useful changes to the library, why don't they get pulled in? Another project of mine (masquerade) depends on the fixes I made (added AX store request support and added tests for that), please pull those in.

OpenID::OAuth::Response.from_success_response when NS_URI is missing

When an OpenID::Consumer::SuccessResponse does not include OpenID::OAuth::NS_URI, a call to OpenID::OAuth::Response.from_success_response returns an OpenID::OAuth::Response instance with default values for ns_alias and ns_uri and nil values for request_token and scope.

In order to defend against this, I have coded a check:

def oauth_response(openid_response)
  unless openid_response.message.namespaces.get_alias(OpenID::OAuth::NS_URI).blank?
    OpenID::OAuth::Response.from_success_response openid_response
  end
end

Should OpenID::OAuth::Response.from_success_response return nil or raise an error instead of returning an empty object when the NS_URI isn't present in the OpenID::Consumer::SuccessResponse?

Sreg arguments are lost during setup_needed phase

When client is making immediate request, asking for extra arguments (e.g. "http://openid.net/extensions/sreg/1.1", optional = "email") and user is not authorized, setup_url is returned. OpenID::Server::CheckIDRequest is trying to clone itself for having immediate=false and then encoding to setup_url, but it is losing extra self.message.args, so when second setup request arrives, the args are lost and there is no way to get them back, but to send another request.

Test failures with recent ruby 1.8.7 versions

Recent versions of ruby randomize hash ordering, which seems to cause failures for the following tests. Using ruby 1.8.7 (2012-03-02 patchlevel 359) [x86_64-linux]:

  1) Failure:
test_proxy_url(OpenID::Yadis::ProxyQueryTestCase) [./test_xrires.rb:37]:
<"http://xri.example.com/=foo?_xrd_r=application%2Fxrds%2Bxml&_xrd_t=xri%3A%2F%2F%2Bi-service%2A%28%2Bforwarding%29%2A%28%24v%2A1.0%29"> expected but was
<"http://xri.example.com/=foo?_xrd_t=xri%3A%2F%2F%2Bi-service%2A%28%2Bforwarding%29%2A%28%24v%2A1.0%29&_xrd_r=application%2Fxrds%2Bxml">.

  2) Failure:
test_proxy_url_qmarks(OpenID::Yadis::ProxyQueryTestCase) [./test_xrires.rb:57]:
<"http://xri.example.com/=foo/bar??_xrd_r=application%2Fxrds%2Bxml&_xrd_t=xri%3A%2F%2F%2Bi-service%2A%28%2Bforwarding%29%2A%28%24v%2A1.0%29"> expected but was
<"http://xri.example.com/=foo/bar??_xrd_t=xri%3A%2F%2F%2Bi-service%2A%28%2Bforwarding%29%2A%28%24v%2A1.0%29&_xrd_r=application%2Fxrds%2Bxml">.

openid signature fails after upgrade to 1.9.2-p180

I have a working rails app with ruby-openid for logins that has been working well for months on ruby 1.9.2-p0. The installed version of ruby was upgraded to 1.9.2-p180 today with the same ruby-openid gem version 2.1.8. Now openid logins fail for all providers (tried myopenid and google).

The error comes from lib/openid/consumer/idres.rb:222
elsif !assoc.check_message_signature(@message)
raise ProtocolError, "Bad signature in response from #{server_url}"

I've done comparisons between the server running on ruby -p0 and -p180 and the openid params appear to be ordered correctly before being signed. I haven't deduced the root cause of the problem but switching between p0 and p180 does seem to create the problem.

I hope to look into it more but I wanted to file this information as soon as possible.

How bad is "Error attempting to use stored discovery information"?

Hi

I noticed that ruby-openid is logging this when a user logs in:

Error attempting to use stored discovery information: OpenID::TypeURIMismatch
Attempting discovery to verify endpoint
Performing discovery on https://www.google.com/accounts/o8/id?id=<removed>

This seems to happen because the type_uris don't match up in verify_discovery_single:

>> endpoint.type_uris
=> ["http://specs.openid.net/auth/2.0/server", "http://openid.net/srv/ax/1.0", "http://specs.openid.net/extensions/ui/1.0/mode/popup", "http://specs.openid.net/extensions/ui/1.0/icon", "http://specs.openid.net/extensions/pape/1.0"]
>> to_match.type_uris
=> ["http://specs.openid.net/auth/2.0/signon"]
>>

"http://specs.openid.net/auth/2.0/signon" is not found in endpoint.type_uris.

I found a similar issue for openid/python-openid#23.

Am I doing something wrong?

encoding problems with 2.2.3 test suite

I'm packaging ruby-openid for Fedora. When running the test suite in our build system, the following tests fail with some encoding errors:

export LANG=en_US.utf8
testrb -Ilib test

Here are the specific failures:

  1) Failure:
OpenID::DiffieHellmanTestCase#test_strxor_success [/builddir/build/BUILD/ruby-openid-2.2.3/test/test_dh.rb:30]:
<"\xFF"> (UTF-8) expected but was
<"\xFF"> (ASCII-8BIT).
  2) Failure:
OpenID::AssociationTestCase#test_sign_sha1 [/builddir/build/BUILD/ruby-openid-2.2.3/test/test_association.rb:83]:
<"\xFD\xAA\xFE;\xAC\xFC*\x988\xAD\x05d6-\xEAVy\xD5\xA5Z.<\xA9\xED\x18\x82\\$\x95x\x1C&"> expected but was
<"\xFD\xAA\xFE;\xAC\xFC*\x988\xAD\u0005d6-\xEAVyեZ.<\xA9\xED\u0018\x82\\$\x95x\u001C&">.

I'm using ruby 2.0.0p247 (2013-06-27 revision 41674) [i386-linux]

?=u in url

The library works perfectly with all major openid providers.
However my openid provider gives the id urls in the form

http://forum.feng-shui.ru/smf-openid-server/?u=almays

The presence of ?query in the id url seems to lead to the mistake

Attempting discovery to verify endpoint
Performing discovery on http://forum.feng-shui.ru/smf-openid-server/?u=almays
Discovery verification failure for http://forum.feng-shui.ru/smf-openid-server/?u=almays
 * Endpoint mismatch: local_id mismatch. Expected http://forum.feng-shui.ru/smf-openid-server/?u=almays, got http://forum.feng-shui.ru/smf-openid-server/
 * Endpoint mismatch: OpenID::TypeURIMismatch

And here is the response that we get from the server

#<OpenID::Consumer::FailureResponse:0x103fc6b98 @reference=nil, @message="No matching endpoint found after discovering http://forum.feng-shui.ru/smf-openid-server/?u=almays", @contact=nil, @endpoint=#<OpenID::OpenIDServiceEndpoint:0x1040028f0 @claimed_id="http://forum.feng-shui.ru/smf-openid-server/?u=almays", @local_id="http://forum.feng-shui.ru/smf-openid-server/", @display_identifier=nil, @type_uris=["http://openid.net/signon/1.1"], @used_yadis=false, @server_url="http://forum.feng-shui.ru/smf-openid-server/?u=almays", @canonical_id=nil>>

We can see that @claimed_id and @local_id are different.
How can we solve it?

tagged releases

How about creating a tag that represents the version included in the last released ruby-gem?

Maybe it's also a good idea to include the "bundler/gem_tasks" (known from 'bundle gem ' which creates a nice gem skeleton and includes nice rake tasks for release management (tagging, rubygems upload))

NoMethodError when attributes unexpectedly unsigned

If AX::FetchResponse#from_success_response is called and instructed to require signed attributes, but the attributes are not signed, a NoMethodError is generated by the first line of AXMessage#check_mode. (Ideal behavior would be returning nil or throwing an AX::Error, etc.)

Using memcache storage with Dalli

I'm using OpenID::Store::Memcache with Dalli::Client and getting this warning:
"Expiration interval too long for Memcached, converting to an expiration timestamp"

Server http://www.myopenid.com/server responds that the ‘check_authentication’ call is not valid

I have been working on this issue for the past few days and finally think I pinpointed the problem. A few other people seem to be having this problem:

That call returns this...

#<OpenID::Consumer::FailureResponse:0x2217e04 @reference=nil, @endpoint=#<OpenID::OpenIDServiceEndpoint:0x225e944 @local_id="http://viatropos.myopenid.com/", @display_identifier=nil, @type_uris=["http://specs.openid.net/auth/2.0/signon", "http://openid.net/sreg/1.0", "http://openid.net/extensions/sreg/1.1", "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant", "http://openid.net/srv/ax/1.0"], @used_yadis=true, @server_url="http://www.myopenid.com/server", @canonical_id=nil, @claimed_id="http://viatropos.myopenid.com/">, @message="Server http://www.myopenid.com/server responds that the 'check_authentication' call is not valid", @contact=nil>

That occurs in here:

def check_signature
  if @store.nil?
    assoc = nil
  else
    assoc = @store.get_association(server_url, fetch('assoc_handle'))
  end

  if assoc.nil?
    check_auth
  else
    if assoc.expires_in <= 0
      # XXX: It might be a good idea sometimes to re-start the
      # authentication with a new association. Doing it
      # automatically opens the possibility for
      # denial-of-service by a server that just returns expired
      # associations (or really short-lived associations)
      raise ProtocolError, "Association with #{server_url} expired"
    elsif !assoc.check_message_signature(@message)
      raise ProtocolError, "Bad signature in response from #{server_url}"
    end
  end
end

If I add this to the config/environment.rb, it works fine:

OpenIdAuthentication.store = :file

Otherwise, with "none" or "in-memory" store, it doesn't work.

Any ideas?

This is on Rails 2.3.5

add encrypted cookie store

Would it be possible to add the option for storing state in an encrypted cookie? It looks like it'd just be a matter of adding a new store class.

The problem I'm running into is I'm running an OpenID server on a load balanced domain with three physically separate servers that don't share any state. All my other session handling is done by storing data in encrypted cookies so any server can handle the request.

interoperability problems with Drupal's openid_provider

Hi,

I'm looking for help to resolve this issue I'm having in interoperability between Drupal's openid_provider and ruby's. We have been using 1.0 redirection in the provider for a while and we are trying to support 2.0 properly, by using the POST-based redirection. This fixes interoperability with Stackoverflow and dotnetauth openid providers. The patch is here:

http://drupal.org/node/831162#comment-4481628

The patch fixes stackoverflow logins, but breaks redmine (which uses ruby-openid) logins. I am using libopenid-ruby-2.1.2debian-1 in Debian lenny, but it also affects 2.1.8-debian.

The two different functions are in drupalcore:

http://api.drupal.org/api/drupal/modules--openid--openid.inc/function/openid_redirect/6
http://api.drupal.org/api/drupal/modules--openid--openid.inc/function/openid_redirect_http/6

Any feedback, either here or on drupal.org, would be hugely appreciated.

Verify SSL certificates by default

Currently, this Gem does not verify server certificates by default. It does check whether the common name or subjectAltName matches, but does not verify whether the certificate was issued by a trusted certificate authority, effectively making that check useless. The code does print a warning when making the request but I think that it does not communicate the full impact of the problem (a MITM attack would make it possible to fully impersonate an OpenID provider, see https://openid.net/specs/openid-authentication-2_0.html#anchor41 section 15.1.2) and is probably ignored by a lot of users.
It is possible to manually enable server certificate verification by specifying a CA bundle, but it is not clear why the verification could not be enabled by default without requiring users to download a CA bundle from somewhere on the internet which might or might not contain the CAs the user really wants to trust. Net::HTTP is verifying server certificates by default since 2010 (see https://bugs.ruby-lang.org/issues/2579) and can use the operating system's default CAs just fine, but ruby-openid deliberately disables the verification.

So, please make server certificate verification the default as long as it is not very explicitly disabled even when not specifying a CA path.
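Why a name match without chain verification proves nothing, and what a verifying Net::HTTP connection looks like, as an added example (not ruby-openid code). The helper names and the host `provider.example` are constructed; the certificate is generated in the block as sample input.

```ruby
require 'openssl'
require 'net/http'

# Constructed sample: a self-signed certificate naming the provider's host.
# Anyone can mint one; no certificate authority is involved.
def self_signed_cert_for(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ext.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check that remains when chain verification is off:
# does the certificate's CN / subjectAltName match the host?
def name_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Trust store backed by the operating system's default CA locations.
def default_trust_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store
end

# The check that is skipped: does the certificate chain to a trusted CA?
def chains_to_trusted_ca?(cert, store = default_trust_store)
  store.verify(cert)
end

# A connection object with verification on and no CA bundle to download.
# No network traffic happens until a request is made.
def verified_http(host, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = default_trust_store
  http
end

if __FILE__ == $PROGRAM_NAME
  cert = self_signed_cert_for('provider.example')
  puts "name matches host:    #{name_matches?(cert, 'provider.example')}"
  puts "chains to trusted CA: #{chains_to_trusted_ca?(cert)}"
end
```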

Fails when assoc request has a session_type of an empty string

pypi.python.org sends an assoc request with session_type set to an empty string.

Params sent are:

{"openid.mode"=>"associate", "openid.session_type"=>"", "openid.assoc_type"=>"HMAC-SHA1"}

According to the OpenID spec, session_type will be either blank or "DH-SHA1". In order to fix my provider code I had to override this value to "no-encryption" before letting the gem process the request.

Specifics of using gem with bundler

When including gem through bundler, one should use the following syntax:

gem "ruby-openid", :require => 'openid'

to avoid problems like this on application start

ActionDispatch::Session::SessionRestoreError (Session contains objects whose class definition isn't available.
Remember to require the classes for all objects kept in the session.
(Original exception: uninitialized constant OpenID [NameError])
):

Ruby 1.9.1 support

Ruby 1.9 introduced String encoding. It means that we can't use Regexp to match with incompatible encoding String. For example, we can't discover OpenID server from UTF-8 encoding HTML page with Ruby 1.9 because an HTML page that is fetched by ruby-openid has ASCII-8BIT encoding not UTF-8 encoding and a Regexp in openid/consumer/html_parser.rb has UTF-8 encoding. (UTF-8 and ASCII-8BIT are incompatible encoding.)

I wrote patches to support Ruby 1.9.1. Please pull the patches: http://github.com/kou/ruby-openid/tree/support-ruby19
