Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Major
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: 3.1.0.Final
-
Labels:None
-
Git Pull Request:
Description
Gliffy Diagrams
Activity
- All
- Comments
- Work Log
- History
- Activity
- Links Hierarchy
The problem seems to be in
OpenIdProviderAuthenticationService
Message authResponse = openIdServerManager.get().authResponse(parameterList, opLocalIdentifier, claimedIdentifier, authenticationSuccesful);
|
|
|
if (response instanceof DirectError) {
|
writeMessageToResponse(authResponse, response);
|
} else {
|
if (openIdProviderRequest.get().getRequestedAttributes() != null) {
|
try {
|
FetchResponse fetchResponse = FetchResponse.createFetchResponse(openIdProviderRequest.get().getFetchRequest(), attributeValues);
|
authResponse.addExtension(fetchResponse);
|
} catch (MessageException e) {
|
throw new RuntimeException(e);
|
}
|
}
|
The authResponse signs the message before the extension is added, therefore the signature is invalid.
Show
Marek Schmidt
added a comment - The problem seems to be in
OpenIdProviderAuthenticationService
Message authResponse = openIdServerManager.get().authResponse(parameterList, opLocalIdentifier, claimedIdentifier, authenticationSuccesful);
if (response instanceof DirectError) {
writeMessageToResponse(authResponse, response);
} else {
if (openIdProviderRequest.get().getRequestedAttributes() != null) {
try {
FetchResponse fetchResponse = FetchResponse.createFetchResponse(openIdProviderRequest.get().getFetchRequest(), attributeValues);
authResponse.addExtension(fetchResponse);
} catch (MessageException e) {
throw new RuntimeException(e);
}
}
The authResponse signs the message before the extension is added, therefore the signature is invalid.
Marek Schmidt
added a comment - The problem seems to be in
OpenIdProviderAuthenticationService
Message authResponse = openIdServerManager.get().authResponse(parameterList, opLocalIdentifier, claimedIdentifier, authenticationSuccesful);
if (response instanceof DirectError) {
writeMessageToResponse(authResponse, response);
} else {
if (openIdProviderRequest.get().getRequestedAttributes() != null) {
try {
FetchResponse fetchResponse = FetchResponse.createFetchResponse(openIdProviderRequest.get().getFetchRequest(), attributeValues);
authResponse.addExtension(fetchResponse);
} catch (MessageException e) {
throw new RuntimeException(e);
}
}
The authResponse signs the message before the extension is added, therefore the signature is invalid. fixed
the problem was not apparent before, as the openid4java 0.9.5 had a bug and didn't check the AX signatures at all.
Show
Marek Schmidt
added a comment - fixed
the problem was not apparent before, as the openid4java 0.9.5 had a bug and didn't check the AX signatures at all.
Marek Schmidt
added a comment - fixed
the problem was not apparent before, as the openid4java 0.9.5 had a bug and didn't check the AX signatures at all. 
Downgrading OpenID4Java from 0.9.6 (which fixes a security issue) to 0.9.5 seems to make the test happy, so it is probably caused by some change of behaviour of the library.